Firewall Wizards mailing list archives
Re: Practical Firewall Metrics (rant)
From: "Paul D. Robertson" <proberts () clark net>
Date: Sun, 22 Feb 1998 09:16:48 -0500 (EST)
On Fri, 20 Feb 1998 tqbf () secnet com wrote:

> [snip]
>
> What I'm interested in is evaluation of the network "engine" (excuse me for using that term) of a firewall. To take a simplified example, I'd like to see widely accepted tests for static packet filter implementations (can I get past it with IP fragmentation? does SYN+FIN slip past an "established" filter?). I think it's reasonable to say that a test suite which limits itself in scope to the (say) packet filter implementation would have some value.
This becomes increasingly difficult with dynamic packet filtering, where the test tool needs to know to test the inbound packets after an outbound packet, and things like that. For static filtering, it's fairly easily done, but in the case of filters that don't always exhibit the same behaviour, testing them sufficiently is increasingly complex and requires some sort of inside/outside testing mechanism that is cooperative.

I agree that there is value in having such tools, I'm just not sure it's likely that they'll test things in such a way that creates useful results without being very complex beasts if we take into account dynamic filters.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () clark net   which may have no basis whatsoever in fact."
PSB#9280
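The two messages above describe a test suite for packet filters (does SYN+FIN slip past an "established" rule, do fragments get through) and the extra step a dynamic filter needs (an outbound packet before the inbound probe). The following is an added example, not code from either poster: it models a naive static filter, a strict "established" filter (ACK or RST required, first fragment with a full TCP header only) and a toy stateful filter, then runs the same inbound probes against each. Hosts, ports and the filter logic are constructed for illustration; nothing here sends packets.

```python
# Added example (not from the list post): toy models of a static "established"
# packet filter and a stateful filter, exercised with the probes the thread
# mentions (SYN+FIN, IP fragments). Filters, hosts and ports are constructed.
from dataclasses import dataclass

# TCP flag bits
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int = 0
    frag_offset: int = 0         # IP fragment offset (non-zero: not the first fragment)
    has_tcp_header: bool = True  # False: too short or too late to carry the TCP header
    outbound: bool = False       # True: leaving the protected network


def naive_established(pkt: Packet) -> bool:
    """Static filter that treats only a bare SYN as a new connection and
    passes anything it cannot classify; this is the weakness the probes hit."""
    if not pkt.has_tcp_header:
        return True              # flags unreadable, so the naive rule lets it through
    return pkt.flags != SYN


def strict_established(pkt: Packet) -> bool:
    """Static filter in the 'established' sense: ACK or RST must be set, and
    only a first fragment that actually carries the TCP header is accepted."""
    if pkt.frag_offset != 0 or not pkt.has_tcp_header:
        return False
    return bool(pkt.flags & (ACK | RST))


class StatefulFilter:
    """Dynamic filter: an inbound packet is accepted only if it carries ACK
    and matches a connection that an inside host opened earlier."""

    def __init__(self) -> None:
        self.table: set = set()

    def decide(self, pkt: Packet) -> bool:
        if pkt.outbound:
            if pkt.flags & SYN and not pkt.flags & ACK:
                self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        if pkt.frag_offset != 0 or not pkt.has_tcp_header or not pkt.flags & ACK:
            return False
        # reverse the tuple so the reply is matched against the outbound entry
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table


INSIDE, OUTSIDE = "10.0.0.5", "192.0.2.7"   # constructed addresses


def probe_suite() -> dict:
    """Inbound probes aimed at port 25 on the inside host (constructed)."""
    return {
        "syn_only": Packet(OUTSIDE, 40000, INSIDE, 25, SYN),
        "syn_fin": Packet(OUTSIDE, 40000, INSIDE, 25, SYN | FIN),
        "ack_only": Packet(OUTSIDE, 40000, INSIDE, 25, ACK),
        "first_tiny_frag": Packet(OUTSIDE, 40000, INSIDE, 25, 0, 0, False),
        "later_frag": Packet(OUTSIDE, 40000, INSIDE, 25, 0, 3, False),
    }


def run_static(rule) -> dict:
    """Static filters need no setup: every probe is judged on its own."""
    return {name: rule(pkt) for name, pkt in probe_suite().items()}


def run_stateful(open_from_inside: bool) -> dict:
    """Dynamic filters need the cooperative step: an outbound SYN first."""
    f = StatefulFilter()
    if open_from_inside:
        f.decide(Packet(INSIDE, 25, OUTSIDE, 40000, SYN, outbound=True))
    return {name: f.decide(pkt) for name, pkt in probe_suite().items()}


if __name__ == "__main__":
    for label, result in [("naive static", run_static(naive_established)),
                          ("strict static", run_static(strict_established)),
                          ("stateful, no prior outbound", run_stateful(False)),
                          ("stateful, after outbound SYN", run_stateful(True))]:
        print(f"{label}: passed {[n for n, ok in result.items() if ok]}")
```

The naive rule passes SYN+FIN and both fragment probes, the strict rule passes only the ACK-only probe, and the stateful model passes that probe only when the inside host opened the connection first, which is why the test tool has to drive both sides for a dynamic filter.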