Firewalls: Jumpstart for Network and Systems Administrators

Appendix J: Avoiding Disruption of Service to Maintain Availability

A denial-of-service (DoS) attack is one that is intended to compromise the availability of a computing resource. Common DoS attacks include ping floods and mail bombs, both of which are intended to consume disproportionate amounts of resources, starving legitimate processes. Other attacks target bugs in software and are intended to crash the system; the infamous ping of death and teardrop attacks are examples of these.

DoS attacks can be leveraged to subvert systems (thus compromising more than availability) and disable them. When discussing the relevance of DoS attacks to a security system, the question of whether the system is fail-open arises. A fail-open system ceases to provide protection when it is disabled by a DoS attack. A fail-closed system, on the other hand, leaves the network protected when it is forcibly disabled.

The terms fail-open and fail-closed are most often heard within the context of firewalls, which are access-control devices for networks, as previously explained in this book. A fail-open firewall stops controlling access to the network when it crashes but leaves the network reachable. An attacker who can crash a fail-open firewall can bypass it entirely. Good firewalls are designed to fail closed, leaving the network completely inaccessible (and thus protected) if the firewall crashes.
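The difference between the two failure modes is easiest to see in code. The following toy packet filter is an added example (not code from the book): a small rule engine with a first-match, default-deny policy, wrapped by a function that decides what to do when the engine itself is unavailable. The `healthy` hook, the `Packet`/`Rule` types and the sample addresses are all constructed for illustration; they stand in for a real forwarding path being crashed or starved of resources by a DoS attack.

```python
"""Toy packet filter contrasting fail-open and fail-closed behaviour (added example)."""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional


class Verdict(Enum):
    ALLOW = "allow"
    DENY = "deny"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    dst: Optional[str]    # None matches any destination address
    dport: Optional[int]  # None matches any destination port
    verdict: Verdict


class PolicyEngine:
    """Ordered rule list; first match wins, unmatched traffic is denied."""

    def __init__(self, rules: List[Rule], healthy: Callable[[], bool] = lambda: True):
        self.rules = rules
        # Hypothetical hook: returns False to simulate the engine being crashed
        # or starved of resources by a DoS attack.
        self.healthy = healthy

    def evaluate(self, pkt: Packet) -> Verdict:
        if not self.healthy():
            raise RuntimeError("policy engine unavailable")
        for rule in self.rules:
            dst_ok = rule.dst is None or rule.dst == pkt.dst
            port_ok = rule.dport is None or rule.dport == pkt.dport
            if dst_ok and port_ok:
                return rule.verdict
        return Verdict.DENY  # default deny when the engine is working normally


def filter_packet(engine: PolicyEngine, pkt: Packet, fail_closed: bool) -> Verdict:
    """Forwarding decision, including the case where the engine has failed.

    fail_closed=True  -> a crashed engine blocks all traffic (network protected).
    fail_closed=False -> a crashed engine passes all traffic (firewall bypassed).
    """
    try:
        return engine.evaluate(pkt)
    except RuntimeError:
        return Verdict.DENY if fail_closed else Verdict.ALLOW


# Constructed sample policy: only HTTPS to one host is permitted.
SAMPLE_RULES = [Rule(dst="10.0.0.5", dport=443, verdict=Verdict.ALLOW)]
SAMPLE_PACKETS = {
    "https": Packet(src="203.0.113.7", dst="10.0.0.5", dport=443),
    "ssh": Packet(src="203.0.113.7", dst="10.0.0.5", dport=22),
}


def simulate(fail_closed: bool, engine_up: bool) -> Dict[str, str]:
    """Return the verdict for each sample packet under the given conditions."""
    engine = PolicyEngine(SAMPLE_RULES, healthy=lambda: engine_up)
    return {
        name: filter_packet(engine, pkt, fail_closed).value
        for name, pkt in SAMPLE_PACKETS.items()
    }


if __name__ == "__main__":
    for mode in (True, False):
        for up in (True, False):
            label = "fail-closed" if mode else "fail-open"
            state = "engine up" if up else "engine crashed"
            print(f"{label:11} / {state:14}: {simulate(mode, up)}")
```

With the engine healthy, both modes behave identically (HTTPS allowed, SSH denied). Once the engine is down, the fail-open wrapper passes the SSH packet that the policy would have blocked, which is exactly the bypass the text describes. In real deployments the fail-closed behaviour has to be enforced below the component that can fail (for example, a forwarding path that drops everything unless the policy engine has explicitly programmed it), since a crashed process cannot run its own exception handler.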

Network intrusion detection systems (IDSs) are passive; they do not control the network or maintain its connectivity in any way. As such, a network IDS is inherently fail-open. If an attacker can crash the IDS or starve it of resources, she or he can attack the rest...
