>Date: Mon, 30 Jan 95 12:56:20 -0500
>Message-Id: <9501301756.AA27260@uvs1.orl.mmc.com>
>From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
>To: "firewalls%greatcircle.com@theopolis"@uvs1.dnet.mmc.com
>Subject: Testing firewalls
>Sender: firewalls-owner@GreatCircle.COM
>Precedence: bulk
>Dr. Frederick B. Cohen wrote...
>> One of the things I don't hear much about in this forum is
>> people testing their firewalls. [...]
>
>One of the big problems here is "where do you test it from?" If done from
>the inside, you do not test any rules that say "my nodes are ok but not..."
>however since most people have only one or two POPs (using Points of
>Presence in its most literal meaning here), this is a real problem.
Not quite sure what you mean here. Testing inside, on a test network with
a screening router, etc. is IMHO a good thing[tm]. First of all, it gives
you the ability to attack with much more bandwidth than most A-6s would get
coming in from outside your site, giving you a leg up on some DOS attacks
to base TCP or UDP services (echo, daytime ...).
>
>As a consequence, a proper functionality test must be done from a remote
>site that allows such things to be done (a good firewall won't). One
>possibility would be to arrange for a node at your service provider's
>site, another might be a local university (for a real real-world test).
>
If you're really pressed, set-up fee, phone time, etc. won't be more
than US$50 (in most major US cities) to get a dial-up PPP account with either
a local or national ISP for 30 days, from which you can attack at will.
Anyway, it's always a good idea to have a second POP, just in case your
primary goes down...
Not quite as important as ensuring your phone system has Foreign Exchange
capability, but the same concept.
[snip]
> Warmly,
> Padgett
Paul.
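Padgett's point about vantage point (probes from inside never exercise rules keyed on an external source) can be checked against a rule set before anyone sends a packet. The following is an added illustration, not code from either poster: a toy first-match packet filter with constructed addresses and rules, plus a coverage check reporting which rules a given set of test probes never hits.

```python
"""Rule-coverage check for firewall tests: which rules does a probe set
actually exercise? All rules, addresses and probes below are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, List, Tuple, Set


@dataclass
class Rule:
    name: str
    action: str            # "allow" or "deny"
    src: str               # CIDR the packet's source must fall in
    dst: str               # CIDR the packet's destination must fall in
    dport: Optional[int] = None  # None matches any destination port


# Constructed rule set: 10.0.0.0/8 plays the role of "my nodes".
RULES: List[Rule] = [
    Rule("inside-to-anywhere", "allow", "10.0.0.0/8", "0.0.0.0/0"),
    Rule("outside-smtp-to-relay", "allow", "0.0.0.0/0", "10.0.0.25/32", 25),
    Rule("outside-echo-denied", "deny", "0.0.0.0/0", "10.0.0.0/8", 7),
    Rule("default-deny", "deny", "0.0.0.0/0", "0.0.0.0/0"),
]

Probe = Tuple[str, str, int]  # (src address, dst address, dst port)


def first_match(rules: List[Rule], src: str, dst: str, dport: int) -> Optional[Rule]:
    """First-match semantics, as most screening routers of the era used."""
    for r in rules:
        if (ip_address(src) in ip_network(r.src)
                and ip_address(dst) in ip_network(r.dst)
                and (r.dport is None or r.dport == dport)):
            return r
    return None


def rules_exercised(rules: List[Rule], probes: List[Probe]) -> Set[str]:
    """Names of the rules that at least one probe actually terminates on."""
    hit = set()
    for src, dst, dport in probes:
        r = first_match(rules, src, dst, dport)
        if r is not None:
            hit.add(r.name)
    return hit


def untested(rules: List[Rule], probes: List[Probe]) -> List[str]:
    """Rules no probe reaches; these are the ones the test run says nothing about."""
    hit = rules_exercised(rules, probes)
    return [r.name for r in rules if r.name not in hit]


# Constructed probe sets: the same three services, from two vantage points.
INSIDE_PROBES: List[Probe] = [("10.0.0.50", "10.0.0.25", 25), ("10.0.0.50", "10.0.0.1", 7), ("10.0.0.50", "192.0.2.10", 80)]
OUTSIDE_PROBES: List[Probe] = [("198.51.100.7", "10.0.0.25", 25), ("198.51.100.7", "10.0.0.1", 7), ("198.51.100.7", "10.0.0.1", 80)]
```

Run from inside, every probe terminates on the first "my nodes" rule and the three externally-keyed rules go untested; the same probes from an outside address exercise exactly those three, which is the case for a second POP made above.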