Network firewall test methods and apparatus
2 Assignments
0 Petitions
Abstract
A test method for Internet-Protocol packet networks is described that verifies the proper functioning of a dynamic pinhole filtering implementation and also quantifies network vulnerability statistically as pinholes are opened and closed. Specific potential security vulnerabilities that may be addressed through testing include:
1) excessive delay in opening pinholes, resulting in an unintentional denial of service;
2) excessive delay in closing pinholes, creating a closing-delay window of vulnerability;
3) measurement of the length of various windows of vulnerability;
4) setting a threshold on a window of vulnerability such that an alert is triggered when a predetermined value is exceeded;
5) determination of incorrectly allocated pinholes, resulting in a denial of service;
6) determination of extraneous pinhole/IP address combinations opened through a firewall, which increase the network vulnerability through unrecognized backdoors; and
7) determination of an inability to correlate call state information with dynamically established rules in the firewall.
94 Citations
Claims (20 in total; the three independent claims are reproduced below)

1. A firewall test system, comprising:
   a first test device located on a first side of said firewall, the first test device including:
   i) a session signal generator for transmitting a communications session initiation signal using an Internet Protocol (IP) address corresponding to said signal source to establish a communications session to be conducted through said firewall; and
   ii) a probe signal generator for generating test signals at a range of ports in the first side of said firewall through which media signals may be transmitted when said ports are open, said test signals including said IP address;
   a second test device located on a second side of said firewall, the second test device including:
   a traffic analyzer for monitoring the second side of said firewall to detect any transmitted test signals that pass through said firewall; and
   an analysis module for identifying any open ports that are not associated with an established communications session, which passed at least one of said transmitted test signals, as erroneously open ports.
   (Dependent claims 2 to 8 not reproduced.)

9. A method comprising:
   transmitting a communication session initiation signal to establish a communication session through a firewall for passing communications between a device on a first side of the firewall and a device on a second side of the firewall;
   transmitting test signals, from the first side of the firewall destined to the second side of the firewall, after initiation of the communication session and prior to termination of the communication session, to a range of ports;
   monitoring the second side of the firewall to detect the test signals that pass through the firewall; and
   identifying, based on the monitoring, an open port that is not associated with the communication session, which passed one of the transmitted test signals, as an erroneously open port.
   (Dependent claims 10 to 14 not reproduced.)

15. A system comprising:
   a firewall to receive a communication session initiation signal to establish a communication session through the firewall for passing communications between a device on a first side of the firewall and a device on a second side of the firewall;
   a receiver to monitor the second side of the firewall to receive test signals that pass through the firewall, wherein the test signals were transmitted to a range of ports, after initiation of the communication session and prior to termination of the communication session, from the first side of the firewall to the second side of the firewall;
   a processor to identify, based on the monitoring by the receiver, an open port that is not associated with the communication session, which passed one of the transmitted test signals, as an erroneously open port.
   (Dependent claims 16 to 20 not reproduced.)
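The following is an added worked example, not code from the patent or from any product it covers. It simulates the test described in the abstract and in claims 1, 9 and 15: a session is initiated, probe signals carrying the session's source IP are sent to a range of ports while the session is up, a traffic analyzer on the far side records which probes pass, and an analysis module flags ports that passed without belonging to the session. The same run measures the opening-delay and closing-delay windows, raises an alert when a window exceeds a threshold, and re-probes from a second source address to expose pinhole/IP combinations the session never named (items 1, 2, 3, 4, 5 and 6 of the abstract). The firewall itself is a constructed stand-in with configurable delays and defects; all class, function and parameter names, the port numbers and the IP addresses are assumptions made for the example, and the sample times are a constructed probing schedule.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed simulation of the pinhole-filter test; added example, no names
# below come from the patent. Times are absolute seconds in a toy timeline.


@dataclass
class Pinhole:
    port: int
    src_ip: str
    opens_at: float                  # time the dynamically installed rule takes effect
    closes_at: Optional[float] = None  # None while the session is still up


class SimulatedFirewall:
    """Stand-in for the firewall under test (assumed model, not a real product).
    A session opens a pinhole for (port, source IP) after `open_delay`; ending
    the session removes it after `close_delay`. `static_holes` are ports that
    pass regardless of any session, the defect the analysis module must flag.
    `match_src_ip=False` models a filter that ignores the packet's source."""

    def __init__(self, open_delay=0.0, close_delay=0.0, static_holes=(), match_src_ip=True):
        self.open_delay = open_delay
        self.close_delay = close_delay
        self.static_holes = set(static_holes)
        self.match_src_ip = match_src_ip
        self.pinholes = []

    def session_start(self, port, src_ip, now):
        self.pinholes.append(Pinhole(port, src_ip, now + self.open_delay))

    def session_end(self, port, src_ip, now):
        for hole in self.pinholes:
            if hole.port == port and hole.src_ip == src_ip and hole.closes_at is None:
                hole.closes_at = now + self.close_delay

    def passes(self, port, src_ip, now):
        """Would a packet to `port` from `src_ip` cross the firewall at `now`?"""
        if port in self.static_holes:
            return True
        return any(h.port == port
                   and (not self.match_src_ip or h.src_ip == src_ip)
                   and h.opens_at <= now
                   and (h.closes_at is None or now < h.closes_at)
                   for h in self.pinholes)


def probe_ports(fw, ports, src_ip, now):
    """Probe signal generator (first side) plus traffic analyzer (second side):
    one test signal per port, tagged with src_ip; returns the ports whose
    probe was observed on the far side."""
    return [p for p in ports if fw.passes(p, src_ip, now)]


def run_scenario(fw, ports, src_ip, other_ip, session_port,
                 t_start, t_end, sample_times, threshold):
    """Drive one session through the firewall, probe at every sample time and
    return the measurements the abstract lists. Delay values are bounded by
    the probing interval, so a finer schedule gives tighter windows."""
    fw.session_start(session_port, src_ip, t_start)
    fw.session_end(session_port, src_ip, t_end)      # scheduled in absolute time
    session_open_seen = []                           # times the session port passed
    erroneous, extraneous = set(), set()
    for now in sorted(sample_times):
        passed = probe_ports(fw, ports, src_ip, now)
        if session_port in passed:
            session_open_seen.append(now)
        if t_start <= now < t_end:                   # claim 9: probes during the session
            # analysis module: open ports not associated with the session
            erroneous.update(p for p in passed if p != session_port)
            # a pinhole that also admits a source the session never named
            extraneous.update(probe_ports(fw, ports, other_ip, now))
    opening_delay = min(session_open_seen) - t_start if session_open_seen else None
    closing_delay = max(0.0, max(session_open_seen) - t_end) if session_open_seen else None
    windows = {"opening_delay": opening_delay, "closing_delay": closing_delay}
    alerts = sorted(k for k, v in windows.items() if v is not None and v > threshold)
    return {**windows, "erroneously_open": sorted(erroneous),
            "extraneous": sorted(extraneous), "alerts": alerts}


def demo():
    """Two constructed firewalls: one with slow open/close and a static hole on
    port 5009, one with no delays that ignores the source address."""
    ports = range(5000, 5011)
    times = [i * 0.5 for i in range(17)]             # probe every 0.5 s from 0.0 to 8.0
    strict = run_scenario(SimulatedFirewall(open_delay=0.4, close_delay=1.2, static_holes={5009}),
                          ports, "10.0.0.5", "192.0.2.77", 5004,
                          t_start=1.0, t_end=5.0, sample_times=times, threshold=0.75)
    lax = run_scenario(SimulatedFirewall(match_src_ip=False),
                       ports, "10.0.0.5", "192.0.2.77", 5004,
                       t_start=1.0, t_end=5.0, sample_times=times, threshold=0.75)
    return strict, lax


if __name__ == "__main__":
    for name, result in zip(("strict", "lax"), demo()):
        print(name, result)
```

In the first scenario the session port only answers probes from 1.5 s onward and is still open at the 6.0 s probe, so the run reports an opening delay of 0.5 s, a closing delay of 1.0 s (above the 0.75 s threshold, hence an alert), and port 5009 as erroneously open. In the second, the delays are zero and nothing is statically open, but the session pinhole also admits probes from 192.0.2.77, which is reported as an extraneous port/IP combination.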
Specification