Firewall testing is the process of ensuring that a firewall does its job correctly. Firewalls can be hardware, software or both, and while you are connected to the internet there may be multiple ports open on your networked computer.
When these ports are left open, attackers could attempt to plant a bot on your machine, turning it into a zombie, that is, part of a botnet.
There are many online services that will test your firewall for you; however, treat them with skepticism and do not put your trust in an online testing site, especially one that is trying to sell you its product.
In most instances, when your firewall is activated, testing is required to ensure that it’s configured properly and serves the intended purpose.
So what exactly is a firewall?
Firewalls are devices which provide security for a network through monitoring both the incoming and outgoing network traffic and determining whether specific packets should be allowed or blocked, primarily through a defined set of security rules.
For a long time now, firewalls have been considered the first line of protection in network security, because they establish a barrier between a trusted internal network and untrusted outside networks.
As previously mentioned, firewalls can be hardware, software or a combination of both.
Software-based firewalls
Software firewalls are installed on individual PCs on a network. In contrast to physical firewalls, software firewalls can easily distinguish between apps on a computer. As a result, they might allow data to one programme while blocking data to another. Software firewalls can filter incoming data as well as remote responses to incoming queries. The biggest downside of software firewalls for organisations is that they need installation, updating, and management on each individual machine.
Hardware-based firewalls
Hardware firewalls function similarly to routers, but with additional functionality. While many routers now include a built-in firewall, dedicated hardware firewalls offer more features. They sit between the router and the modem and serve as a barrier between the internal network and the Internet, preventing external security risks such as malware (worms, viruses, trojan horses and spyware) from getting in. By filtering data packets, hardware firewalls safeguard the whole network.
Firewall penetration testing
When it comes to testing a firewall from a pentesting perspective, there are 13 steps which should be followed. These steps range from locating the firewall and running a traceroute, to identifying the firewall's architecture and testing its policy.
How to test a firewall
The act of identifying, evaluating and breaching a specific firewall with the intention of gaining access to a system's internal network is known as firewall penetration testing. Firewall testing is an important part of network testing, since firewalls act as the first line of defence against outside attacks.
Phase 1 – Firewall discovery
Phase one of a firewall penetration test involves actually locating the firewall within the network. This can be done with a packet-sniffing tool (such as Wireshark or Nessus). The tester then sniffs for TCP, UDP or ICMP packets.
Hping is a better option for identifying unusual activity, depending on what the scan requires. By repeating scans, the list of services the firewall permits can be mapped.
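The discovery phase above comes down to reading the IP protocol field of each sniffed packet and, for TCP, the flags byte. The following is an added example, not code from the original article, of a minimal IPv4/TCP/UDP header parser of the kind a defender might run over a capture to see what protocols are crossing the firewall. The packets it parses are constructed in the block itself (the addresses are documentation ranges and checksums are left as zero); no live capture is needed.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

# IP protocol numbers the discovery phase looks for (IANA assigned values).
PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}
TCP_FLAG_NAMES = [(0x02, "SYN"), (0x10, "ACK"), (0x04, "RST"),
                  (0x01, "FIN"), (0x08, "PSH"), (0x20, "URG")]


@dataclass
class ParsedPacket:
    src: str
    dst: str
    protocol: str
    src_port: Optional[int]
    dst_port: Optional[int]
    tcp_flags: Optional[str]


def _ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_ipv4(raw: bytes) -> ParsedPacket:
    """Parse an IPv4 packet (no link-layer header) and classify its transport protocol."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    version = raw[0] >> 4
    ihl = (raw[0] & 0x0F) * 4            # header length in bytes (IHL is in 32-bit words)
    if version != 4 or ihl < 20 or len(raw) < ihl:
        raise ValueError("not a valid IPv4 header")
    proto = PROTOCOLS.get(raw[9], f"proto-{raw[9]}")
    src, dst = _ip_str(raw[12:16]), _ip_str(raw[16:20])
    payload = raw[ihl:]
    src_port = dst_port = None
    flags = None
    if proto == "TCP" and len(payload) >= 14:
        src_port, dst_port = struct.unpack("!HH", payload[:4])
        bits = payload[13]                # TCP flags byte
        flags = "|".join(name for bit, name in TCP_FLAG_NAMES if bits & bit) or "NONE"
    elif proto == "UDP" and len(payload) >= 8:
        src_port, dst_port = struct.unpack("!HH", payload[:4])
    return ParsedPacket(src, dst, proto, src_port, dst_port, flags)


def summarize(packets: List[bytes]) -> Dict[str, int]:
    """Count packets per transport protocol, the view a sniffer gives in phase 1."""
    counts: Dict[str, int] = {}
    for raw in packets:
        p = parse_ipv4(raw)
        counts[p.protocol] = counts.get(p.protocol, 0) + 1
    return counts


# --- Constructed sample packets (not captured traffic); checksums are left as zero. ---
def build_ipv4(src: str, dst: str, proto_num: int, payload: bytes) -> bytes:
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto_num, 0, src_b, dst_b)
    return header + payload


def tcp_segment(sport: int, dport: int, flags: int) -> bytes:
    # 20-byte TCP header: ports, seq, ack, data offset (5 words), flags, window, checksum, urgent ptr
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)


SAMPLE_PACKETS = [
    build_ipv4("203.0.113.5", "192.0.2.10", 6, tcp_segment(40000, 443, 0x02)),          # SYN to 443
    build_ipv4("192.0.2.10", "203.0.113.5", 6, tcp_segment(443, 40000, 0x12)),          # SYN/ACK reply
    build_ipv4("203.0.113.5", "192.0.2.10", 17, struct.pack("!HHHH", 5353, 53, 8, 0)),  # UDP to 53
    build_ipv4("203.0.113.5", "192.0.2.10", 1, bytes([8, 0, 0, 0, 0, 1, 0, 1])),        # ICMP echo request
]

if __name__ == "__main__":
    for raw in SAMPLE_PACKETS:
        print(parse_ipv4(raw))
    print(summarize(SAMPLE_PACKETS))
```

The parser honours the IHL field rather than assuming a 20-byte header, so packets carrying IP options are still decoded correctly; a real capture would also need the link-layer header stripped first.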
Phase 2 – Performing a Traceroute
To determine the network range, a pentester runs a command known as tracert (also commonly used for diagnosing TCP/IP issues) against the firewall discovered earlier. This phase also provides information on the route packets take between networks and identifies all the network devices involved in establishing connections.
Specific information about traffic-filtering devices and protocols may also be supplied.
Phase 3 – Scanning for open ports
The third stage of pen testing firewalls is where the tester performs a port scan. Nmap is the most commonly used tool, since it allows custom scans.
During this phase, you will identify not only the open ports on a network's firewall, but also the services that run behind those open ports. Using Nmap, one may design a scan that specifies the scan type and scan timing, among other options.
Phase 4 – Banner Grabbing
Banner grabbing a firewall tells you its version. This data may then be used to find known vulnerabilities which might help penetrate the firewall.
The importance of assessing any firewall is often understated: crafting specific packets and scanning the firewall with them is a critical step, with the goal of evoking various firewall replies and discovering the type of firewall you are attempting to circumvent.
In order to get as much information as possible, a penetration tester needs to run multiple distinct iterations of a scan using Hping or Nmap. Each scan should use different flags and protocols (TCP, UDP) to attempt to establish a connection. Experimenting with various protocols and connection parameters will also extract the most interesting data from the target firewall.
Phase 5 – Identifying Firewall Architecture
Sending packets to the previously identified firewall ports gives the tester a comprehensive list of ports and their status. The tester can then observe the firewall's reaction and map out the open ports by eliciting replies on specific ports. Furthermore, the firewall's answers tell the tester whether a connection was denied or silently blocked.
Hping, Hping2 or Nmap can be used to perform this operation. Once the scan starts, the targeted firewall returns specific packets that reveal the action it took in response. A port is considered "open" if the firewall answers with a SYN/ACK.
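The scans described in phases 3 and 5 leave a distinctive pattern in the firewall's own logs: one source touching many different destination ports in a short window, most of them dropped, with the accepted ones being exactly what the scanner learned. The following is an added example, not code from the original article, of the detection a defender runs over such logs. The log format is a constructed simplification of netfilter-style logging, the addresses are documentation ranges, and the sample lines are generated in the block itself.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed log format modelled on netfilter logging; field order is fixed in this example.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) \S+ kernel: FW-(?P<action>ACCEPT|DROP) .*?SRC=(?P<src>\S+) "
    r".*?DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line: str) -> Optional[dict]:
    """Turn one log line into a dict; returns None for lines that are not firewall events."""
    m = LOG_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    event["dpt"] = int(event["dpt"])
    return event


def detect_port_scans(lines: List[str], window_seconds: int = 60,
                      min_ports: int = 10) -> Dict[str, dict]:
    """Flag sources that touched at least `min_ports` distinct ports within any `window_seconds` window."""
    by_src: Dict[str, list] = defaultdict(list)
    for line in lines:
        event = parse_line(line)
        if event:
            by_src[event["src"]].append(event)

    alerts: Dict[str, dict] = {}
    window = timedelta(seconds=window_seconds)
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        peak = 0
        start = 0
        # Sliding window: for each event, count the distinct ports seen in the preceding window.
        for end in range(len(events)):
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            peak = max(peak, len({e["dpt"] for e in events[start:end + 1]}))
        if peak >= min_ports:
            alerts[src] = {
                "distinct_ports": peak,
                "events": len(events),
                "dropped": sum(1 for e in events if e["action"] == "DROP"),
                # The ports the scanner learned were open: the ones the firewall let through.
                "accepted_ports": sorted({e["dpt"] for e in events if e["action"] == "ACCEPT"}),
            }
    return alerts


# --- Constructed sample log: one source sweeping 12 ports in 12 seconds, one normal HTTPS client. ---
def _line(ts: str, action: str, src: str, dpt: int) -> str:
    return (f"{ts} gw kernel: FW-{action} IN=eth0 OUT= SRC={src} DST=192.0.2.10 "
            f"PROTO=TCP SPT=40000 DPT={dpt} FLAGS=SYN")


SCAN_PORTS = [21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389, 8080]
SAMPLE_LOG = [
    _line(f"2024-03-14T10:00:{i:02d}Z", "ACCEPT" if port == 443 else "DROP", "203.0.113.5", port)
    for i, port in enumerate(SCAN_PORTS)
] + [
    _line(f"2024-03-14T10:0{i}:30Z", "ACCEPT", "198.51.100.7", 443) for i in range(3)
] + ["2024-03-14T10:03:00Z gw sshd[1234]: Accepted publickey for ops from 10.0.0.4"]  # unrelated line

if __name__ == "__main__":
    for src, alert in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan from {src}: {alert}")
```

The threshold and window are deliberately parameters: a slow scan spread over hours will slip under a 60-second window, so a production detector would keep per-source state across a longer horizon, at the cost of more memory.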
Phase 6 – Testing Firewall Security Policies
There are two methods for testing firewall rules. To detect possible flaws, the tester either compares the information gathered from the firewall's policy configuration against the expected configuration, or performs actions against the target firewall to confirm that it behaves as the expected configuration dictates.
Phase 7 – Redirection of ports
Port redirection testing is an integral step which can lead to further penetration of a network: if the port a tester is looking for is not accessible, other techniques can be employed to bypass the limitation.
If a pen tester has successfully breached the target system and wants to bypass the firewall, the tester can install software that listens on particular port numbers; this is known as port redirection.
Phase 8 – External + Internal Testing
Internal penetration tests are similar to vulnerability assessments; however, they go well beyond the scope of a simple scan in that they attempt to exploit vulnerabilities, usually ending in a determination of what information in the network is genuinely accessible.
To cover all bases, the tester will send packets from outside of the targeted network in order to assess the received packet information from within the target network itself.
Phase 13 – Identify Vulnerabilities in the firewall
Checking a firewall for vulnerabilities is largely a matter of ensuring that there are no misconfigurations; misconfiguration is one of the most common ways an attacker gains access to a network. Through proper configuration of a firewall, you can reduce the risk of an attacker breaching the network.
In some instances, printers and file-sharing servers are left running on specific open ports, which can also allow an attacker to bypass the firewall; the only way to assure complete network security is to disable any services that are deemed unnecessary.
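Both the policy comparison in phase 6 and the misconfiguration check in phase 13 reduce to the same job: parse the live ruleset, diff it against the approved policy, and flag ACCEPT rules that expose services such as printing or file sharing to non-internal sources. The following is an added example, not the article's own code or any vendor's tool, that does this for a simplified iptables-save style rule format (only the -A, -s, -p, --dport and -j options are handled). The rulesets, the "risky services" shortlist and the RFC 1918 test for "internal" are all constructed assumptions for the example.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed shortlist of services that rarely need to be reachable from outside the network.
RISKY_SERVICES = {23: "telnet", 139: "netbios-ssn", 445: "smb", 515: "lpd",
                  631: "ipp", 9100: "jetdirect", 3389: "rdp"}
# "Internal" here means a source range wholly inside an RFC 1918 private block (an assumption).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

RuleKey = Tuple[str, str, str, object, str]


def parse_rule(line: str) -> dict:
    """Parse a simplified iptables-save style rule (subset: -A, -s, -p, --dport, -j)."""
    rule = {"chain": None, "src": "0.0.0.0/0", "proto": "all", "dport": None, "action": None}
    tokens = line.split()
    i = 0
    while i < len(tokens):
        opt = tokens[i]
        value = tokens[i + 1] if i + 1 < len(tokens) else None
        if opt == "-A":
            rule["chain"] = value
        elif opt == "-s":
            rule["src"] = value
        elif opt == "-p":
            rule["proto"] = value
        elif opt == "--dport":
            rule["dport"] = int(value)
        elif opt == "-j":
            rule["action"] = value
        else:
            i += 1          # unknown token; skip just that token
            continue
        i += 2
    return rule


def rule_key(rule: dict) -> RuleKey:
    return (rule["chain"], rule["src"], rule["proto"], rule["dport"], rule["action"])


def is_internal(src: str) -> bool:
    net = ipaddress.ip_network(src, strict=False)
    return any(net.subnet_of(private) for private in RFC1918)


def _ruleset(lines: List[str]) -> Dict[RuleKey, dict]:
    # Lines such as "*filter" or "COMMIT" produce no chain and are ignored.
    rules = [parse_rule(l) for l in lines]
    return {rule_key(r): r for r in rules if r["chain"]}


def audit(actual_lines: List[str], expected_lines: List[str]) -> Dict[str, list]:
    """Diff the live ruleset against the approved policy and flag risky services exposed externally."""
    actual = _ruleset(actual_lines)
    expected_keys = set(_ruleset(expected_lines))
    actual_keys = set(actual)
    exposed = []
    for rule in actual.values():
        if rule["action"] != "ACCEPT" or rule["dport"] not in RISKY_SERVICES:
            continue
        if not is_internal(rule["src"]):
            exposed.append((rule["dport"], RISKY_SERVICES[rule["dport"]], rule["src"]))
    return {
        "missing": sorted(expected_keys - actual_keys, key=str),     # policy says yes, firewall says no
        "unexpected": sorted(actual_keys - expected_keys, key=str),  # drift: rules nobody approved
        "exposed_services": sorted(exposed),
    }


# --- Constructed rulesets for the example (not from any real firewall). ---
EXPECTED_POLICY = [
    "*filter",
    "-A INPUT -p tcp --dport 443 -j ACCEPT",
    "-A INPUT -s 10.0.0.0/8 -p tcp --dport 22 -j ACCEPT",
    "-A INPUT -j DROP",
    "COMMIT",
]
ACTUAL_RULES = [
    "*filter",
    "-A INPUT -p tcp --dport 443 -j ACCEPT",
    "-A INPUT -p tcp --dport 22 -j ACCEPT",                      # drift: SSH now open to any source
    "-A INPUT -p tcp --dport 445 -j ACCEPT",                     # file sharing exposed to the internet
    "-A INPUT -s 192.168.1.0/24 -p tcp --dport 631 -j ACCEPT",   # printing, internal only
    "-A INPUT -j DROP",
    "COMMIT",
]

if __name__ == "__main__":
    for section, items in audit(ACTUAL_RULES, EXPECTED_POLICY).items():
        print(section, items)
```

The comparison is set-based, so it reports added and removed rules but not reordering; since iptables evaluates rules in order, a production check would also compare rule positions, and would verify the result against live behaviour (the second method in phase 6) rather than trusting the configuration dump alone.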
Tools to perform a firewall penetration test
Firewall testing confirms that your hardware firewall is actually protecting your network. Firewall testing software can be either proprietary or brand-specific. Because these tools are offered by vendors, customers must contact their firewall provider if they require them. The firewall testing checklists for these proprietary systems focus on efficacy and look at specific elements such as antimalware, application identification and intrusion prevention. Firewall testing utilities, on the other hand, are freely available online. Here are several examples:
Nmap (Network Mapper) is a free open-source network discovery and security auditing tool that has earned the trust of many system and network administrators over the years. Nmap users have found it useful for tasks such as network inventory, service update management, and monitoring service uptime. Nmap uses raw IP packets to identify network hosts, the applications they deliver, their operating systems, active firewalls, and a range of other details. Nmap may be used on both single hosts and large networks.
One of the best open-source security scanning applications, Nessus, not only inspects a host’s firewall but also finds known application-based vulnerabilities. Users prefer Nessus for scheduled or periodic scans, which may be done weekly or monthly. The utility automatically updates its plugins, providing users with real-time information on emerging risks and vulnerabilities.
Wireshark, the world's most popular network protocol analyzer, lets you see what is happening in your network at the packet level. Many for-profit and non-profit organisations, as well as government bodies and educational institutions, regard the utility as a benchmark. Among its features are deep protocol inspection, live capture and offline analysis, multi-platform compatibility, broad VoIP analysis, live data readability across any network, and decryption support for many protocols.
Netcat is a free networking program that reads and writes data across network connections using the TCP/IP protocol. Other applications and scripts can use this reliable backend tool directly. Netcat supports outbound and inbound connections to and from any port, tunnelling mode, built-in port-scanning capabilities with a randomizer, buffered send mode, hexdump of sent and received data, and an optional RFC 854 telnet codes parser and responder.
Connie has been working within the cyber security industry for almost 10 years now, specialising in penetration testing or more specifically web application pen testing. She believes that everyone online should have access to this information and strives to provide people with the knowledge they need to begin within the industry and for others to stay safe online.