Paving the way for .NET in Tonga
Had my first session of validating firewall rules on Monday and Tuesday, wohooo, that’s an experience. My previous installations were of small systems, so my previous experience was ‘drafting’ the firewall rules, putting them in and letting them go live. Testing and validating the firewall essentially meant sitting there in front of the firewall server and watching traffic, tweaking issues as they became known.
In construction, firewalls are the walls between buildings. The higher grade your firewall, the higher the probability your building isn’t going to burn down should the building next door go up in flames.
The quality of the construction material of your firewall is just part of the toolkit for minimising danger to your building; you also need to ensure that there’s no open passage for the fire to enter your building while bypassing your firewall barrier. One building that went up in flames had a decent firewall, but it had large ventilation shafts between it and the next building, leading directly to highly combustible material. Fire from the adjoining building spread into our building through the ventilation shafts and the building came down, while the firewall held firm.
The burnt building looked like the aftermath of a bombing, the inside collapsed in soot while the firewall stood alone.
Lesson 1: Physical firewalls have the same limitations as their electronic / communications firewall counterparts. They are only as good as the material they’re built with, and the ventilation shafts between your side of the firewall and the next.
Unless you want to burn your firewall to test it, the general idea is to test the materials and the process of producing your firewall.
With our computer firewall, we have existing best practice procedures for designing and building the firewall, and we’re now in the stage of testing the “ventilation shafts” built into our firewalls to validate whether the rules we’ve set up for what to allow in and out through those shafts behave as we expect.
I haven’t heard of any automated tools for doing the testing, so if you’ve heard of one please do tell us.
At the moment the process of testing the open ventilation shafts (in computer speak, “open ports”) is to set up a simulated network on either side of our firewall and generate network traffic trying to get through the firewall in both directions. Unfortunately, the generated traffic cannot be purely random: each “open port” or “potentially open port” has to have a specific test.
Unless you have the money, you can’t really duplicate your live network in this test environment, so you end up spending a lot of time doing the network configuration dance, continuously readjusting your various test machines to simulate other machines and providing different services as well as simulating trying to get through the firewall to the other side.
Lesson 2: You really want a set of command-line tools for doing this. Windows’ greater user feedback (GUI?) is nice, but it can really use up your time when things don’t work as expected (and how often is that the case in a test environment?).
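As an added example of the kind of command-line tool Lesson 2 asks for (not code from the original post): a POSIX sh harness that probes a table of ports that the rules should leave open or blocked, from a test host on one side of the firewall, and reports each mismatch. It assumes OpenBSD-style nc(1) on the test host; the addresses in the table are constructed sample values for a simulated network.

```shell
#!/bin/sh
# Added example (not from the original post): a small command-line harness for
# validating firewall rules from a test host on one side of the firewall.
# Assumptions: POSIX sh and OpenBSD-style nc(1) on the test host; the
# addresses below are constructed sample values for a simulated network.
# Expectation table: one "host port verdict" triple per line, where verdict is
# "open" (a rule should pass the connection) or "blocked" (it should not).
EXPECTED='
192.0.2.10 22 open
192.0.2.10 80 open
192.0.2.10 3306 blocked
192.0.2.20 25 blocked
'

# probe HOST PORT: attempt a TCP connect with a 3 second timeout and print
# "open" or "blocked". A rule that silently drops shows as "blocked" only
# after the timeout; one that rejects shows as "blocked" immediately.
probe() {
    if nc -z -w 3 "$1" "$2" >/dev/null 2>&1; then
        echo open
    else
        echo blocked
    fi
}

# check HOST PORT WANT GOT: print a PASS/FAIL line, return 1 on a mismatch.
check() {
    if [ "$3" = "$4" ]; then
        echo "PASS $1:$2 $4"
    else
        echo "FAIL $1:$2 expected $3, got $4"
        return 1
    fi
}

# run_suite TABLE: probe every triple in TABLE and return the mismatch count.
# Set PROBE to a stub function to dry-run the table without a network.
run_suite() {
    fails=0
    set -- $1    # word-split the table into host/port/verdict triples
    while [ $# -ge 3 ]; do
        got=$(${PROBE:-probe} "$1" "$2")
        check "$1" "$2" "$3" "$got" || fails=$((fails + 1))
        shift 3
    done
    return "$fails"
}

# Usage from either side of the firewall: run_suite "$EXPECTED"; echo "mismatches: $?"
```

Run the same table from the test host on each side of the firewall (with the verdicts adjusted for that direction) so both the inbound and outbound rules get exercised.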
This is when it’s good to have several machines on an independent set of networks (i.e. at minimum you’re testing the firewall with two networks) but just as importantly several monitors, keyboards, and a cool smooth swivel chair to spin around in.
Don’t bother doing this using terminal/ssh connections; that is just a recipe for frustration and for avoiding configuration options you need to consider (because often enough the changes you need to make will throw you out of your terminal/ssh session).
Lesson 3: Physical hardware is way cooler than the virtual world on its own.
Most of what we tested only needed a direct connection to the server, but our last test before quitting for the day last night was to test whether a connection would go through over a virtual private network (VPN). Woo hoo, that wasn’t easy, but it wasn’t as hard as initially expected (since we’d done similar stuff previously).
If you’ve almost got the cash, where you can’t afford a full simulated network but can afford a good-sized beefy duo of machines for either side of the simulated network, then you would probably go with using a network of virtual machines on either side of your firewall. Now, that would be way cool, but I don’t think my laptop is beefy enough (yet).
Oh yeah, my preferred firewall? OpenBSD with PF, of course. For user VPNs, I’m doing pretty well installing OpenVPN.