Firewall Wizards mailing list archives

Re: Practical Firewall Metrics (rant)


From: "Paul D. Robertson" <proberts () clark net>
Date: Sun, 22 Feb 1998 09:16:48 -0500 (EST)

On Fri, 20 Feb 1998 tqbf () secnet com wrote:

[snip]

What I'm interested in is evaluation of the network "engine" (excuse me
for using that term) of a firewall. To take a simplified example, I'd like
to see widely accepted tests for static packet filter implementations (can
I get past it with IP fragmentation? does SYN+FIN slip past an
"established" filter?). I think it's reasonable to say that a test suite
which limits itself in scope to the (say) packet filter implementation
would have some value.

This becomes increasingly difficult with dynamic packet filtering, where 
the test tool needs to know to test the inbound packets after an outbound 
packet, and things like that.  For static filtering, it's fairly easily 
done, but in the case of filters that don't always exhibit the same 
behaviour, testing them sufficiently is increasingly complex and requires 
some sort of inside/outside testing mechanism that is cooperative.  

I agree that there is value in having such tools; I'm just not sure it's 
likely that they'll test things in such a way that creates useful results 
without being very complex beasts if we take into account dynamic filters.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () clark net      which may have no basis whatsoever in fact."
                                                                     PSB#9280
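The three test cases the thread names (IP fragmentation past a port rule, SYN+FIN past an "established" rule, and an inbound packet that a dynamic filter should only accept after a matching outbound one) can be written down as a small conformance harness against a model of the filter. The code below is an added example and is not from the Firewall Wizards thread or any firewall product; the filter classes, the policy (port 25 allowed inbound, everything else must be "established"), the addresses and the packets are all constructed here for illustration. It models the naive static filter beside a hardened one, and a stateful filter that keeps the inside/outside ordering the post says a test tool has to understand.

```python
"""Model packet filters with a conformance harness (constructed example)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset          # TCP flags present, e.g. {"SYN"}, {"SYN", "FIN"}, {"ACK"}
    frag_offset: int = 0      # 0 = first/only fragment; >0 carries no TCP header

INSIDE, OUTSIDE = "192.0.2.10", "203.0.113.5"   # constructed hosts
ALLOWED_INBOUND_PORT = 25                        # constructed policy: SMTP open inbound

def naive_static_filter(p: Packet) -> bool:
    """Weak static filter: only looks at the TCP header on the first fragment and
    treats anything that is not a bare SYN as 'established'."""
    if p.frag_offset > 0:
        return True                              # nothing to inspect, so let it through
    if p.dport == ALLOWED_INBOUND_PORT:
        return True
    return p.flags != frozenset({"SYN"})         # SYN+FIN is not a bare SYN: passes

def hardened_static_filter(p: Packet) -> bool:
    """Hardened static filter: drops non-initial fragments it cannot evaluate and
    requires ACK set with SYN clear before calling a packet 'established'."""
    if p.frag_offset > 0:
        return False
    if p.dport == ALLOWED_INBOUND_PORT:
        return True
    return "ACK" in p.flags and "SYN" not in p.flags

class StatefulFilter:
    """Dynamic filter: inbound traffic is accepted only for a session an inside
    host opened first (or to the explicitly allowed port)."""
    def __init__(self) -> None:
        self.sessions: set[tuple] = set()
    def outbound(self, p: Packet) -> bool:
        self.sessions.add((p.src, p.sport, p.dst, p.dport))
        return True
    def inbound(self, p: Packet) -> bool:
        if p.dport == ALLOWED_INBOUND_PORT:
            return True
        return (p.dst, p.dport, p.src, p.sport) in self.sessions

def run_static_tests(filt) -> dict:
    """Conformance results for a static filter; True under a *_blocked key means
    the filter dropped the packet, True under *_allowed means it passed."""
    syn_fin = Packet(OUTSIDE, INSIDE, 4000, 23, frozenset({"SYN", "FIN"}))
    tiny_fragment = Packet(OUTSIDE, INSIDE, 4000, 23, frozenset(), frag_offset=1)
    ack_reply = Packet(OUTSIDE, INSIDE, 80, 4001, frozenset({"ACK"}))
    return {
        "syn_fin_blocked": not filt(syn_fin),
        "tiny_fragment_blocked": not filt(tiny_fragment),
        "ack_reply_allowed": filt(ack_reply),
    }

def run_stateful_tests() -> dict:
    """The inside/outside cooperative sequence: inject the reply before and after
    the outbound packet that should legitimise it."""
    fw = StatefulFilter()
    reply = Packet(OUTSIDE, INSIDE, 80, 4001, frozenset({"ACK"}))
    before = fw.inbound(reply)
    fw.outbound(Packet(INSIDE, OUTSIDE, 4001, 80, frozenset({"SYN"})))
    after = fw.inbound(reply)
    unrelated = fw.inbound(Packet(OUTSIDE, INSIDE, 80, 4002, frozenset({"ACK"})))
    return {"reply_before_outbound": before,
            "reply_after_outbound": after,
            "unrelated_inbound_allowed": unrelated}

if __name__ == "__main__":
    for name, f in (("naive", naive_static_filter), ("hardened", hardened_static_filter)):
        print(name, run_static_tests(f))
    print("stateful", run_stateful_tests())
```

The harness reports the naive filter as failing both the tiny-fragment and SYN+FIN cases while the hardened one passes them, and it shows why the stateful case needs two cooperating vantage points: the same inbound packet is dropped before the outbound packet and accepted after it, so a single-sided replay cannot tell a correct dynamic filter from a broken one. Dropping every non-initial fragment, as the hardened model does, is a deliberate trade-off that also breaks legitimately fragmented traffic; reassembling before filtering is the alternative a static filter cannot offer.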
