Firewall testing can be a hassle, particularly in environments with multiple devices possessing multiple interfaces.
Industry consultants, however, recommend that IT managers step up to this ounce of prevention. Wayne Haber, director of architecture at SecureWorks Inc., a managed security services provider, advised testing firewalls at least once per month and after any major change. Jonathan Glass, senior systems administrator at SecureWorks, also recommended adding firewall testing to the firewall change management process.
A battery of tests may be in order to make sure firewalls serve their purpose. This testing can prove time-consuming and labor-intensive, but a number of automated tools — both open-source and commercial — aim to ease the burden.
Here's the run down on tests and the tools that support them.
Firewall rule sets can get messy in complex deployments. Over time, rule sets may fall out of step with security policy. Unused rules may proliferate.
A review of firewall rule sets addresses those and other issues. This check may turn up some low-hanging fruit, noted David Lawson, director of risk management at Acumen Solutions Inc., a business and technology consulting firm. He cited the example of an administrator who, when troubleshooting a newly installed application, puts in a rule that accepts all traffic and leaves it there.
"A lot of times we look at firewalls and we find some of those [firewall-negating rules] left in but disabled or left in and forgotten about," Lawson said.
Ron Ritchey, a principal with strategy and technology consultant Booz Allen Hamilton, said rule set analysis can also catch inconsistencies among firewalls. For example, an organization's filtering policy may be to block Windows networking ports at the perimeter. In a zone network architecture, administrators may leave TCP ports 135, 139 and 445, as well as UDP port 138, open on the local firewall, thinking the perimeter device has it covered. A reversal of the perimeter policy, however, would introduce vulnerabilities downstream.
Ritchey said the Windows networking case serves as "an example of something that people often block at the perimeter of their network and then do not enforce inside the network."
Ritchey also stated that no one sets out to develop insecure rule sets, but they may evolve that way over time.
As for tools that automate analysis, Lawson said his company uses tools written and developed in-house, as well as products developed by others.
Commercial products that may be used for firewall analysis and auditing include tools such as AlgoSec's Firewall Analyzer , RedSeal Systems' Security Risk Manager and Skybox Security's Firewall Compliance Auditor .
IT managers should also consider the security of the firewall itself, consultants say.
Haber said vulnerability scanners such as Tenable Network Security's Nessus 3 can handle that job, as can earlier open-source versions of Nessus. SecureWorks also cited IBM Internet Scanner (formerly ISS Internet Scanner) and eEye Digital Security's Retina scanner as options.
The task here is to determine whether a firewall has a weak password and to check for known vulnerabilities, Glass said.
A number of open-source offerings also contribute to firewall testing. Network Mapper, or Nmap , lets administrators scan through a firewall in different ways, identifying open ports, Haber noted. Glass also cited hping , a TCP/IP packet assembler and analyzer that may be used in firewall testing and port scanning. (For more, see also the IT Security Vulnerability Scanning Resource Center .)
Glass called hping "a very capable tool" that can be used in a range of network-troubleshooting roles. It also offers the ability to craft raw packets that "could allow you to try spoofing-type attacks, especially if the firewall is strictly a port-filter and doesn't pay any attention to session management," Glass added.
Another test involves determine what, if anything, can make it across the firewall. An IDS (intrusion-detection system) can serve as an alarm mechanism in a test. In addition, a packet sniffer can break apart packets "to see what's getting through," Lawson noted.
Wireshark (formerly Ethereal) provides one example. SecureWorks executives view Wireshark as useful for capturing and reviewing test packets.
Darknet , Network Telescope , and Internet Motion Sensor aren't traditional firewall-testing tools but may be used in that capacity. Glass said he's seen a Darknet, for example, used as an internal IDS and to verify firewall policy.
The Team Cymru Darknet Project Web site describes a Darknet as "a portion of routed, allocated IP space in which no active services or servers reside," apart from "packet vacuum" servers that collect the packets that flow into a Darknet.
"These boxes are essentially sniffers that record all the packets they see and write the relevant bits to a log file," Glass explained. "By analyzing/monitoring the log file for external IPs, you can verify that the firewall policy is blocking, or is not blocking, traffic you expect to have blocked."
Log analyzers provide another check on the firewall. Those tools aggregate log data from multiple firewalls and let organizations check for unusual activity, Haber said.
Examples in this tool class include Logsurfer , Webfwlog , and the WallFire project's wflogs . SecureWorks also cites Cisco Systems Inc's Monitoring, Analysis and Response System (MARS) as a security incident manager that keeps track of firewall permits and denies.
Firewall analysis can help IT managers optimize rule sets. Unused rules can be removed, for instance. A reduction in the total number of rules can ease the firewall's workload. The practice of moving up highly used rules, while maintaining the organization's security and risk posture, also increases performance, Lawson explained.
In addition to rule set analysis, performance tools such as Iperf can also play a role in firewall testing. Iperf is used to measure maximum TCP bandwidth. Testing the throughput of a firewall could be valuable, especially when trying to validate vendor claims, SecureWorks noted.
In the 1980s and 1990s, business applications and data were largely confined within and protected by a Local Area Network (LAN). The 2000s introduced a significant change. Download this white paper now to learn why the shift to the cloud is changing how companies think about and manage their IT infrastructure. more
Microsoft moved to the cloud in 2014, and, as a result, Office 365 is taking off. Now, Okta customers are connecting to Office 365 in increasing numbers. This eGuide explains why IT departments should plan and deploy solutions around identity and mobility management in concert with their Office 365 roll out to get maximum user adoption. more
For most companies, Active Directory (AD) or Lightweight Directory Access Protocol (LDAP) play a central role in coordinating identity and access management policies. When on-premise applications are integrated to Active Directory or LDAP, users get the best possible experience. That's why Okta's cloud-based identity and access management service provides a highly useful single integration point. more
With more and more businesses adopting Software-as-a-Service (SaaS) applications, enterprise IT is fundamentally changing. This whitepaper presents the eight biggest Identity and Access Management (IAM) challenges associated with adopting and deploying cloud and SaaS applications, and discusses best practices for addressing each of them. more