Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month, online, via Jitsi Meet.

BLU Discuss list archive


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Discuss] firewall testing



Do you test your firewall?

Given the complexity of firewall rules, they're highly error prone. A
small typo could easily open up a hole.

I don't mean the simple and obvious port scan, but something more
sophisticated. Do you have a test suite for your firewall? If so, what
tools do you use?

Has the DevOps practice of automated testing reached firewalls?


Is there any hope of finding holes like this one:
http://arstechnica.com/security/2014/04/easter-egg-dsl-router-patch-merely-hides-backdoor-instead-of-closing-it/

(It uses a specially crafted Ethernet packet to act as a port knock that
then opens up a TCP port that accepts administrative commands.)

Not likely, but once it is known, a test for it could be added to a
regression suite. (Although there is the complication of how you execute
the test, given you need access to the Ethernet on the WAN side of your
router (a server out in the cloud wont do). So you'll need a tap or a hub.)

 -Tom

-- 
Tom Metro
The Perl Shop, Newton, MA, USA
"Predictable On-demand Perl Consulting."
http://www.theperlshop.com/



BLU is a member of BostonUserGroups
BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Valid HTML 4.01! Valid CSS!



Boston Linux & Unix / webmaster@blu.org