-
Notifications
You must be signed in to change notification settings - Fork 0
Testing and Verification
This page covers testing procedures to verify your Soft Data Diode deployment is properly hardened. For basic setup, see the main README.
The hardening folder in this repository includes scripts to test the ability of your infrastructure to repel attempts to backpropagate into the secure network.
The ddreflect.py is the simplest test. Before you have any mitigations in place, you may find that you are able to use it to return traffic. As you implement mitigations, verify that you can see return traffic, and then put one mitigation in place. Verify that it blocks the return path before removing it and starting the process again for the next mitigation.
The ddredirect.py allows you to also specify the return UDP port, and can test for the precense of more sophisticated scenarios where an attacker is able to redirect to another port to attempt to exploit other services on the sender than just ones that live on the sending port.
Once you have implemented iptables rules as described in Security Model and Hardening, you can verify they are working correctly:
- Run the test script from the hardening folder
- Watch iptables counters:
iptables -v -n -L - The counters should increase on your blocking rules if return traffic is being caught
- Use tcpdump or Wireshark to see if anything from the receiver is reaching the sender side
Important Note: tcpdump/libpcap sees packets before they hit the iptables firewall, so you may see traffic in tcpdump even if it's being dropped. Always verify using iptables counters.
Test each mitigation in isolation:
- Verify you can see return traffic without any mitigations
- Implement one mitigation
- Verify it blocks the return path
- Remove the mitigation
- Repeat for each mitigation
- Once all mitigations are verified individually, implement them all for defense in depth
Once you have verified each mitigation in isolation, implement all mitigations simultaneously. This provides defense in depth against backpropagation of traffic from the receiver to the sender.
Set up monitoring for these security events:
-
BACKPROPAGATION DROP:log entries from iptables - Blocked UDP packets from cloud server IPs
- Unexpected ICMP responses to sender
These events represent clear attack attempts and should trigger security alerts.
- Return to the main README for basic usage