[Discuss] firewall testing

Tom Metro tmetro+blu at gmail.com
Tue Jun 17 16:31:40 EDT 2014


Do you test your firewall?

Given the complexity of firewall rules, they're highly error prone. A
small typo could easily open up a hole.

I don't mean the simple and obvious port scan, but something more
sophisticated. Do you have a test suite for your firewall? If so, what
tools do you use?

Has the DevOps practice of automated testing reached firewalls?


Is there any hope of finding holes like this one:
http://arstechnica.com/security/2014/04/easter-egg-dsl-router-patch-merely-hides-backdoor-instead-of-closing-it/

(It uses a specially crafted Ethernet packet to act as a port knock that
then opens up a TCP port that accepts administrative commands.)

Not likely, but once it is known, a test for it could be added to a
regression suite. (Although there is the complication of how you execute
the test, given you need access to the Ethernet on the WAN side of your
router (a server out in the cloud won't do). So you'll need a tap or a hub.)

 -Tom

-- 
Tom Metro
The Perl Shop, Newton, MA, USA
"Predictable On-demand Perl Consulting."
http://www.theperlshop.com/
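The regression-suite idea in the post above, as an added example that is not part of the original message or any tool the author mentions: a small Python check that compares the state a firewall is supposed to produce (a declared policy of which ports should be reachable from a given vantage point) against what a probe actually observes, and reports every mismatch. The host address, ports and "observed" tables are constructed sample values; the live probe is a plain TCP connect and must be run from the network side whose view you want to verify (the WAN side, via a tap or hub, as the post notes), because a result taken from the LAN side says nothing about exposure to the Internet.

```python
"""Firewall policy regression check (added example, not from the original post)."""
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# A policy maps (host, port) to the state the rules are *supposed* to produce
# as seen from the vantage point this check runs from: "open" or "closed".
Policy = Dict[Tuple[str, int], str]

# Constructed sample policy for a hypothetical router's WAN address (TEST-NET-1).
SAMPLE_POLICY: Policy = {
    ("192.0.2.1", 22): "closed",    # SSH must not be reachable from outside
    ("192.0.2.1", 80): "closed",
    ("192.0.2.1", 443): "open",     # the one service deliberately published
    ("192.0.2.1", 8080): "closed",
}

Probe = Callable[[str, int], str]


def probe_tcp(host: str, port: int, timeout: float = 2.0) -> str:
    """Live probe: a TCP connect attempt against your own firewall.

    Returns "open" on a completed handshake and "closed" otherwise; a timeout
    (packet dropped) is treated the same as a refusal, since the check only
    cares whether the port is reachable.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        return "open" if sock.connect_ex((host, port)) == 0 else "closed"


@dataclass
class Violation:
    host: str
    port: int
    expected: str
    observed: str

    @property
    def severity(self) -> str:
        # An unexpectedly reachable port is the case a typo in the rules
        # produces; an unexpectedly closed one usually means the service is
        # down rather than the firewall being wrong, so flag them differently.
        return "EXPOSURE" if self.observed == "open" else "OUTAGE"


def check_policy(policy: Policy, probe: Probe = probe_tcp) -> List[Violation]:
    """Probe every (host, port) in the policy and collect the mismatches."""
    violations: List[Violation] = []
    for (host, port), expected in sorted(policy.items()):
        observed = probe(host, port)
        if observed != expected:
            violations.append(Violation(host, port, expected, observed))
    return violations


def fake_probe_from(observed: Dict[Tuple[str, int], str]) -> Probe:
    """Build a probe that answers from a constructed table, for offline runs.

    Anything not listed is reported "closed", mirroring a default-drop firewall.
    """
    def probe(host: str, port: int) -> str:
        return observed.get((host, port), "closed")
    return probe


if __name__ == "__main__":
    # Constructed observation: a rule typo has left SSH reachable from the WAN.
    observed = {("192.0.2.1", 22): "open", ("192.0.2.1", 443): "open"}
    for v in check_policy(SAMPLE_POLICY, fake_probe_from(observed)):
        print(f"{v.severity} {v.host}:{v.port} expected {v.expected}, observed {v.observed}")
    # Replace fake_probe_from(...) with the default probe_tcp to run it for real.
```

Keeping the policy as data and the probe as a pluggable function is what makes this a regression suite rather than a one-off scan: when a new finding is published, the expected state for that port is added to the table once, and every later run re-checks it. The offline probe also lets the suite itself be tested without touching a network.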
