Test your firewalls for behavior problems

《endurer's note: 1. behavior problem: a problem in how something behaves》

Blogger: Tom Olzak
Translator: endurer

Category: Security, IT Management, networking, Firewall
Tags: Firewall, Network, Tom Olzak
English source: http://blogs.techrepublic.com.com/security/?p=235&promo=030&tag=nl.e030&cval=TR_today&ctype=default

The venerable firewall is used for several purposes, including network perimeter defense and network segmentation. We all rely on the effectiveness of these devices to keep the bad guys off the network and to stop compromised systems from connecting to an attacker's system across the Internet. But when was the last time you conducted a test to see if your firewalls are behaving the way you believe you configured them to behave?

The most conscientious engineer will plan, configure, and then double-check his or her work. However, nobody's perfect. Further, the changing nature of a business network might result in configuration drift: minor tweaks made over time to get new or updated solutions working, or working better, can weaken the defense your firewalls originally provided. Testing new configurations, and periodically retesting existing ones, should be part of any organization's security program.

《endurer's note: 1. nobody's perfect: no one is without faults
2. result in: to cause, to lead to
3. over time: as time passes》
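Configuration drift is easiest to catch when the approved policy and the deployed policy can be compared mechanically. The following Python script is an added example for this post (not code from the original or from any firewall vendor): it parses two rule lists in a constructed one-rule-per-line format, reports rules that were added or removed, and, more usefully, flags a deployed allow rule that now permits a superset of what a baseline allow rule permitted (wider source or destination, broader protocol, or larger port span). The `Rule`, `widens` and `drift_report` names and both sample policies are assumptions made for the illustration.

```python
"""Configuration-drift check for a firewall rule set.

Added example (not from the original post or any vendor): compares a baseline
policy with the deployed rule set and flags added, removed, and widened rules.
The rule format, the names below and both policies are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    proto: str    # "tcp", "udp" or "any"
    src: object   # ipaddress network object (IPv4Network in the samples)
    dst: object
    dport: str    # "443", "1024-65535" or "any"


def parse_rule(line: str) -> Rule:
    # Constructed format: "<action> <proto> <src-cidr> -> <dst-cidr> <dport>"
    action, proto, src, arrow, dst, dport = line.split()
    if arrow != "->":
        raise ValueError(f"malformed rule: {line!r}")
    return Rule(action, proto, ip_network(src), ip_network(dst), dport)


def parse_policy(text: str) -> list:
    return [parse_rule(ln) for ln in text.strip().splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def port_range(spec: str) -> tuple:
    if spec == "any":
        return (0, 65535)
    if "-" in spec:
        lo, hi = spec.split("-")
        return (int(lo), int(hi))
    return (int(spec), int(spec))


def widens(new: Rule, old: Rule) -> bool:
    """True when `new` is an allow rule permitting everything `old` permitted
    and more: broader protocol, wider source/destination, or wider port span."""
    if new.action != "allow" or old.action != "allow" or new == old:
        return False
    proto_ok = new.proto == "any" or new.proto == old.proto
    addr_ok = old.src.subnet_of(new.src) and old.dst.subnet_of(new.dst)
    n_lo, n_hi = port_range(new.dport)
    o_lo, o_hi = port_range(old.dport)
    return proto_ok and addr_ok and n_lo <= o_lo and o_hi <= n_hi


def drift_report(baseline_text: str, deployed_text: str) -> dict:
    """Deployed rules missing from the baseline are 'widened' when they loosen
    some baseline allow rule, else 'added'; baseline rules no longer deployed
    are 'removed'."""
    baseline = parse_policy(baseline_text)
    deployed = parse_policy(deployed_text)
    baseline_set, deployed_set = set(baseline), set(deployed)
    report = {"added": [], "removed": [], "widened": []}
    for rule in deployed:
        if rule in baseline_set:
            continue
        loosened = [old for old in baseline if widens(rule, old)]
        if loosened:
            report["widened"].append((rule, loosened))
        else:
            report["added"].append(rule)
    report["removed"] = [r for r in baseline if r not in deployed_set]
    return report


# Constructed sample: the approved baseline vs. what is running after a few
# "quick fixes" (SSH opened to the world, a new RDP allow into the LAN).
BASELINE_POLICY = """
# DMZ edge firewall, approved baseline
allow tcp 0.0.0.0/0   -> 203.0.113.10/32 443
allow tcp 10.0.0.0/8  -> 203.0.113.10/32 22
deny  any 0.0.0.0/0   -> 10.0.0.0/8      any
"""

DEPLOYED_POLICY = """
allow tcp 0.0.0.0/0   -> 203.0.113.10/32 443
allow tcp 0.0.0.0/0   -> 203.0.113.10/32 22
allow tcp 10.0.0.0/8  -> 10.20.0.5/32    3389
deny  any 0.0.0.0/0   -> 10.0.0.0/8      any
"""

if __name__ == "__main__":
    rep = drift_report(BASELINE_POLICY, DEPLOYED_POLICY)
    for rule, loosened in rep["widened"]:
        print("WIDENED:", rule, "loosens", loosened)
    for rule in rep["added"]:
        print("ADDED:  ", rule)
    for rule in rep["removed"]:
        print("REMOVED:", rule)
```

On the sample data the report shows the SSH rule as widened (source grew from 10.0.0.0/8 to 0.0.0.0/0), the RDP rule as added, and the original SSH rule as removed. The comparison is set-based; on first-match firewalls a rule that merely moved above a deny also changes behavior, so a position comparison belongs alongside this check.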

There are two basic ways to test. The first is to install testing tools on a laptop and conduct point or data-path tests, including:

  • Looking for the illegal or unwanted transmission of data between a system connected to the internal network and a device somewhere on the Internet.
  • Checking whether packets characteristic of known exploits or network-fingerprinting activity are allowed to pass.
  • Checking whether packets destined for restricted network segments are blocked or passed as expected.

《endurer's note: 1. be destined for: to be sent to..., to be designated for...》

Additional tests should be defined based on the expected behavior of the firewall or data path. This requires a thorough understanding of how traffic is supposed to flow under one or more firewall configurations. A list of firewall testing tools is available in an April 24 post at Security-Hacks.com.

《endurer's note: 1. expected behavior: the behavior one anticipates
2. thorough understanding: a comprehensive understanding》
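The third bullet above, and the "additional tests" paragraph, both come down to the same exercise: write down what the policy says should happen for each destination and port, probe from the laptop, and compare. The Python script below is an added example for this post (not code from the original or from any tool it names). `Expectation`, `probe_tcp` and `verify` are constructed names; the sample table points at a throwaway listener and a closed port on loopback so that it runs offline. In a real data-path test the table lists hosts and ports on the far side of the firewall under test, and the laptop is connected on the side whose view of the policy you want to confirm. The probe distinguishes a completed handshake, a refusal (RST) and silence before the timeout, because a firewall that silently drops and one that rejects look different on the wire even though both count as "blocked".

```python
"""Data-path test: probe a table of destinations and compare what is observed
with what the firewall policy says should happen.

Added example (not from the original post or any tool it names). The names
below are constructed; the demo uses loopback fixtures so it runs offline.
"""
import socket
import socketserver
import threading
from dataclasses import dataclass


@dataclass
class Expectation:
    name: str
    host: str
    port: int
    expect: str   # "open" (policy permits) or "blocked" (policy denies)


def probe_tcp(host: str, port: int, timeout: float = 2.0) -> str:
    """Classify one TCP destination:
    'open'     - handshake completed, traffic is passing;
    'refused'  - an RST came back (closed port, or a firewall that rejects);
    'filtered' - no answer before the timeout (a firewall silently dropping)
                 or the network reported the destination unreachable."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except OSError:          # covers socket.timeout / TimeoutError and EHOSTUNREACH
        return "filtered"
    finally:
        sock.close()


def verify(table, prober=probe_tcp) -> list:
    """Return (name, expected, observed, ok) per row. 'refused' and 'filtered'
    both count as blocked; a mismatch is a behavior problem to chase down in
    the rule base or along the path (NAT, routing, a second firewall)."""
    findings = []
    for row in table:
        observed = prober(row.host, row.port)
        ok = (observed == "open") == (row.expect == "open")
        findings.append((row.name, row.expect, observed, ok))
    return findings


# --- loopback fixtures so the demo needs no network --------------------------
class _Accept(socketserver.BaseRequestHandler):
    def handle(self):
        self.request.recv(1)   # complete the handshake, then let the peer go


def start_local_listener():
    srv = socketserver.TCPServer(("127.0.0.1", 0), _Accept)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def unused_local_port() -> int:
    with socket.socket() as s:          # bind to 0, read the port, release it
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo() -> list:
    srv, open_port = start_local_listener()
    closed_port = unused_local_port()
    table = [  # constructed expectation table
        Expectation("web tier reachable from user LAN", "127.0.0.1", open_port, "open"),
        Expectation("management port blocked from user LAN", "127.0.0.1", closed_port, "blocked"),
        # Deliberately wrong expectation, to show what a mismatch looks like.
        Expectation("policy says blocked, path is open", "127.0.0.1", open_port, "blocked"),
    ]
    try:
        return verify(table)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for name, expected, observed, ok in demo():
        print(f"{'OK  ' if ok else 'FAIL'} {name}: expected {expected}, observed {observed}")
```

Run from the segment you are testing, the FAIL rows are the ones worth a ticket; keep the table in version control next to the policy so it is re-run after every rule change rather than once.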

The second way to test is to use online vulnerability testing sites. This is a great method if you're simply testing your protection against external threats. One of the best is located at grc.com. You can use this online utility, called Shields Up, to check Internet access to all or selected ports on the test machine. Assuming no local software firewall is running on the endpoint device used for testing, this is a good way to validate the configuration of one or all firewalls between a user and the Internet, depending on where you connect the testing device.

It doesn't matter which approach you take to verify configuration effectiveness. All that really matters is that you actually test the expected behavior of your firewalls. That takes "assumption of defense" off the table.

《endurer's note: 1. It doesn't matter: this is of no consequence》