How to test the hardware firewall system

Source: Internet
Author: User

A practice from the CERT (R) Security Improvement Modules (http://www.cert.org/security-improvement)

The purpose of this testing is to determine whether the firewall behaves the way you intend it to. Before testing, you must:

· Develop a complete test plan whose intent focuses on the performance of routing, packet filtering, logging and alarms
· Test the defense and recovery scheme used when the firewall system fails
· Design your initial test components

Components that must be tested include:

· Hardware (processor, internal and external storage devices, network interfaces, etc.)
· Operating system software (drivers, console access, etc.)
· Firewall software
· Network interconnection devices (cables, switches, hubs, etc.)
· Firewall configuration software
-Routing rules
-Packet filtering rules, and the associated logging and alarm options

***** Why is this important? *****

Testing and verifying your firewall system improves its effectiveness and ensures that it performs as intended. You must understand the possible failures of each system component and the recovery techniques for each of them. Once a firewall system stops working according to your plan, you must recover it promptly.

The most common cause of a firewall system being breached is a firewall configuration problem. You must complete all of the test items beforehand (such as routing, packet filtering, and log-processing capabilities).

***** How should I do it? *****

"Create a test plan"

You need a plan that tests the implementation of the firewall system itself and of its policy, and then tests the operation of the system.

1. Create a list of all system components and their alternatives, recording the faults in each that could cause the firewall system to fail.
2. Create a brief description of each component's functions and describe its effect on the operation of the firewall system. Consider the type and extent of damage that the component's failure could cause to the firewall system, and the likelihood of that failure.
3. For each associated fault type:
-Design a specific situation or indicator to simulate it
-Design a mitigation scheme to weaken its effect on the system

For example, the host running the firewall software may encounter a hardware problem that cannot be fixed by a simple replacement, such as a damaged network adapter, which cuts off the hub of all network communication. To imitate this type of failure, you can simply unplug the network interface.

An example of a defense/recovery policy is a complete backup firewall system: when the primary system encounters problems such as packet delays, replace the machine with the backup.

It is very difficult to test the operation of a policy exhaustively. Testing the IP packet filtering settings with every possible input is not feasible; it would produce far too many cases. We recommend replacing exhaustive testing with partition testing. In these tests, you determine the packet filtering rules you have implemented and the boundaries between the partitions. For this you need to:

· Define boundary rules for each rule. Generally, each required parameter of a rule has one or two boundary points, which divide the packet feature space into multiple regions. The features usually used are: protocol, source address, destination address, source port and destination port. Each packet feature can be matched independently against the numeric range defined by the packet filtering rule. For example, one rule allows TCP packets from any host to port 80 on your web server. In this example three features are matched (protocol, destination address and destination port), and the destination port feature is divided into three regions: TCP packets to the web server with a port lower than 80, equal to 80, and greater than 80.

· Perform a traffic test for each region you have defined. Check whether regions that should pass traffic pass all of it, and whether regions that should reject traffic reject all of it. Each region of the packet feature space is tested separately, so that every region is either fully rejected or fully passed.
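The partition test described above can be generated mechanically from the rule set. The following is an added example, not code from the original article or from CERT: it models a first-match packet filter, derives the boundary points of every rule (the port just below, the edges, the port just above; the addresses just outside an address block) and produces one test packet per region together with the verdict the rule set should give it. The rule format, the web server address 192.0.2.10 and the representative source host 198.51.100.77 are constructed for illustration; the policy is the article's "TCP from any host to port 80 on the web server" rule plus "block all UDP".

```python
"""Partition (boundary) test generation for a packet filtering rule set.

Added example, not part of the original article. The rule format and the
sample addresses are constructed for illustration.
"""
from dataclasses import dataclass
from itertools import product
import ipaddress

ALL_PROTOS = ("tcp", "udp", "icmp")   # protocols the test plan exercises


@dataclass(frozen=True)
class Rule:
    action: str       # "permit" or "deny"
    proto: str        # "tcp", "udp", "icmp" or "any"
    src: str          # CIDR block for the source address
    dst: str          # CIDR block for the destination address
    dport_lo: int     # destination port range, inclusive
    dport_hi: int


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    """True if every feature of pkt falls inside the ranges of rule."""
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    return rule.dport_lo <= pkt.dport <= rule.dport_hi


def decide(rules, pkt: Packet, default: str = "deny") -> str:
    """First matching rule wins; otherwise the default policy applies."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default


def boundary_ports(rule: Rule):
    """Boundary points of a port range: just below, both edges, just above."""
    candidates = {rule.dport_lo - 1, rule.dport_lo, rule.dport_hi, rule.dport_hi + 1}
    return sorted(p for p in candidates if 0 <= p <= 65535)


def boundary_hosts(cidr: str, representative: str = "198.51.100.77"):
    """Edges of an address block plus the addresses just outside it.

    An unrestricted block (/0) has no useful edges, so one representative
    host (a constructed sample address) stands in for 'any host'."""
    net = ipaddress.ip_network(cidr)
    if net.prefixlen == 0:
        return [representative]
    hosts = {net.network_address, net.broadcast_address}
    if int(net.network_address) > 0:
        hosts.add(net.network_address - 1)
    if int(net.broadcast_address) < (1 << net.max_prefixlen) - 1:
        hosts.add(net.broadcast_address + 1)
    return [str(h) for h in sorted(hosts)]


def generate_partition_tests(rules, default: str = "deny", sport: int = 40000):
    """One test packet per region boundary of every rule, mapped to the verdict
    the rule set should give it. Only destination ports are varied; the source
    port is fixed because the sample rules do not constrain it."""
    cases = {}
    for rule in rules:
        for proto, src, dst, dport in product(ALL_PROTOS,
                                              boundary_hosts(rule.src),
                                              boundary_hosts(rule.dst),
                                              boundary_ports(rule)):
            pkt = Packet(proto, src, dst, sport, dport)
            cases.setdefault(pkt, decide(rules, pkt, default))
    return cases


# Constructed sample policy: permit TCP from any host to port 80 on the web
# server, block all UDP; everything else falls to the default deny.
SAMPLE_RULES = [
    Rule("permit", "tcp", "0.0.0.0/0", "192.0.2.10/32", 80, 80),
    Rule("deny", "udp", "0.0.0.0/0", "0.0.0.0/0", 0, 65535),
]

if __name__ == "__main__":
    plan = generate_partition_tests(SAMPLE_RULES)
    for pkt, verdict in sorted(plan.items(), key=lambda kv: (kv[0].proto, kv[0].dst, kv[0].dport)):
        print(f"{verdict:6} {pkt.proto:4} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
```

For the sample policy this yields 33 distinct test packets of which exactly one (TCP to 192.0.2.10 port 80) is expected to pass; ports 79 and 81 and the neighbouring hosts 192.0.2.9 and 192.0.2.11 probe the edges of the permit rule, and the ICMP packets check the default policy. The expected verdicts are what the packet injection and log checks later in the article are compared against.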

A rule set as a whole may be processed by a single mechanism, yet some of its rules may never be applied. Unused rules require repeated review by a group of people, and someone must be able to explain the purpose of each rule that is implemented.

The entire test plan includes the test cases, the configuration under test, and the expected results:

· Test the routing configuration, packet filtering rules (including tests for special services), logging functions and alarms

· Test the overall performance of the firewall system (such as hardware/software fault recovery, sufficient log storage capacity, fault tolerance of log files, and monitoring and tracking of performance issues)

· Test in both normal and abnormal situations

You also need to record the tools you plan to use in the test (scanners, monitors, and vulnerability/attack detection tools) and test their performance accordingly.


"Get test tool"

Use your various firewall testing tools progressively to find out whether your firewall product falls short on any of its performance indicators.

Various types of firewall testing tools include:

· Network packet generators (for example SPAK [Send PAcKets], ipsend and Ballista)
· Network monitors (such as tcpdump and Network Monitor)
· Port scanners (such as strobe and nmap)
· Vulnerability detectors (which scan to a certain depth and target multiple vulnerabilities)
· Intrusion detection systems [IDS] such as NFR [Network Flight Recorder] and Shadow

For more information, see Detecting Signs of Intrusion [Allen 00]. For specific practices, see "Identify data that characterize systems and aid in detecting signs of suspicious behavior" and "Identify tools that aid in detecting signs of intrusion".


"Test the functions of the firewall system in your testing environment"

Establish a test setup in which your firewall system is connected to two independent hosts, one on each side, representing the two networks the firewall joins. The example is shown in Figure 8-1 "Test Environment".

During the test, make sure that the default gateway of the intranet is the firewall system (this refers to enterprise-level firewalls that also route). A complete logging system (highly recommended) operates between the intranet host and a logging host, and you can select which log records to keep. If logs are recorded on the firewall machine itself, you can connect to it directly from the intranet machine.

Hosts running scanners and sniffers are placed on both the inside and the outside of the topology to capture and analyze traffic in both directions (from inside to outside, and from outside to inside).

Test execution should follow these steps:

· Stop packet filtering.
· Inject various packets to exercise the routing rules of the firewall system.
· Determine whether packet routing is accurate by using the firewall logs and the results of your scanner.
· Enable packet filtering.
· Generate traffic between the connected networks: collect sample records of traffic across the various protocols, all ports, and the possible source and destination addresses.
· Confirm that packets that should be blocked (rejected) are in fact blocked. For example, if all UDP packets are set to be blocked, make sure that no UDP packet passes. Likewise, packets that are set to pass in or out (permitted) must pass in and out. You can obtain the results of these experiments from the firewall logs and by scanning through the firewall.
· Scan the ports permitted and rejected by the firewall to see whether your firewall system behaves as you expected when you configured it.
· Check the logging option parameters in the packet filtering rules and test whether logging works as expected for all network traffic.
· Test whether specific notifications (such as to the firewall system administrator) and alarm channels (pager display and email notification) work.

The preceding steps are run in at least two passes: first with packet filtering disabled, then with it enabled.
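The "confirm that blocked packets are blocked" and "test whether logging works" steps above amount to one cross-check: every injected packet should appear in the firewall log with the verdict the test plan expected for it. The following is an added example, not code from the original article or from CERT. It parses iptables-style LOG lines (the real `--log-prefix` convention, with the prefixes `FW-ACCEPT` and `FW-DROP` assumed to be what the rules were configured with), keys each entry by its 5-tuple, and sorts the injected packets into three bins: handled as planned, handled with the wrong verdict (a filtering defect), and absent from the log (a logging defect). The expected verdicts and the log lines are constructed; in a real run they come from the test plan and from the logging host.

```python
"""Cross-check injected test packets against firewall log lines.

Added example, not part of the original article. The expected verdicts and
the iptables-style LOG lines are constructed for illustration.
"""
import re

# iptables LOG output carries the rule's --log-prefix followed by the packet's
# addresses, protocol and ports. ICMP lines carry TYPE/CODE instead of SPT/DPT,
# so the port group is optional.
LOG_RE = re.compile(
    r"(?P<prefix>FW-(?:ACCEPT|DROP)) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?"
    r"PROTO=(?P<proto>\S+)(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)
VERDICT = {"FW-ACCEPT": "permit", "FW-DROP": "deny"}   # assumed log prefixes


def parse_log(lines):
    """Map each logged 5-tuple (proto, src, dst, sport, dport) to its verdict.
    Lines without a firewall prefix (other syslog traffic) are ignored."""
    entries = {}
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        key = (m["proto"].lower(), m["src"], m["dst"],
               int(m["spt"] or 0), int(m["dpt"] or 0))
        entries[key] = VERDICT[m["prefix"]]
    return entries


def check_results(expected, logged):
    """Classify every injected packet as handled as planned, handled with the
    wrong verdict, or missing from the log altogether."""
    report = {"ok": [], "wrong_verdict": [], "not_logged": []}
    for key, want in expected.items():
        got = logged.get(key)
        if got is None:
            report["not_logged"].append(key)
        elif got == want:
            report["ok"].append(key)
        else:
            report["wrong_verdict"].append((key, want, got))
    return report


# Constructed: verdicts the test plan expects for five injected packets
# (policy: permit TCP to the web server on port 80, deny everything else).
EXPECTED = {
    ("tcp", "203.0.113.5", "192.0.2.10", 40000, 80): "permit",
    ("tcp", "203.0.113.5", "192.0.2.10", 40000, 81): "deny",
    ("tcp", "203.0.113.5", "192.0.2.10", 40000, 79): "deny",
    ("udp", "203.0.113.5", "192.0.2.10", 40000, 53): "deny",
    ("icmp", "203.0.113.5", "192.0.2.10", 0, 0): "deny",
}

# Constructed log lines: the UDP packet was wrongly accepted (filtering defect)
# and the port 79 packet never appears (logging defect).
SAMPLE_LOG = [
    "Oct 10 12:00:01 fw kernel: FW-ACCEPT IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=192.0.2.10 "
    "LEN=60 TTL=63 PROTO=TCP SPT=40000 DPT=80 WINDOW=29200 SYN",
    "Oct 10 12:00:02 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 "
    "LEN=60 TTL=63 PROTO=TCP SPT=40000 DPT=81 WINDOW=29200 SYN",
    "Oct 10 12:00:03 fw kernel: FW-ACCEPT IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=192.0.2.10 "
    "LEN=48 TTL=63 PROTO=UDP SPT=40000 DPT=53 LEN=28",
    "Oct 10 12:00:04 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 "
    "LEN=84 TTL=63 PROTO=ICMP TYPE=8 CODE=0",
    "Oct 10 12:00:05 fw sshd[812]: Accepted publickey for admin from 192.0.2.20",
]

if __name__ == "__main__":
    result = check_results(EXPECTED, parse_log(SAMPLE_LOG))
    for bucket, items in result.items():
        print(f"{bucket}: {len(items)}")
        for item in items:
            print("   ", item)
```

The two failure bins deserve different follow-ups: a `wrong_verdict` entry means the packet filter let through (or blocked) traffic against the policy, so the rule set needs correcting; a `not_logged` entry means the firewall may well have filtered correctly but the logging option on that rule, or the path to the logging host, is not working, which is the condition the logging step of the procedure is meant to catch.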
