Re: Effect of full disk on logging under FW-1 v 2.1?

[Christopher Nicholls <chrisn () softway com au>]

At 10:03 10/02/98 +0100, Manuel.Gil () gecits-eu com wrote:
> There is a test in DataCom WEB site, where you can find information about
> the status of the Firewall-1 after you fill the disk with the log.
>
> http://www.data.com/lab_tests/firewalls97.html
>
> They say exactly:
>
>                   The fourth attack involves filling the disk of the
> firewall. If such an assault is mounted, a firewall should shut down. Only
> those
>                              products from Altavista, Cyberguard, Netguard
> (Migdal Ha-Emek, Israel), Sun, and Trusted Information Systems Inc. (TIS,
>                              Rockville, Md.) did so (the last two because
> they run on Solaris, which shuts down in response to a full disk; versions
> of TIS for
>                              other operating systems will continue to
> operate). The next best thing would be to continue operating but deny all
> external
>                              access attempts--which is what firewalls from
> IBM and Milkyway did. All other products continued to operate normally,
> which
>                              raises a major security concern if logging
> occurs on the firewall machine. Ideally, logs should be kept on an external
> machine or
>                              moved frequently to read-only media.
Folks,

If the firewall shuts down when the log disk fills up, as per the first
part of the quote above - doesn't that amount to a successful
denial-of-service attack?

Regards

Christopher

-----------------------------------------------------------------------------
Christopher Nicholls
chrisn () dynamite com au   ~~~~~~~   chrisn () softway com au
-----------------------------------------------------------------------------
m:      0411 454755     
w:      +61 2 6243 4834 h:      +61 2 6241 2112
wf:     +61 2 6243 4848 hf:     +61 2 6241 8926

"The good news is... there's no bad news...."