Test your firewalls for behavior problems

The venerable firewall serves several purposes, including network perimeter defense and network segmentation. We all rely on these devices to keep the bad guys off the network and to stop compromised systems from connecting back to an attacker's system across the Internet. But when was the last time you tested whether your firewalls actually behave the way you believe you configured them to?

The most conscientious engineer will plan, configure, and then double-check his or her work. However, nobody's perfect. Further, the changing nature of a business network might result in configuration drift. In other words, minor tweaks over time to make new or updated solutions work -- or work better -- might weaken the original defense presented by your firewalls. Testing new configurations, and occasional testing of existing configurations, should be included in any organization's security program.

There are two basic ways to test. The first is to install testing tools on a laptop and conduct point or data path tests, including:

  • Looking for the illegal or unwanted transmission of data between a system connected to the internal network and a device somewhere on the Internet.
  • Checking to see if packets characteristic of known exploits or network fingerprinting activities are allowed to pass.
  • Checking to see if packets destined for restricted network segments are blocked/passed as expected.

Additional tests should be defined based on the expected behavior of the firewall or data path. This requires a thorough understanding of how traffic is supposed to flow under one or more firewall configurations. A list of firewall testing tools is available in an April 24 post at
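One way to turn the three checks above into a repeatable test is to write the expected behavior down as a matrix (destination, port, allow or block) and compare it against what a probe from the testing laptop actually observes. The script below is an added example, not code from the article or any tool it names; the network addresses, segment names and policy rows are constructed for a hypothetical network, and `tcp_probe`, `evaluate` and `run_offline` are names chosen here. It generalizes the bullets slightly: the same matrix covers inbound, outbound and inter-segment paths, and a mismatch is classified by what it means to a defender (an unexpectedly open path is an exposure, an unexpectedly blocked one is an outage) rather than as a bare pass/fail.

```python
"""Firewall behaviour test matrix (added example, not from the original article).

Each row states what the firewall policy says should happen for one path.
A probe function reports what actually happens; evaluate() compares the two.
"""
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List

Probe = Callable[[str, int], bool]   # (host, port) -> True if reachable


@dataclass(frozen=True)
class Expectation:
    """One row of the test matrix: what the policy says should happen."""
    name: str
    dst_host: str
    dst_port: int
    expect_open: bool   # True: policy permits this path; False: policy must block it


def tcp_probe(host: str, port: int, timeout: float = 2.0) -> bool:
    """Live probe: True if a TCP handshake completes from the testing laptop.

    Run this from the segment whose view of the firewall you want to test
    (the article's point about where you connect the testing device).
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def evaluate(matrix: List[Expectation], probe: Probe) -> Dict[str, List[str]]:
    """Compare observed reachability against each expectation.

    Buckets:
      ok        - the firewall behaves as configured
      exposure  - policy says block, but the path is open (segmentation failure)
      outage    - policy says allow, but the path is blocked (functional break)
    """
    report: Dict[str, List[str]] = {"ok": [], "exposure": [], "outage": []}
    for row in matrix:
        observed_open = probe(row.dst_host, row.dst_port)
        target = f"{row.name} ({row.dst_host}:{row.dst_port}/tcp)"
        if observed_open == row.expect_open:
            report["ok"].append(target)
        elif observed_open:
            report["exposure"].append(target)
        else:
            report["outage"].append(target)
    return report


# Constructed test matrix for a hypothetical network (RFC 5737 documentation
# ranges and RFC 1918 space). Replace with your own segments and policy.
MATRIX = [
    Expectation("web tier from user LAN",     "192.0.2.10",     443, True),
    Expectation("db tier from user LAN",      "10.10.20.5",    5432, False),
    Expectation("mgmt SSH from user LAN",     "10.10.99.1",      22, False),
    Expectation("outbound SMTP to Internet",  "198.51.100.25",   25, False),
    Expectation("outbound HTTPS to Internet", "198.51.100.80",  443, True),
]

# Constructed observations standing in for live probe results so the example
# runs offline. Two rows deliberately show configuration drift.
CONSTRUCTED_OBSERVATIONS = {
    ("192.0.2.10", 443): True,
    ("10.10.20.5", 5432): True,     # drift: database port reachable from user LAN
    ("10.10.99.1", 22): False,
    ("198.51.100.25", 25): False,
    ("198.51.100.80", 443): False,  # drift the other way: permitted egress is broken
}


def offline_probe(host: str, port: int) -> bool:
    """Stand-in probe that replays the constructed observations."""
    return CONSTRUCTED_OBSERVATIONS.get((host, port), False)


def run_offline() -> Dict[str, List[str]]:
    """Evaluate the constructed matrix against the constructed observations."""
    return evaluate(MATRIX, offline_probe)


if __name__ == "__main__":
    # Swap offline_probe for tcp_probe to test a real firewall from this host.
    for bucket, rows in run_offline().items():
        for row in rows:
            print(f"[{bucket.upper():8}] {row}")
```

Keep the matrix in version control next to the firewall configuration and re-run it after every rule change; the `exposure` bucket is the one that should page someone, while `outage` entries are the tweaks-over-time drift the article warns about, caught before a user reports them.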

The second way to test is the use of online vulnerability testing sites. This is a great method if you're simply testing your protection from external threats. One of the best is located at You can use this online utility, called Shields Up, to check Internet access to all or selected ports on the test machine. Assuming no local software firewall is running on the endpoint device used for testing, this is a good way to validate the configuration of one or all firewalls between a user and the Internet -- depending on where you connect the testing device.

It doesn't matter what approach you take to verify configuration effectiveness. All that really matters is making sure you actually test the expected behavior of your firewalls. This takes "assumption of defense" off the table.


Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be publish...


Opening and closing ports in either direction is the basic function of a firewall. Port 80 is just as dangerous as port TCP/514. What IS required is Stateful Packet Inspection, and if you want to go further then you need an Application Layer Gateway to filter stuff passed through Port 80 and Ports 20-21 TCP/UDP that you do not want.

Most new good ADSL modems will offer SPI, but do your research and choose well. If it's cheap there is a reason for this. One of the first warnings about modems, indeed any hardware, is the company's public release of BETA firmware. Unless you are a tester of hardware devices, the use of BETA firmware in a production environment is just suicidal, and there is no logic nor reason why any company should release BETA firmware to the public. If a hardware company does do this -- this is a very, very good reason not to buy their hardware. If a company needs to use the community to further test its firmware for them, then you should not be paying them for the privilege of being a test subject.

Other firewalls just look solely at an application's desire to get out or in. With a click you could open ALL ports to the application requesting access -- and this type of firewall is perhaps the easiest to use but offers the least protection. If your firewall put a message on the screen that SVCHOST.EXE needs complete access, would you know what this process does and would you permit it? To correctly administer a home PC with one of the most popular firewalls set at its highest level you DO need to know something about TCP and UDP ports, and you should download a copy of Internet port numbers from the Internet. One of the easiest can be found at and professionals should have a copy of You also need to have an understanding of what every process running in your task manager does and whether you grant it access to the Internet. It's hard, very hard.

An SPI-enabled hardware device, by and large, needs no special attention; however, if you do have knowledge of the TCP/IP protocols you can make deliberate rules for the SPI handling of port availability. As I said above, to be really safe you need to be able to filter Port 80 and Ports 20-21 traffic in both directions with an ALG module. These modules, found in upmarket hardware network device protection, can filter out any ActiveX, VBScript, Flash etc. from your HTTP/FTP traffic. If nothing else makes sense, this is even more reason to learn about the Internet if security is a concern and you have sensitive data on any PC. In the year 2006 over 200,000 people lost their identity, including credit card numbers, bank accounts etc., in the United States because of Internet fraud hacking. Internet fraud hacking is becoming as organised as organised crime, and telling yourself it does not or will not happen to me is like taking 1,000 tickets in the lottery. Time is well up on the vendors of software firewalls to start providing tutorials on how to protect you when you purchase their protection, and it's well overdue. If nothing still makes sense then just follow the principle that security starts at the plug in the wall and ends at the desktop -- not the other way around. It's time to enter the Internet security field and start to learn.

1 Tip. If you are a home user of MS products and DO NOT use MSN, Internet chat or IRC, you can safely block the following ports: TCP/UDP 137-139, TCP/UDP 322, 349, 445, 507, 522, TCP/514, TCP/UDP 568-569, 593, 1024-65535. Leave Ports 137-139 alone if you have a small workgroup network.
