[fw-wiz] Real Traffic Testing

From: Gianpiero Porchia (gianpiero.porchia_at_atsweb.it)
Date: 10/24/03

    To: "Firewall-Wizards" <firewall-wizards@honor.icsalabs.com>
    Date: Fri, 24 Oct 2003 10:10:30 +0200
    
    

    Hi,

    We are evaluating a new firewall technology. Instead of testing it in a lab,
    we would like to test it in a production environment. The idea should be the
    following:

    - Get the production traffic (for example using TAPs)
    - Send the traffic to the new firewall
    - Look at the firewall behaviour

    The schema should be:

             OUTSIDE
                |
                |TAP-1
                +-----------------------+
                |                       |
            ---------              ----------
            |  FW   |              | FW-test|
            ---------              ----------
                |                       |
                |TAP-2                  |
                +-----------------------+
                |
                |
             INSIDE

    - Get traffic from OUTSIDE to INSIDE using TAP-1
    - Get traffic from INSIDE to OUTSIDE using TAP-2

    The objectives (i.e. why we want to use production traffic):
    - Testing FW-test for performance (looking at its resources) in OUR real
    world environment;
    - Testing FW-test for configuration. Looking at log files we want to get the
    identical configuration of FW, so we can switch to FW-test with minimal
    troubles.

    The problems:
    - The traffic is directed to the MAC address of FW, so FW-test will drop it;
    - The traffic passing through the TAPs is a function of the configuration of
    FW (but it's a minor problem, since we pretend to have the same
    configuration on FW-test);

    Have you some idea to get the objectives?

    Thanks.

    - gian
    _____

    Ing. Gianpiero Porchia
    Security Engineer

    ATS - Advanced Telecom Systems
    Designing, Testing, Managing Network Quality

    Via Salgari, 17 - 41100 Modena - ITALY
    Tel +39 059 821332
    Fax +39 059 821492
    Cel +39 335 330413
    E-mail: gianpiero.porchia@atsweb.it
    messenger.msn.com: http://messenger.msn.com/, gianpiero.porchia@atsweb.it
    Web site: http://www.atsweb.it

    PGP Key ID: 0xCAE064A4 (pgpkeys.mit.edu:11371)
    Fingerprint: 080D AD88 C18A FCA3 91BC 0DF2 F05F 7489 CAE0 64A4

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
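
The first problem listed in the message (tapped frames carry FW's destination MAC, so FW-test drops them) is shown below as an added example that is not part of the original post: it models the destination filter of a non-promiscuous NIC and rewrites the destination MAC of tapped frames before they are replayed toward FW-test. All MAC addresses, frames and function names are constructed assumptions.

```python
import struct

# Constructed addresses and frames (assumptions, not from the original post).
FW_MAC = bytes.fromhex("02000000aa01")       # production firewall
FW_TEST_MAC = bytes.fromhex("02000000bb02")  # firewall under test
OTHER_MAC = bytes.fromhex("02000000cc03")    # unrelated host on the segment
ROUTER_MAC = bytes.fromhex("02000000dd04")   # upstream sender
BROADCAST = b"\xff" * 6

def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Ethernet II header (dst, src, ethertype) followed by the payload."""
    return dst + src + struct.pack("!H", ethertype) + payload

def nic_accepts(nic_mac: bytes, frame: bytes) -> bool:
    """Destination filter of a non-promiscuous NIC (multicast filters omitted)."""
    return frame[:6] in (nic_mac, BROADCAST)

def retarget(frame: bytes, old_dst: bytes, new_dst: bytes) -> bytes:
    """Swap the destination MAC only on frames addressed to old_dst.

    Everything after the first 6 bytes is untouched, so IP/TCP checksums stay
    valid; the Ethernet FCS is regenerated by the NIC that retransmits the frame.
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    return new_dst + frame[6:] if frame[:6] == old_dst else frame

def prepare_for_test_fw(tapped):
    """Return the tapped frames as they should be replayed toward FW-test."""
    return [retarget(f, FW_MAC, FW_TEST_MAC) for f in tapped]

TAPPED = [
    build_frame(FW_MAC, ROUTER_MAC, 0x0800, b"ip-packet-1"),     # routed via FW
    build_frame(BROADCAST, ROUTER_MAC, 0x0806, b"arp-request"),  # broadcast
    build_frame(OTHER_MAC, ROUTER_MAC, 0x0800, b"ip-packet-2"),  # not for FW
]

if __name__ == "__main__":
    for before, after in zip(TAPPED, prepare_for_test_fw(TAPPED)):
        print(before[:6].hex(":"), "->", after[:6].hex(":"),
              "accepted by FW-test:", nic_accepts(FW_TEST_MAC, after))
```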

