tricore (Guest)
Posted: Thu Feb 01, 2007 2:58 am
Post subject: Poor-Man's Monitoring, the Smart Way
A lot of network monitoring is home-grown in scripts written by administrators, and the backbone of such monitoring is our old friend Ping.
Ping was written for diagnostic purposes, and is a good and cheap choice for testing, on the fly, whether a system is alive. It's far from perfect; in order to prevent certain attacks (such as the dreaded Ping of Death) some firewalls and system configurations block the ICMP protocol on which Ping is based altogether.
But a positive result is a sign that the system is alive, right? Probably. Is that what you need to know? Probably not. You don't just need to know that the system you're pinging is alive, you need to know that the services on it are alive.
Specifically for security devices, it's not hard to imagine some examples that script easily and that can test functionality. Test an anti-virus gateway by copying a clean file and a copy of the EICAR virus test through it. This won't tell you if the anti-virus engine is up to date, but it will tell you if it's basically functional.
Firewalls and IDS/IPS lend themselves to testing by running brief attacks from the outside. You can maintain a cheap hosted account for this purpose. Similarly, you can test if a URL filter is alive by retrieving a specific URL that you have blacklisted, or something actually offensive if you wish.
We like to roll up the results of such tests into an e-mail sent to a special address, and put "FAILURE" in the subject line if it's merited. Let the computers do all the work.
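As an added example (not code from the post), a small Python harness for the service-level checks tricore describes: each check states what a healthy device should do with a transfer, a probe that errors out counts as a failure, and the results roll into an e-mail subject that starts with FAILURE only when merited. The live probe `http_transfer_ok`, the check names and the stub outcomes in `demo()` are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple
import urllib.error
import urllib.request

@dataclass
class Check:
    name: str
    probe: Callable[[], bool]  # True if the transfer went through, False if it was blocked
    expect_success: bool       # what a healthy device should do with this transfer

def http_transfer_ok(url: str, timeout: float = 10.0) -> bool:
    """Live probe for an AV gateway or URL filter (assumed): 2xx means the transfer went
    through, a block page (HTTPError) means blocked; connection errors propagate to run_check."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return 200 <= resp.status < 300
    except urllib.error.HTTPError:
        return False

def run_check(check: Check) -> Tuple[str, bool, str]:
    """Returns (name, passed, detail); a probe that blows up counts as a failed check."""
    try:
        went_through = check.probe()
    except Exception as exc:  # timeout, DNS failure, refused connection
        return check.name, False, f"probe error: {exc}"
    expected = "success" if check.expect_success else "block"
    observed = "went through" if went_through else "was blocked"
    return check.name, went_through == check.expect_success, f"transfer {observed}, expected {expected}"

def build_report(results: List[Tuple[str, bool, str]]) -> Tuple[str, str]:
    """Roll results into (subject, body); FAILURE leads the subject only when merited."""
    failed = [r for r in results if not r[1]]
    subject = f"{'FAILURE' if failed else 'OK'}: {len(failed)} of {len(results)} service checks failed"
    body = "\n".join(f"[{'PASS' if ok else 'FAIL'}] {name}: {detail}" for name, ok, detail in results)
    return subject, body

def demo() -> Tuple[str, str]:
    """Constructed scenario with stub probes instead of live HTTP: the AV gateway is healthy,
    but the URL filter lets a blacklisted URL through, so the report must say FAILURE."""
    checks = [
        Check("AV gateway passes clean file", lambda: True, expect_success=True),
        Check("AV gateway blocks EICAR test file", lambda: False, expect_success=False),
        Check("URL filter blocks blacklisted URL", lambda: True, expect_success=False),
    ]
    return build_report([run_check(c) for c in checks])
```

In production each stub `lambda` would be replaced by `lambda: http_transfer_ok(url)` for the relevant URL, and the returned subject and body handed to smtplib or sendmail.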