Firewalls are the gatekeepers to your network. Testing your firewall to ensure it performs correctly is vital to network security.
Firewall penetration testing emulates attacks that real network intruders employ.
Interviewing the systems personnel who design and implement changes to firewall policies can also be enlightening. Department reorganizations may result in significant differences between the intent of a policy and its implementation.
Configuration
Using various tools and techniques, you can examine your firewall’s configuration to verify that it is aligned with your expectations or intended structure. Performing this hands-on verification allows you to identify gaps or deviations in your firewall’s security capabilities.
Firewall rules are one of the most powerful security measures you can put in place to control network traffic. When properly configured, firewall rules can help prevent unwanted intrusions and malware attacks. Limiting the number of rules that allow untrusted traffic in and out of your network is essential for maximum security. To do this, make your rules as specific to the source and destination IP addresses and ports as possible. Applying inbound and outbound access control lists (ACLs) to every interface or subinterface on your firewall is also a good idea.
Testing your firewall from the outside is a great way to see how well it defends against common threats such as file sharing, port scanning, and all-ports-and-services scans. Many free tools can perform these tests. It’s a good idea to run these tests in Tap or Inline mode, with the action set to Log Only, so the firewall analyzes the traffic without dropping it.
Scan
A firewall is a critical piece of the security puzzle, but it cannot be relied on to protect the networks behind it fully. In addition to ensuring that the firewall configuration is as expected, it’s also important to periodically check for vulnerabilities to ensure that it still protects the infrastructure from malicious activity.
One way to evaluate a firewall’s effectiveness is to use tools that can scan for vulnerabilities. This is commonly known as firewall penetration testing or simply “firewall testing.” It involves using techniques based on the attacks real network intruders would use to try to breach the target host firewall.
Some standard techniques used to test a firewall include banner grabbing, port scanning, and pinging. Banner grabbing is a technique that sends custom-made connection requests to the firewall and looks for specific responses that indicate which firewall product and version is in use. This information can then be used to look up known exploits for that version.
Port scanning is a popular technique that can help identify open ports and vulnerabilities, and is usually done with automated scanning tools. When running these tools, limiting the number of simultaneous connections is essential to reduce the chance of the firewall becoming overwhelmed and dropping connections. Dropped connections can cause the scanner to miss open ports and vulnerabilities.
Logging
One of the most essential functions of adequate firewall protection is the ability to detect attacks. A firewall must proactively analyze and filter each packet of data that crosses the network and monitor its status to detect changes or anomalies. Firewall testing should determine whether the firewall and other machines within the target network can detect attacks launched from external hosts, even if the attacks are unsuccessful.
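As an added example (not part of the original article), the following script shows the kind of detection logic the paragraph above calls for: it reads constructed iptables-style log lines and flags a source whose blocked connection attempts touch many distinct ports within a short window, the trace a port scan leaves even when every probe is dropped. The log format, thresholds, and addresses are assumptions chosen for the example.

```python
# Added example (not from the original article): flag port-scan-like behaviour in
# constructed netfilter "LOG"-style firewall log lines. A source whose DROPped
# probes hit many distinct destination ports within a short window is reported.
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (assumed format; addresses are documentation ranges).
SAMPLE_LOG = """\
Mar  3 10:15:01 fw kernel: [DROP] IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=40001 DPT=22
Mar  3 10:15:01 fw kernel: [DROP] IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=40002 DPT=23
Mar  3 10:15:02 fw kernel: [DROP] IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=40003 DPT=25
Mar  3 10:15:02 fw kernel: [DROP] IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=40004 DPT=80
Mar  3 10:15:03 fw kernel: [DROP] IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=40005 DPT=443
Mar  3 10:15:04 fw kernel: [ACCEPT] IN=eth0 SRC=192.0.2.44 DST=203.0.113.5 PROTO=TCP SPT=51000 DPT=443
Mar  3 10:20:00 fw kernel: [DROP] IN=eth0 SRC=192.0.2.44 DST=203.0.113.5 PROTO=TCP SPT=51001 DPT=22
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: \[(?P<action>\w+)\] .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\w+) SPT=\d+ DPT=(?P<dpt>\d+)")

def parse(line, year=2024):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "action": m["action"], "src": m["src"], "dst": m["dst"], "dpt": int(m["dpt"])}

def detect_scans(log_text, min_ports=5, window_s=60):
    """Return {src: sorted distinct ports} for sources whose DROPped probes hit at
    least `min_ports` distinct destination ports within any `window_s` window."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse(line)
        if ev and ev["action"] == "DROP":
            events[ev["src"]].append((ev["ts"], ev["dpt"]))
    hits = {}
    for src, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):   # sliding window starting at each probe
            ports = {p for t, p in evs[i:] if (t - start).total_seconds() <= window_s}
            if len(ports) >= min_ports:
                hits[src] = sorted(ports)
                break
    return hits

if __name__ == "__main__":
    print(detect_scans(SAMPLE_LOG))
```

The benign source with a single dropped attempt is not reported; only the source that probed five ports in three seconds is.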
A recurring issue is the failure of IT personnel to properly maintain or review firewall policies, resulting in the loss of valuable security protections. This problem is often exacerbated by the fact that firewall systems are managed in the context of other IT systems, and department reorganizations can result in different people being responsible for the same firewall system at various times.
To identify potential weaknesses in the configuration of a firewall, security personnel should perform penetration testing from outside the network. These tests should use techniques based on the actual attacks that real network intruders launch. The testing methodology typically proceeds in four distinct attack layers. Layer 1 consists of non-obtrusive, proximate information gathering, while layers 2 and 3 entail intrusive attempts to penetrate the firewall and target hosts. During this test phase, it’s also essential to determine whether the firewall allows scanning of the host network by examining the results of crafted ping requests. This can be accomplished using a port scanner.
Performance
Firewall rules dictate how traffic is handled. Some rules enable logging, alerting, and other security features, while others block unwanted traffic. Periodically “spring-cleaning” your firewall policies to eliminate conflicting or duplicate rules is good practice.
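The rule hygiene described in the Configuration section (rules pinned to specific sources, destinations, and ports) and the "spring-cleaning" of conflicting or duplicate rules above can both be checked mechanically. The following audit script is an added example, not code from the original article; its ruleset, field layout, and first-match semantics are assumptions.

```python
# Added example (not from the original article): audit a constructed firewall
# rule list for overly broad "allow" rules and for duplicate or shadowed rules.
# Rules are evaluated top to bottom, first match wins (assumed firewall model).
import ipaddress

# Constructed sample ruleset: (name, action, src_cidr, dst_cidr, proto, dst_port)
RULES = [
    ("allow-web",   "allow", "0.0.0.0/0",  "10.0.1.10/32", "tcp", "443"),
    ("allow-admin", "allow", "10.0.0.0/8", "10.0.1.0/24",  "tcp", "22"),
    ("allow-any",   "allow", "0.0.0.0/0",  "0.0.0.0/0",    "any", "any"),
    ("deny-telnet", "deny",  "0.0.0.0/0",  "10.0.1.0/24",  "tcp", "23"),
    ("allow-admin", "allow", "10.0.0.0/8", "10.0.1.0/24",  "tcp", "22"),
]

def is_broad(rule, max_prefix=16):
    """An allow rule is broad when it leaves protocol or port unrestricted, or
    when both endpoints are wider than a /max_prefix (neither side pinned down)."""
    _, action, src, dst, proto, port = rule
    if action != "allow":
        return False
    wide = [ipaddress.ip_network(c).prefixlen < max_prefix for c in (src, dst)]
    return proto == "any" or port == "any" or all(wide)

def covers(earlier, later):
    """True when every packet matching `later` already matched `earlier`,
    so `later` can never fire (a dead rule, whatever its action)."""
    _, _, s1, d1, p1, port1 = earlier
    _, _, s2, d2, p2, port2 = later
    return (ipaddress.ip_network(s2).subnet_of(ipaddress.ip_network(s1))
            and ipaddress.ip_network(d2).subnet_of(ipaddress.ip_network(d1))
            and p1 in ("any", p2) and port1 in ("any", port2))

def audit(rules):
    """Return (kind, rule_name, earlier_rule_name_or_None) findings in rule order."""
    findings = []
    for i, rule in enumerate(rules):
        if is_broad(rule):
            findings.append(("broad", rule[0], None))
        for earlier in rules[:i]:
            if covers(earlier, rule):
                kind = "duplicate" if earlier == rule else "shadowed"
                findings.append((kind, rule[0], earlier[0]))
                break
    return findings

if __name__ == "__main__":
    for kind, name, by in audit(RULES):
        print(f"{kind:9} {name}" + (f" (by {by})" if by else ""))
```

Note that the any/any rule is reported twice over: once as broad, and again indirectly because it shadows the later telnet deny, which is exactly the conflicting-rule case the text warns about.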
Whether your network is small or large, testing the performance of your firewall is essential. Testing helps determine your firewall’s maximum capacity, reliability, and security. It also ensures that you’re getting the best value from your investment.
There are several methods to test the performance of your firewall. One way is to rely on an apples-to-apples evaluation of vendor-supplied firewall products performed by an independent company or organization. However, this approach can be impacted by the near-universal tendency of vendors to provide only positive information about their products.
Another method is to use a penetration tester to identify potential gaps in the firewall. A penetration tester compares hard copies of extracted firewall policy configurations with the expected format to find potential holes.
However, using a penetration tester can be expensive, time-consuming, and inconvenient. Another option is to use a performance testing solution to test the performance of your firewall under different test conditions. These tests provide a clear and conclusive assessment of your firewall’s performance under real-world conditions. This allows you to make clear and accurate product decisions based on incontrovertible evidence.