5 Firewall Tests and Supporting Tools

Updated: August 20, 2012

Firewall testing can be a hassle, particularly in environments with multiple devices possessing multiple interfaces.

Industry consultants, however, recommend that IT managers step up to this ounce of prevention. Wayne Haber, director of architecture at SecureWorks Inc., a managed security services provider, advised testing firewalls at least once per month and after any major change. Jonathan Glass, senior systems administrator at SecureWorks, also recommended adding firewall testing to the firewall change management process.

A battery of tests may be in order to make sure firewalls serve their purpose. This testing can prove time-consuming and labor-intensive, but a number of automated tools — both open-source and commercial — aim to ease the burden.

Here's the rundown on the tests and the tools that support them.

Rule Set Analysis

Firewall rule sets can get messy in complex deployments. Over time, rule sets may fall out of step with security policy. Unused rules may proliferate.

A review of firewall rule sets addresses those and other issues. This check may turn up some low-hanging fruit, noted David Lawson, director of risk management at Acumen Solutions Inc., a business and technology consulting firm. He cited the example of an administrator who, when troubleshooting a newly installed application, puts in a rule that accepts all traffic and leaves it there.

"A lot of times we look at firewalls and we find some of those [firewall-negating rules] left in but disabled or left in and forgotten about," Lawson said.

Ron Ritchey, a principal with strategy and technology consultant Booz Allen Hamilton, said rule set analysis can also catch inconsistencies among firewalls. For example, an organization's filtering policy may be to block Windows networking ports at the perimeter. In a zone network architecture, administrators may leave TCP ports 135, 139 and 445, as well as UDP port 138, open on the local firewall, thinking the perimeter device has it covered. A reversal of the perimeter policy, however, would introduce vulnerabilities downstream.

Ritchey said the Windows networking case serves as "an example of something that people often block at the perimeter of their network and then do not enforce inside the network."

Ritchey also stated that no one sets out to develop insecure rule sets, but they may evolve that way over time.
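The three rule-set problems described above (a forgotten accept-all rule, rules that can never fire, and ports blocked only at the perimeter) can be caught mechanically. The script below is an added illustration, not a tool from the article or from any vendor it names; it assumes a simplified first-match rule model, and the rule sets are constructed for the example.

```python
from typing import List, Optional, Tuple

# A rule is (action, protocol, destination port). Port None means any port and
# protocol "any" means any protocol; the first matching rule wins (assumed).
Rule = Tuple[str, str, Optional[int]]

# The Windows networking ports the article names as blocked at the perimeter.
WINDOWS_NETWORKING = [("tcp", 135), ("tcp", 139), ("tcp", 445), ("udp", 138)]


def covers(rule: Rule, proto: str, port: Optional[int]) -> bool:
    """True if rule matches every packet described by proto/port."""
    _, r_proto, r_port = rule
    return r_proto in ("any", proto) and (r_port is None or r_port == port)

def decide(rules: List[Rule], proto: str, port: int, default: str = "drop") -> str:
    """Action the rule set takes on a proto/port under first-match semantics."""
    for rule in rules:
        if covers(rule, proto, port):
            return rule[0]
    return default

def accept_all_rules(rules: List[Rule]) -> List[int]:
    """Indexes of rules that accept any protocol on any port."""
    return [i for i, r in enumerate(rules) if r == ("accept", "any", None)]

def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indexes of rules that never fire because an earlier rule already covers them."""
    return [i for i, (_, proto, port) in enumerate(rules)
            if any(covers(prev, proto, port) for prev in rules[:i])]

def perimeter_only_blocks(perimeter: List[Rule], internal: List[Rule]) -> List[Tuple[str, int]]:
    """Ports the perimeter drops but the internal firewall accepts: protection that
    disappears if the perimeter policy is ever reversed."""
    return [(p, n) for p, n in WINDOWS_NETWORKING
            if decide(perimeter, p, n) == "drop" and decide(internal, p, n) == "accept"]


# Constructed sample rule sets, not taken from any real device.
PERIMETER = [("drop", "tcp", 135), ("drop", "tcp", 139), ("drop", "tcp", 445),
             ("drop", "udp", 138), ("accept", "tcp", 443)]
INTERNAL = [("accept", "any", None),   # troubleshooting rule that was never removed
            ("drop", "tcp", 445)]      # unreachable: shadowed by the rule above

if __name__ == "__main__":
    print("accept-all rules:", accept_all_rules(INTERNAL))
    print("shadowed rules:", shadowed_rules(INTERNAL))
    print("perimeter-only blocks:", perimeter_only_blocks(PERIMETER, INTERNAL))
```

Real devices add source addresses, interfaces and zones to each rule, so a production check needs a richer matcher, but the same first-match reasoning applies.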

As for tools that automate analysis, Lawson said his company uses tools written and developed in-house, as well as products developed by others.

Commercial products that may be used for firewall analysis and auditing include tools such as AlgoSec's Firewall Analyzer, RedSeal Systems' Security Risk Manager and Skybox Security's Firewall Compliance Auditor.

Vulnerability Scan

IT managers should also consider the security of the firewall itself, consultants say.

Haber said vulnerability scanners such as Tenable Network Security's Nessus 3 can handle that job, as can earlier open-source versions of Nessus. SecureWorks also cited IBM Internet Scanner (formerly ISS Internet Scanner) and eEye Digital Security's Retina scanner as options.

The task here is to determine whether a firewall has a weak password and to check for known vulnerabilities, Glass said.

A number of open-source offerings also contribute to firewall testing. Network Mapper, or Nmap, lets administrators scan through a firewall in different ways, identifying open ports, Haber noted. Glass also cited hping, a TCP/IP packet assembler and analyzer that may be used in firewall testing and port scanning. (For more, see also the IT Security Vulnerability Scanning Resource Center.)

Glass called hping "a very capable tool" that can be used in a range of network-troubleshooting roles. It also offers the ability to craft raw packets that "could allow you to try spoofing-type attacks, especially if the firewall is strictly a port-filter and doesn't pay any attention to session management," Glass added.

Packet Sniffing

Another test involves determining what, if anything, can make it across the firewall. An IDS (intrusion-detection system) can serve as an alarm mechanism in a test. In addition, a packet sniffer can break apart packets "to see what's getting through," Lawson noted.

Wireshark (formerly Ethereal) provides one example. SecureWorks executives view Wireshark as useful for capturing and reviewing test packets.

Darknet, Network Telescope, and Internet Motion Sensor aren't traditional firewall-testing tools but may be used in that capacity. Glass said he's seen a Darknet, for example, used as an internal IDS and to verify firewall policy.

The Team Cymru Darknet Project Web site describes a Darknet as "a portion of routed, allocated IP space in which no active services or servers reside," apart from "packet vacuum" servers that collect the packets that flow into a Darknet.

"These boxes are essentially sniffers that record all the packets they see and write the relevant bits to a log file," Glass explained. "By analyzing/monitoring the log file for external IPs, you can verify that the firewall policy is blocking, or is not blocking, traffic you expect to have blocked."
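The darknet check Glass describes, reduced to code: read the packet-vacuum log, pick out external source addresses, and flag any that reached the darknet on traffic the perimeter should have blocked. This is an added example, not the Team Cymru project's or SecureWorks' code; the log format, the internal prefixes and the expected-blocked policy are all assumptions, and the log lines are constructed.

```python
import ipaddress
from collections import Counter
from typing import List

# Address space treated as internal (assumed); anything else counts as external.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Traffic the perimeter is expected to block from outside: an assumed policy built
# from the Windows networking ports the article names.
EXPECTED_BLOCKED = {("tcp", 135), ("tcp", 139), ("tcp", 445), ("udp", 138)}

# Constructed packet-vacuum log, one packet per line: time src dst proto dst_port.
SAMPLE_LOG = """\
2012-08-20T10:00:01 203.0.113.7 10.200.1.15 tcp 445
2012-08-20T10:00:02 10.0.5.9 10.200.1.20 tcp 445
2012-08-20T10:00:03 198.51.100.23 10.200.1.15 tcp 22
2012-08-20T10:00:04 203.0.113.7 10.200.1.33 udp 138
2012-08-20T10:00:05 198.51.100.23 10.200.1.15 tcp 445
"""


def is_external(ip: str) -> bool:
    """True if the address falls outside every internal prefix."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def parse_log(log: str) -> List[tuple]:
    """Return (time, src, dst, proto, dst_port) tuples, skipping malformed lines."""
    packets = []
    for line in log.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        ts, src, dst, proto, port = fields
        packets.append((ts, src, dst, proto.lower(), int(port)))
    return packets

def external_sources(log: str) -> Counter:
    """Every external source seen; each one reached the darknet through the perimeter."""
    return Counter(p[1] for p in parse_log(log) if is_external(p[1]))

def policy_violations(log: str) -> Counter:
    """External packets on traffic the perimeter should have blocked, per (src, proto, port)."""
    hits = Counter()
    for _, src, _, proto, port in parse_log(log):
        if is_external(src) and (proto, port) in EXPECTED_BLOCKED:
            hits[(src, proto, port)] += 1
    return hits
```

Anything returned by policy_violations is direct evidence that the perimeter rule is not doing what the policy says; an empty result only shows that nothing was observed during the capture window.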

Log Analysis

Log analyzers provide another check on the firewall. Those tools aggregate log data from multiple firewalls and let organizations check for unusual activity, Haber said.

Examples in this tool class include Logsurfer, Webfwlog, and the WallFire project's wflogs. SecureWorks also cites Cisco Systems Inc.'s Monitoring, Analysis and Response System (MARS) as a security incident manager that keeps track of firewall permits and denies.

Performance Testing

Firewall analysis can help IT managers optimize rule sets. Unused rules can be removed, for instance. A reduction in the total number of rules can ease the firewall's workload. The practice of moving up highly used rules, while maintaining the organization's security and risk posture, also increases performance, Lawson explained.

In addition to rule set analysis, performance tools such as Iperf can also play a role in firewall testing. Iperf is used to measure maximum TCP bandwidth. Testing the throughput of a firewall could be valuable, especially when trying to validate vendor claims, SecureWorks noted.
