Recent security statistics reveal that cybercrime has become more diverse and widespread than ever before. The digitalization of the business world has brought about opportunities for organizations to thrive by reaching and serving a broader audience. 

However, it has also exposed organizations to increased vulnerabilities, necessitating the implementation of comprehensive policies and processes to ensure digital safety and security against malicious actors.

One of the primary defenses against cyber attacks is the firewall. Firewalls play a crucial role in protecting networks by acting as the initial line of defense. 

They are essential tools as they allow threat and penetration testers to simulate attacks, evaluating the security of their networks. In this article, we will delve into the topic of firewall security testing, encompassing the various tools, methods, and steps involved in conducting a thorough firewall penetration test.

Firewalls 101

Firewalls play a crucial role in safeguarding sensitive and valuable data by enforcing security measures. There are multiple types of firewalls, including hardware-based, software-based, and cloud-based firewalls. Their history traces back to the late 1980s when the need arose to protect networks from unauthorized access and malicious attacks. Initially, firewalls were implemented as hardware devices with basic filtering capabilities.

Over time, as the internet expanded and cyber threats evolved, firewall technology advanced as well. Modern firewalls encompass both hardware and software components. The firewall software inspects incoming and outgoing traffic on the external network or internet. It applies predefined rules, policies, and an access control list to filter and restrict any connections that do not meet its standards. Essentially, the firewall creates a boundary between trusted networks and potentially risky ones.

Typically, the primary firewall is positioned in the demilitarized zone (DMZ), a neutral area between the internal network and the external internet. Additional firewalls may be strategically placed closer to the business's intranet and/or their industrial supervisory control and data acquisition (SCADA) systems, further strengthening security.

Today, firewalls have evolved to incorporate advanced features such as deep packet inspection, intrusion detection and prevention systems, virtual private network (VPN) capabilities, and application-level filtering. 

They have become integral components of network security architectures, providing a critical layer of defense against cyber threats and unauthorized access attempts. 

Next Gen Firewalls Explained

Traditional firewall models have a limitation in that they lack the capability of engaging in stateful packet inspection. They primarily analyze the current traffic of a network based on IP addresses and packet port numbers, disregarding any historical context of previous traffic.

Next Generation Firewalls (NGFW) represent a significant advancement in this regard. NGFW introduces the ability to monitor all active connections and maintain awareness of their state. 

This enables dynamic packet filtering, taking into account the entire flow of a connection. As a result, NGFWs offer more comprehensive access determination and provide enhanced security measures. 

They go beyond the limitations of traditional firewalls by considering the context and history of network traffic, improving the ability to detect and prevent sophisticated cyber threats. 

NGFWs are designed to address the evolving landscape of network security and provide organizations with advanced capabilities to protect their sensitive data and assets. 

Firewall Guidelines

Firewalls necessitate the implementation of firewall guidelines to establish a framework of policies and rules for securing the network perimeter. These guidelines govern network traffic, determining what is allowed to flow through and what is blocked. The owning entity is responsible for configuring these policies and rules to align with their security requirements.

Additionally, the established rules and policies can be extended to other supplementary firewalls within the network. 

This allows for consistent enforcement of security measures throughout the network infrastructure.

To further enhance security, user roles and permissions can be integrated with an active directory system. This enables the implementation of role-specific access controls, ensuring that users have appropriate and authorized access to network resources based on their assigned roles.

Firewall guidelines serve as a crucial component in network security by defining the boundaries and regulations for network traffic.

They help organizations establish a secure network environment and protect valuable assets from unauthorized access or malicious activities. Compliance with firewall guidelines helps mitigate risks and ensures a controlled and protected network infrastructure. 

Tools For Firewall Penetration Testing

Before delving into the process of testing firewall security or firewall rules, it is essential to understand the necessary tools for conducting such tests.

The primary tool required for testing firewall security is a scanner. Scanners enable the collection of firewall responses by sending customized packets to the target system. These responses can then be analyzed to determine critical points, port states, versions and services in operation, as well as system vulnerabilities.

The commonly used scanners for firewall testing include:

1. Nmap: Nmap is a versatile and powerful network scanner that provides extensive capabilities for network exploration, port scanning, and service detection.
2. Hping and Hping2: Hping and Hping2 are command-line tools that allow for advanced packet crafting and sending. They can be utilized for various tasks, including firewall testing and network troubleshooting.
3. Netcat: Netcat, also known as "nc," is a networking utility that facilitates the connection and transfer of data between systems. It can be used for port scanning and establishing connections for firewall testing purposes.
4. Firewalk: Firewalk is a tool specifically designed for testing firewall policies. It allows for the determination of filter rules and potential weaknesses in firewall configurations.

In addition to these scanners, there are other tools that can be employed for specific tasks during firewall testing. For instance, Fpipe and Datapipe tools can be utilized for port redirection, while the HTTPort tool can assist with HTTP tunneling.

By leveraging these tools effectively, organizations can conduct thorough and comprehensive testing of firewall security to identify potential vulnerabilities and enhance their network defenses. 

