The venerable firewall is used for several purposes, including network perimeter defense and network segmentation. We all rely on the effectiveness of these devices to prevent the bad guys from getting onto the network and from compromised systems connecting with an attacker's system across the Internet. But when was the last time you conducted a test to see if your firewalls are behaving the way you believe you configured them to behave?
The most conscientious engineer will plan, configure, and then double-check his or her work. However, nobody's perfect. Further, the changing nature of a business network might result in configuration drift. In other words, minor tweaks over time to make new or updated solutions work -- or work better -- might weaken the original defense presented by your firewalls. Testing new configurations, and occasional testing of existing configurations, should be included in any organization's security program.
There are two basic ways to test. The first is to install testing tools on a laptop and conduct point or data path tests, including:
- Looking for the illegal or unwanted transmission of data between a system connected to the internal network and a device somewhere on the Internet.
- Checking to see if packets characteristic of known exploits or network fingerprinting activities are allowed to pass.
- Checking to see if packets destined for restricted network segments are blocked/passed as expected.
Additional tests should be defined based on the firewall or data path's expected behavior. This requires a thorough understanding of how traffic is supposed to flow based on one or more firewall configurations. A list of firewall testing tools is available in an April 24 post at Security-Hacks.com.
The second way to test is the use of online vulnerability testing sites. This is a great method if you're simply testing your protection from external threats. One of the best is located at grc.com. You can use this online utility, called Shields Up, to check Internet access to all or selected ports on the test machine. Assuming no local software firewall is running on the endpoint device used for testing, this is a good way to validate the configuration of one or all firewalls between a user and the Internet -- depending on where you connect the testing device.
It doesn't matter what approach you take to verify configuration effectiveness. All that really matters is making sure you actually test the expected behavior of your firewalls. This takes "assumption of defense" off the table.