Some errors in the firewall test

2011-01-10  来源:本站原创  分类:Internet  人气:75 

Copyleft this document owned by yfydz all, the use of GPL, free to copy, reprint, reproduced keep the documents for completeness, for any commercial purposes is strictly prohibited.
msn: [email protected]

1.   Preface
  Firewall testing is currently no real test standard, so many of them simply rely on testers to provide some standard test  ,  Common tester has SmartBit and  Ixia,  Domestic use of a variety of tests SmartBit more than some of  .

  Tester is mainly based on RFC2544 to test the basic performance of network equipment  ,  Such as throughput. Latency  .  Packet loss rate. Back to back, etc.  ,  These routers are  (IP  Layer )  Levels of performance parameters  :  But can also do some performance testing of the transport layer, such as the maximum number of connections  ,  Maximum connection establishment rate  :  You can also attack the test, types of attacks, including of death.syn sweep.smurf  And so the principle of these attacks is described in the previous article had  .

  Tests in previous years, performance testing and functional testing is separate from the test  ,  The configuration can be different between the two  :  The new trend in the past two years testing performance testing is functional testing is done using the same configuration, the same configuration and performance testing completion  ,  In this case there is a problem in fact  .

2.   Mistakes  

  Currently the throughput of these tester package testing hair is UDP7 package  ,  Port 7 is  echo  Services, all packages are the same source and destination address  ,  This large flow of packets in the firewall appears to be the same problem, should be attributed to  udp flood  The list, imagine if a machine in the utility of such a large number of issued  UDP  Packet firewall did not report the exception and let the network bandwidth is occupied  ,  Estimates will paralyze the entire network, network management estimates that the firewall can not reuse it  .  A good test should be a way to package the source and destination addresses to be dynamic, to imitate the actual data flow  ,  Firewalls can be used as a normal package, so the result was more accurate  ,  But seems unable to pronounce the tester such package. If the purpose is the same source  IP  Package, it should turn off the firewall in the confirmation  UDP flood  The defense, which also examined whether the firewall is the way a test  UDP flood  Ability. The same reason  ,  Maximum number of connections in the test and the maximum rate if the connection is established, packets are sent with the same address, then the firewall should be regarded as  DOS  Attack, in which case the test results are not reliable  ,  Issued by the tester package should be connected to a different address  .

  In the attack test, generally of course, is that package through, the better attack  ,  So in some firewalls do occur in the test reports that no one in seven attacks package through firewalls, but it is also a little problem  .  Those attacks test, of death.teardrop.smurf belong to a feature package  ,  All blocking is no problem, for  syn flood,  Or the use of syn proxy  syn cookie  If all the technology can also be blocked, because the tester does not send  ACK  Package, and in many cases even these technologies do not need this  ,  Because the SYN packet sent tester basically do not have  TCP  Option, you can lose  :ping flood  And ping sweep is normal practice  ping  Package can only be identified by statistical methods  ,  When the contract under the speed down to a certain extent, become a normal ping function application  ,  Through the firewall to allow ping packets in the case of how many will be starting with some of the  ,  After some statistical identified only after a ping flood or  ping sweep,  If the test results are all blocked, but there is a problem that the firewall  ,  Do not rely on statistical functions to identify ping flood / sweep, but by all the blocking  ping  Package to defense, but to limit the normal  ping  Features are used  .

3.   Conclusion  

 Firewall tester tester can not just look at the output figures to determine the firewall is good or bad, but should really understand what is behind various tests  ,  Unfortunately, at present many testers test or only know how to walk again after the test instrument to sort the numbers and not by any analysis  .
  • Some errors in the firewall test 2011-01-10

    Copyleft this document owned by yfydz all, the use of GPL, free to copy, reprint, reproduced keep the documents for completeness, for any commercial purposes is strictly prohibited. msn: [email protected] Source: 1. Preface

  • struts2.0 + spring2.0 + hibernate3.1 complete process integration of multi-layer model of common errors (change) 2010-04-16

    Looking for entry-level, but the error solution for your reference. In this use MyEclipse6.0 as a programming environment, and truly comprehend after ssh, you know MyEclipse add spring and hibernate Support intention is automatically added to MyEclip

  • SQL Server connection in the collection of the four most common errors 2010-06-14

    SQL Server connection in the four most common errors: 1. "SQL Server does not exist or access denied" This is the most complex, errors occur because more and more also needs to be checked more. Generally speaking, there are several possibilities

  • 12 personal firewall software landscape evaluation 2010-07-21

    12 personal firewall software landscape evaluation 2009-04-24 23:01 Today, in many cases relating to computer security issues, we often mention such a word, this is the "firewall." And anti-virus software is mainly responsible for different issu