How to Test Your Firewall Security in 12 Steps

1. Firewall Location

The initial step in testing a firewall involves locating the specific firewall that you intend to assess. 

To initiate the testing process, you can utilize packet crafting software of your choice to generate IP packets with TCP, UDP, or ICMP payloads.

Commonly employed tools for penetration testing include Hping and Nmap. 

It is important to note that both tools function similarly, with the distinction that Nmap allows scanning of a range of IP addresses while Hping is limited to scanning a single IP address at a time.

If a more aggressive scan is desired, Hping may be the preferred option as it mitigates the likelihood of abnormal activity being detected.

You will need to repeat the scanning process to create a comprehensive map of the allowed services list within the firewall. 

By performing thorough scans, you can identify potential vulnerabilities and gain insights into the firewall's configuration and permitted network services. 

2. Traceroute

Once you have successfully located the firewall, the next step involves running a tracert (traceroute) command against the firewall. 

This command helps you gather valuable information about the network range and obtain system-to-system routing details of the packets.

By executing the tracert command, you can determine the devices and routers involved in establishing a connection to the firewall. 

It provides insight into the path that packets take from your source system to the firewall, revealing the network hops and their corresponding IP addresses. 

This information allows you to understand the network infrastructure and identify any intermediate devices that traffic passes through.

Furthermore, the tracert command enables you to gain information about traffic filters implemented within the network.

It can highlight any potential restrictions or routing configurations that may impact the connectivity and protocols allowed through the firewall.

Overall, the tracert command assists in comprehending the network topology, understanding routing patterns, and uncovering relevant details regarding traffic filters, thereby aiding in the assessment of the firewall's configuration and its impact on network traffic. 

3. Port Scanning

Nmap is the preferred tool for conducting port scanning due to its extensive customization options. 

With Nmap, you can tailor your scans to specific types, timing parameters, and more, allowing for precise control over the scanning process. 

The tool provides results in various formats, ensuring flexibility and convenience in analyzing the scan output.

The primary objective of using Nmap for port scanning is to identify open ports and determine the services running on those ports. 

By conducting a thorough scan using Nmap, you can gain insights into the network's exposed ports and understand the services associated with each open port. 

This information is crucial for assessing the security posture of the network and identifying any potential vulnerabilities or misconfigurations that may exist.

With its robust feature set and customizable scanning capabilities, Nmap enables comprehensive port scanning that aids in network reconnaissance and helps in the identification of potential security risks. 

4. Banner Grabbing

This step tells you what version of firewall is being used, which you'll use later to locate potential compromising exploits within the firewall. 

Most people use Netcat to create the connection request, and custom-made packets used to scan the firewall will elicit different responses that can be used to determine what specific type of firewall you're attempting to bypass.

Use Nmap or Hping to attempt a plethora of variations of the scan, including different flags, protocols, and connection attributes, so that you can gather as much info as possible from the firewall's responses.

5. Access Control Enumeration

 The access control list of a firewall plays a crucial role in regulating the traffic allowed or denied to the internal network. At this stage, your primary source of information is the state of ports on the firewall, which can be determined by enumerating the access control list using the Nmap command: Nmap -sA x.x.x.x.

By executing this command, Nmap sends packets with the ACK flag raised to the first 1024 ports. The port status results returned by Nmap indicate the following:

1. Open ports are in a listening mode, indicating that they are actively accepting incoming connections.
2. Blocked ports appear in a filtered state, meaning that the firewall is actively blocking access to those ports. These ports are not responding to Nmap packets.
3. Closed, yet passable ports are in an unfiltered state, implying that the firewall is not actively blocking access to these ports, and they may be accessible for network traffic.

By analyzing the port status results obtained through Nmap scanning, you can gain insights into the accessibility and configuration of ports on the firewall. 

This information is valuable for understanding the network's security posture and assessing the effectiveness of the firewall's access control list in managing incoming and outgoing traffic.

6. Firewall Architecture

 Once the firewall ports have been identified, you will proceed to send carefully crafted packets to these ports in order to obtain a listing of their status. 

To accomplish this, you can utilize tools such as Hping, Nmap, or Hping2, which allow you to gather responses from the targeted ports and observe the firewall's reaction. This process helps in further mapping the open ports.

After conducting the scan, the firewall will respond with action packets that indicate how it handled the crafted packets. The different types of firewall responses and their corresponding implications are as follows:

1. If the firewall returns a SYN/ACK packet, it signifies that the port is in an open state. This indicates that the firewall accepted the connection attempt.
2. If the firewall returns a RST/ACK packet, it indicates that the firewall rejected the crafted packet. This suggests that the firewall actively refused the connection.
3. If the firewall returns an ICMP type 3 code 13 packet, it implies that the connection was blocked. This response indicates that the firewall prevented the connection from being established.
4. If there is no response from the firewall, it suggests that the crafted packet was dropped from a filtered port. This means that the firewall discarded the packet, providing no indication of the port's status.

