VESARiA Network Security Specialists
About Vesaria Services Consulting Partners Research Customers Contact Us

Firewall Testing

More Information


VESARiA Firewall Testing Methodology

Profiling the Firewall

    Ironically, the first stage in our firewall testing has nothing to do with the firewall itself.  Before we can test it, we need to build a profile of the network which the firewall is protecting.  This profile enables us to predict the firewall's configuration and associated weaknesses.

Our profile must answer the following questions:

  • How many machines are behind the firewall?
  • What are they used for?
  • What type of access to the Internet at large do they require?
  • How is the network divided up?
    The answers to these questions help us predict the firewall's weaknesses.  Our null hypothesis is that firewalls are normally set up in the simplest configuration that allows their network to function.  This configuration, however, is not necessarily secure.

    Using DNS records, registrar databases, public web and mailing list searches, and other information, we try to identify every publicly accessible machine behind the firewall.   We also use numerous probing methods (such as ICMP Echo sweeps, TCP SYN scans, LAN broadcast addresses, and more), to directly enumerate and fingerprint the private areas of the network.   Our profile identifies every machine that we find, and classifies it into one of the following categories:

  • Public Server - a server, like a web or mail server, that must be accessible to anyone on the Internet.
  • Restricted Server - a server, like a Citrix or telnet server, that must be accessible to certain people on the Internet.
  • Internal Server - a server that should only be accessible to the internal network.
  • Internal PC - a PC that should be allowed outgoing access to the Internet.
   We also identify and fingerprint the firewall itself, providing invaluable information as to its operation and configuration.  We research - using vendor information as well as our own database - the firewall's limitations and vulnerability history.  With all this information in hand, we build a flaw hypothesis model, showing the points of weakness most likely to be vulnerable to successful attack.

Flaw Hypothesis Testing

    We then engage in extensive firewall testing, using our flaw hypothesis model as a guide.  Besides leveraging the standard tools of port scanning, such as source and destination port manipulation, we make use of advanced techniques, such as packet header manipulation and ICMP error message analysis.


    Many advanced firewalls in use today employ antiscanning countermeasures.  For instance, an intelligent firewall may detect that a host is attempting to transmit too much forbidden traffic; the firewall may then label that host as untrusted and deny all traffic from it.  While these countermeasures are useful in foiling attackers, they can result in false negatives in the firewall testing as well.  Our testing methodology handles these countermeasures effectively, using such means as time lapse probing, IPID observation (also known as idle scanning), and packet-by-packet analysis to get a true picture of the firewall.

Advanced Subversion Techniques

    Advanced hacker's have built up an arsenal of techniques to get past even tightly configured firewalls.  In order to win this arms race, firewall testing must make use of those same techniques. Where warranted, we apply such techniques as:

  • Packet Fragmentation
  • Packet Masquerading
  • Header Manipulation
  • Source Address Spoofing
  • ICMP Probing & Analysis

Firewall Specific Vulnerabilities

    Even the best firewalls, such as Checkpoint Firewall-1 and Cisco PIX, have errors in their design.  At the time of this writing, Checkpoint has issued alerts to over ten vulnerabilities in Firewall-1, and Cisco has issued a similar list of vulnerabilities in PIX and IOS Firewalls.  We research and test for these vulnerabilities.

Remote Administrative Access

    Another potential point-of-weakness is the administrative interface of the firewall.  We make sure it is properly secured, using encryption, authentication mechanisms, and access control. We test to see if it is vulnerable to brute force password attacks.   In addition, we make sure that their are no other services running on the firewall that might present security weaknesses.

To sign up for VESARiA Firewall Testing, or to find out more, continue here, or call us now at (443) - 501 - 4044.

Vesaria, LLC

© 2000 - 2018 Vesaria Network Security Specialists        
   About Vesaria   |   Legal   |   Privacy   |   Contact