  • Linux in the build-vsftpd vsftpd can not properly access the firewall settings 2010-08-18

    1. Permissions can not lead a normal visit vsftpd After installing vsftpd software, ftp default home directory is / var / ftp, is this / var / ftp permissions set errors, and the directory permissions are not open to all privileges; that you run chmo

  • AndFire Firewall 1.2 release 2010-08-29

    AndFire is a android firewal software, It support to message filter, block calls, app firewall, ftp pop3 smtp block and virus firewall.You can block some network application software to help you save flow! AndFire Android is a firewall software, main

  • Configure the linux transparent firewall bridge turn 2010-10-05

    First, the transparent firewall and transparent proxy concept In general, two network interfaces firewall should belong to two different networks, the system administrator-defined access rules in data packets transmitted between the two interfaces, o

  • struts2.0 + spring2.0 + hibernate3.1 whole process of integration of multi-layer model of common errors (transfer) 2010-11-11

    Look for entry-level, but the bug is fixed for your reference. As used here MyEclipse6.0 programming environment, the real insight ssh, the will know to add spring and hibernate support for MyEclipse was intended only to spring and hibernate MyEclips

  • linux solutions to common errors 2010-12-27

    10, pam 11, refused to ssh login (user) a. / etc / ssh / sshd_config denyusers user b.pam in / etc / security / access.conf / Etc / pam.d / sshd ¥¥¥¥¥¥¥¥¥¥¥¥ A, MBR error. ¥¥¥¥¥¥¥¥¥¥¥¥¥ Second grub.conf Third, / etc / inittab ¥¥¥¥¥¥¥¥¥¥¥¥¥ IV mount /

  • Common errors broadband connection 2010-12-28

    Broadband connection error 691 (the domain user name or password is invalid and denied access) / Error 635 (Unknown error) in the treatment process is as follows: (1) username and password fill in error (2) fill out correctly if the user ID and passw

  • Oracle connectivity solutions related errors 2011-07-08

    Oracle connectivity solutions related errors (go on step by step inspection, proved any connection-related errors can be resolved) 1, Ping a) Network b) Firewall 2, Tnsping a) Tnsping just tell you at least listen properly is normal. b) Tnsnames.ora

  • psad, fwknop, and fwsnort and other well-known open source security software developer on the Linux firewall 2009-07-29

    Network attacks are increasingly seems to get the upper hand. Will be heard almost every day there were new attacks against software vulnerabilities, or is there a more effective way to spread spam (inbox, I can attest to that), or is a company or go

  • Ruby common errors and solutions 2009-10-05

    Ruby common errors and solutions (update ...) module test def add_up(x,y) return x+y end end puts add_up(100,89) Above code, the implementation of the following two errors. Error 1: class / module name must be CONSTANT Solution: Module names should b

  • Struts, html: errors does not show a solution 2010-03-29

    Copyright Statement: original works, allowing reproduced, reproduced hyperlink when you make sure to indicate the form of the article Original Source , Author information and this statement. Otherwise held accountable by law.

  • The 25 most dangerous programming errors 2010-03-29

    1. Cross-site scripting attacks (4) 2. SQL Injection (3) 3. Classic buffer overflow (1) 4. Cross-site request forgery (7) 5. Is not the correct access control (authorization) 6. In security decision-making rely on untrusted input 7. Is not properly l

  • Serious: Error listenerStart serious: Context [] startup failed due to previous errors 2010-03-29

    Release time to deploy a java and flex project integrated a moment when an exception: 2010-1-20 16:52:26 org.apache.catalina.core.AprLifecycleListener init Information: The APR based Apache Tomcat Native library which allows optimal performance in pr

  • Spring Common Errors 2010-04-13

    Phenomenon 1: org.springframework.beans.factory.BeanCreationException: Error creating bean with name''''defined in null: Can''t resolve reference to bean''txAdvice''while setting property'' advice

  • Swing in the process of multi-threaded coding errors (SwingUtilities) 2009-06-09

    [Notes] Swing in the process of multi-threaded coding errors A lot of academic JAVA programmers are starting from the Swing, but many people AWT GUI thread is not too deep understanding of the mechanism, or claim to have been only to understand the c

  • Common Errors in Setting Java Heap Size 2008-11-28

    Two JVM options are often used to tune JVM heap size: -Xmx for maximum heap size, and -Xms for initial heap size. Here are some common mistakes I have seen when using them: * Missing m, M, g or G at the end (they are case insensitive). For example, j

  • CSS page layout are often guilty of several small errors 2008-09-17

    CSS page layout are often guilty of several small errors: 1. Check HTML element if there spelling mistakes, they forget the closing tag, even old hands are often mistaken div nested relations. Can use the validation features dreamweaver check for err