By analyzing the responses received from the firewall, you can gain insights into the state of the targeted ports. 

This information helps in understanding the firewall's behavior and identifying open ports, rejected connections, blocked connections, and filtered ports.

7. Firewall Policy Testing

n this scenario, you have two available options. The first option is to identify potential gaps by comparing hard copies of the firewall policy configuration with the expected configuration. 

This involves reviewing the written policies and configurations documented for the firewall and comparing them with the intended or desired configuration. 

By examining any inconsistencies or variances between the two, you can identify potential gaps or deviations that may require attention or further investigation.

The second option is to take direct action on the firewall to confirm the expected configuration. This involves accessing the firewall's administrative interface or management console and examining the current settings and configurations directly on the device. 

By reviewing the firewall's actual configuration in real-time, you can verify whether it aligns with the expected or intended configuration. 

This approach allows for a more hands-on verification of the firewall's settings and provides a direct confirmation of the expected configuration.

Both options offer ways to assess the firewall's configuration and identify any discrepancies or gaps that may exist. 

The choice between the two approaches depends on the available documentation, the level of access and authority you have, and the specific requirements of the situation at hand.

8. Firewalking

In this step, you will perform network mapping of the devices located behind the firewall using a firewalk network auditing tool. This tool leverages the traceroute technique to analyze packets returned by the firewall. 

The devices situated behind the firewall play a critical role in determining two key aspects: A) identifying open ports and B) understanding the type of traffic allowed through these ports. 

This process involves advanced network mapping techniques that provide a visual representation of the network's topography.

To conduct this mapping, you will utilize specially crafted packets with specific Time-to-Live (TTL) values. By analyzing the responses received for these packets, you can draw valuable conclusions about the network setup. 

The analysis of the return packets is as follows:

1. If you receive "exceeded TTL" messages, it indicates that the packets reached devices with open ports. This suggests that the packets successfully passed through the firewall and reached the intended network devices, allowing you to identify the open ports on those devices.
2. If you receive no response for a packet, it signifies that the packet was filtered and the connection was blocked. This indicates that the firewall prevented the packet from reaching the desired network device. The absence of a response implies that the traffic was blocked, and the connection attempt was unsuccessful.

By interpreting the responses obtained from the firewalk tool, you can gain insights into the network's architecture, identify open ports on the devices behind the firewall, and determine the effectiveness of the firewall in allowing or blocking specific connections.

9. Port Redirection

Utilize this testing process to determine whether inaccessible ports can be indirectly accessed even after being denied regular access. 

By employing port redirection tools, you can bypass the firewall on compromised systems. 

This involves actively monitoring or sniffing specific port numbers. Subsequently, the traffic is redirected to the compromised machine, enabling indirect access to the previously inaccessible ports. 

10. External And Internal Testing

Externally, you will conduct research and attempt to exploit potential actions that an unauthorized outsider without proper access and permissions could employ to gain unauthorized entry into your system.

Internally, the penetration testing process resembles a vulnerability assessment, serving as an identification tool. However, it goes beyond identification by actively exploiting the identified vulnerabilities to assess the extent of potential data exposure.

While this step is highly recommended, it may not always be mandatory. Its purpose is to gather a more realistic understanding of how a malicious actor might initiate an attack and the potential consequences if they succeed.

If you choose to proceed with this step, you will analyze the received packets within the network after sending packets from outside the network. This analysis helps evaluate the effectiveness of internal security measures and provides insights into the potential impact of an internal breach. 

11. Covert Channel Testing

Hackers employ this particular channel for activities that enable them to secretly communicate with a system and extract sensitive information from a company. Typically, this channel is established using a backdoor on a compromised machine. 

Through this compromised machine, the hacker can utilize a reverse shell technique to establish a connection with an external machine, granting them covert access and control. 

12. HTTP Tunneling

By employing an HTTPort tool, you will send POST requests containing a hostname, port number, and path to the server. HTTP proxies can be circumvented, making the enabled "CONNECT" methods the only hurdle to overcome. 

If the "CONNECT" method is disabled, it is still possible, albeit very challenging, to bypass it using a remote host. 

However, if the "CONNECT HTTP" method is enabled, creating an HTTP tunnel becomes much simpler.

Identifying, Documenting and Reporting

The final steps involve identifying all vulnerabilities and thoroughly documenting your findings. 

In your documentation, it is important to include details such as what vulnerabilities were discovered, their specific locations, and how each testing method was executed. 

Merely knowing how to test firewall security is insufficient; it is crucial to report your findings and determine the most effective approaches to strengthen your firewalls, thereby keeping cybercriminals at bay.

For comprehensive cybersecurity management, which includes tracking and reporting vulnerabilities, I recommend exploring the Rivial Platform. 

This platform offers various features such as the one-click vulnerability assessment report, allowing you to generate detailed vulnerability assessments effortlessly. 

Additionally, you can create vulnerabilities that are linked to assessments and associated targets, enhancing your overall cybersecurity posture.