How to test a firewall

How do I test a firewall? The tests here refer to black-box testing designed to compare different firewall products.

The author thinks that the security function of the firewall should be put in the first place, and the performance of the product under the condition of starting a security guard is investigated. Why do you say that? On the one hand, the firewall is the first security products, the protection of the enterprise network it should be with the times (those 3 years ago only work in the network layer of the state detection firewall to refuel Ah!) ）。 On the other hand, it should not generate too much extra latency and packet loss as an enterprise network boundary crossing product.

In terms of security features, some products cover a wide range, like those set IPs, anti-virus, traditional firewalls in one of the "integrated" security gateway, testing them in a short period of time can not be exhaustive. How to operate it, the author has several experience:

1. There are not necessarily many means of attack. For example, Dos attacks, although there are many kinds, but for the firewall, the defense of several kinds of Dos attacks are the same design principle. So in a limited time, select a representative of several Dos attacks should be able to see the firewall this aspect of the ability;

2. Attacks at multiple levels. At present, a good firewall can be categorized against attacks from the network layer to the application layer. Attacks at every level are best checked, and work at different levels often means a revolutionary change in firewall capabilities. For example, the network layer of Dos attacks, application-level scripting attacks and Peer-to-peer communication control. In addition, as the number of firewall ports increases, intranet users often use the security of Windows network is also necessary to investigate.

3. Support the type and accuracy of dynamic protocols. The most typical is the support of VoIP, including a variety of topologies and two-way calls. The more realistic the simulation environment is, the more likely it is to discover the problems of the firewall.

4. It is best to add a certain background flow during the attack test. This is mainly to observe the firewall of a defensive function will cause normal flow of abnormal response.

5. Mix of means of attack. For example, the success rate of the firewall filtering the HTTP worm in case of Dos attack is very much.

As far as performance is concerned, I would like to emphasize two points: not to be free from safety to talk about performance, not to cover the whole.

Testing the performance of a firewall only with the addition of "permit any to" will make it difficult for a firewall user to relate data performance to the actual environment. From a different point of view, some firewall vendors with their own products to achieve 64-byte line-speed throughput is claimed to be high-performance, but this data is only 64 bytes of UDP throughput. This data is also vacant for the user, after all, in the real environment, there is no pure UDP traffic, the TCP flow for the firewall is meant to do more work. Therefore, the performance of the evaluation should be multi-angle! And as close as possible to the user's actual environment. For example, different packet lengths of mixed, TCP and UDP mixed, delay-sensitive applications such as H.323 and document or Web page transmission mix, whether to add attacks and so on.

In two years, the current firewall compared to the traditional state detection firewall has at least two significant changes. One is to the application layer to protect the large-scale march, the other is the VPN function gradually become the basic components. As a result, testing for VPNs is also necessary. It is not only the performance of VPN tunneling, but also the compatibility of VPN gateway and client, as well as some VPN-related functions, such as traffic management within VPN.

For the other features of the firewall, the more notable is the log, authentication mode and the support of the virtual firewall. In addition, the change of the network pattern also deserves attention, for example, in the two-outlet link load balancing of the server in the DMZ area, the strength of each firewall support is also very different. In the firewall and IDs linkage This issue, we found that basically firewall support and some IDs linkage, but we understand that very few users care about this problem and actual deployment, IDs and firewall linkage does exist some of the problems that users worry about.