How to conduct firewall testing and analyze test results

A misconfigured firewall can wreak havoc throughout your organization. Firewall testing to ensure rules are written correctly and that any changes are validated is critical.

There's nothing quite so humbling as blocking your own network communications. Misconfigured firewall rules can stop legitimate traffic between network segments or the internal network and the internet. That's why firewall testing is so important.

Administrators often isolate servers on specific subnets, relying on routers to direct traffic to them correctly. The packet filters and firewall rules on these devices can get complex quickly, leading to mistakes that affect users and services.

Problems include the following:

  • Workstations cannot connect to servers for user tasks such as email, file access or printing.
  • Workstations cannot use services like name resolution or web access.
  • Servers cannot replicate data.
  • Admin workstations cannot connect to servers using SSH for remote management.
  • Automation tools fail to reach specific devices.

What is a firewall?

Firewalls are network security devices that use preset rules to permit or deny network traffic. You must identify the types of services on one side of the firewall and recognize the clients on the other side that might need access. You can control the flow of traffic inbound and outbound through the interfaces in the router or server firewall. These configurations should match the legitimate types of traffic expected and block any other traffic.

Firewalls are often placed in the following locations:

  • Network firewalls control the flow of traffic in and out of network segments, helping to isolate traffic.
  • Host firewalls control the flow of traffic in and out of individual devices. Each workstation and server probably has its own firewall.

What is firewall testing?

Firewall testing is a crucial step of configuration management and should be integrated into any changes to firewall settings. It's important to ensure inadvertent firewall changes aren't made while adding or removing services or devices. Editing firewall rules must be done carefully.

Remember the following general tips:

  • Firewall rules are processed in order.
  • The first rule that matches a given communication is applied, and additional rules are ignored.
  • Most firewalls include a default "deny all" rule that blocks all traffic.
  • The default "deny all" rule applies last.

Firewall rule lists can become overly complex. It's important to pay attention to the order in which the rules are listed to make sure you know what traffic the firewall blocks. To display the rules from the command line on Linux and Windows, use the following methods:

  • Red Hat and similar Linux distributions: sudo firewall-cmd --list-all.
  • Debian and similar Linux distributions: sudo ufw status verbose.
  • Windows: Get-NetFirewallRule.

Specialized security tools can also confirm and test firewall configurations to ensure network connections work as designed.

How to test firewalls

Organizations can choose among a number of tools to validate their firewall configurations. Use a combination of these approaches for the most comprehensive tests. Begin with simple connectivity before integrating more complex utilities.

The following list starts with the simpler tools:

  • Manual connectivity test. Manually check connections between devices using protocols you configured the firewall to allow. For example, can you successfully connect to a web server behind the firewall using HTTP and HTTPS or manage a server using SSH?
  • Packet trace. Use the traceroute command -- tracert on Windows -- to check the path packets take through your network. Note that firewalls must pass Internet Control Message Protocol packets for this to succeed.
  • Port scans. Check the firewall's configuration using port scanning utilities. Does it match your expected results? Tools like Nmap and Angry IP Scanner are good places to start.
  • Penetration testing tools. Many pen testing suites check firewall configurations to verify settings.

Those who prefer a more formal testing structure should consider the following approaches to verify firewall configurations:

  • Functionality test. Do your firewalls accomplish basic tasks, including packet filtering, logging and alerting, if available?
  • Performance test. Do your firewalls support the anticipated levels of network traffic? Use network testing tools to simulate high utilization.
  • Compliance test. Does your firewall configuration satisfy industry-standard compliance requirements? Check guidelines such as NIST Special Publication 800-41 Revision 1, Guidelines on Firewalls and Firewall Policy.

What do you do with the test results?

Your tests are now complete, and you have notes from the results. Now what?

Return to your requirements list. What protocols should be allowed? Remember, everything you want to pass through the firewall should be explicitly listed, and the default "deny all" rule blocks all others.

Does the firewall permit the protocols you need it to? If it doesn't, confirm "allow" rules exist for any blocked protocols you want the firewall to pass. Next, check the order of the rules to ensure a rule that blocks the protocol isn't applied before the rule that allows it.

Two checks usually address most firewall configuration problems:

  1. Does a rule explicitly permitting the protocol exist?
  2. Does a rule blocking the protocol process before the explicit permit rule?
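As an added illustration of the two checks above and the ordering tips earlier on the page (example code, not part of the original article), this Python script models an ordered rule list with first-match semantics and a trailing default deny, then reports for a given flow whether it is allowed, blocked because no explicit allow rule exists, or blocked because an earlier deny rule shadows the allow. The rule set, subnets and ports are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    proto: str           # "tcp", "udp" or "any"
    port: Optional[int]  # None matches any port
    src: str             # source network in CIDR form; "0.0.0.0/0" matches everything


def _matches(rule: Rule, proto: str, port: int, src: str) -> bool:
    """True when a flow (proto, port, source address) falls within the rule."""
    return (rule.proto in ("any", proto)
            and (rule.port is None or rule.port == port)
            and ipaddress.ip_address(src) in ipaddress.ip_network(rule.src))


def first_match(rules: List[Rule], proto: str, port: int, src: str) -> Optional[Tuple[int, Rule]]:
    """Walk the list in order and return (index, rule) of the first match.
    None means nothing matched, so the implicit 'deny all' at the end applies."""
    for idx, rule in enumerate(rules):
        if _matches(rule, proto, port, src):
            return idx, rule
    return None


def diagnose(rules: List[Rule], proto: str, port: int, src: str) -> str:
    """Apply the two checks: does an allow rule exist, and is it shadowed by an earlier deny?"""
    hit = first_match(rules, proto, port, src)
    if hit is not None and hit[1].action == "allow":
        return f"allowed by rule {hit[0]}"
    permits = [i for i, r in enumerate(rules)
               if r.action == "allow" and _matches(r, proto, port, src)]
    if not permits:
        return "blocked: no explicit allow rule exists (default deny applies)"
    # hit cannot be None here: a matching allow rule would itself have been a hit
    return f"blocked: deny rule {hit[0]} is processed before allow rule {permits[0]}"


# Constructed sample rule set: the blanket SSH deny sits above the admin-subnet allow
RULES = [
    Rule("deny", "tcp", 22, "0.0.0.0/0"),
    Rule("allow", "tcp", 22, "10.0.10.0/24"),   # shadowed by rule 0
    Rule("allow", "tcp", 443, "0.0.0.0/0"),
    Rule("allow", "udp", 53, "10.0.0.0/8"),
]

if __name__ == "__main__":
    for flow in [("tcp", 443, "192.0.2.10"), ("tcp", 22, "10.0.10.5"), ("tcp", 25, "10.0.10.5")]:
        print(flow, "->", diagnose(RULES, *flow))
```

Swapping rules 0 and 1 in the sample list (or narrowing the deny) makes the admin-subnet SSH flow pass, which is exactly the reordering the second check points to.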

Once you resolve the test results, document the firewall's configuration. Consider backing up the firewall rules at the same time so you can migrate them to another device or restore them later, if necessary.

Finally, establish a test plan to confirm the firewall functions as expected. You can also use this test as part of network troubleshooting in the future if you're ever concerned the firewall is blocking traffic.

Additional testing and configuration practices

You can integrate a few other good practices into your firewall testing and troubleshooting methods. These approaches include careful control of changes and more efficient testing methods.

First, use the principle of least privilege to restrict administrative access to firewall settings. This helps establish that only those authorized can update firewall rules.

Next, integrate firewall updates into change management processes. For example, any server deployment procedure behind a firewall should include a step for updating the firewall to permit traffic to that server.

Use automated testing, where possible. It is usually faster and more consistent than manual testing. Tools such as Nmap permit extensive scripting.

Damon Garn owns Cogspinner Coaction and provides freelance IT writing and editing services. He has written multiple CompTIA study guides, including the Linux+, Cloud Essentials+ and Server+ guides, and contributes extensively to TechTarget Editorial, The New Stack and CompTIA Blogs.
