My Foot – Your Firewall – Your Downtime — DOS and Failing Open or Closed «

My Foot – Your Firewall – Your Downtime — DOS and Failing Open or Closed

March 8th, 2010

Well in case you were wondering or cared what I’ve been up to… I have spent the past week with a soft cast on my foot. It was a huge pain, but I have to give my doc credit, he got me mobile again, and the past 7 days weren’t so bad.

You’re probably wondering what my foot is doing on a security blog? Well… in my opinion uptime can fall into the “realm” of security. We all know what Denial of Service attacks are. Do you consider downtime a denial of service? Say, what if your core router fails? Do you have a backup plan? Sure redundancy works, but not all companies can afford to have 2 core routers. Do you at least have 4 hour replacement? What if your IDS fails?

What if, for example, your firewall fails open? This happened with sonicwalls about a year ago. Their license server went down, so their failover model was to fail open. Basically all the IDS, AV and anti-spyware failed at the gateway/firewall level allowing everything in (malware, spyware, viruses, spam — if that was your only line of defense — which many SMBs use Sonicwalls as a their main security solution.) What drove me nuts is Sonicwall said it was a glitch in the switch over to a new license server model on the backend and by design it won’t happen again. I want to know what happened and why. How can you give that for an explanation? Anyways…

So I have 2 points here — do you know (for each of your “systems” — AV subscriptions, firewalls, switches, routers, update feeds, etc…) if they fail open or closed?

  • Can you control what happens?
  • Do you get notified when this happens?
  • What is your strategy for when this happens? (take system offline? block attachments? increase logging?)
  • When you create an RFP with a vendor for a product, do you ask these questions?

What is your strategy for when infrastructure software or hardware (AD, Security Feeds, hardware failure) goes down? Do you have priority replacement with your vendors?

  • Has your vendor agreed to contact you when they are having a problem?
  • Many do automatically, but many don’t.
  • Can you get these systems to a stable state in a short period of time?
  • Do you have spare hardware
  • Do you have clean configs ready?

What else should be in these lists?

My downtime strategy for my foot was to have crutches available (I’ve had foot problems before) then I could get to the class I teach, get to the Doctor, and get on with my life… I need to remember for next time to have painkillers on hand, which in this case — @therealjoetesta saved the day and brought some over so I could get out of the house! Kudos to Joe!