Today we at ProSec inform you about firewall pentesting. Firewalls are security systems that typically stand between networks of different trust levels.
For example, it stands in the traditional way between your own network and the Internet, as your own hardware appliance, or in the form of a service appliance on a device such as the router in the home network. Firewalls take care of filtering vertical network traffic.
In addition, there are also the host-based firewalls that are directly responsible for filtering incoming and outgoing network traffic.
Due to their tasks and their exposed position between the networks, firewalls are of essential importance for attackers and defenders, which makes firewall pentesting an important component in the protection of a network. At the Pentest IT systems are manually checked for security gaps. With a Vulnerability Analysis some security gaps can already be detected automatically.
Firewall pentesting helps protect a network. However, if one speaks of firewalls in corporate environments, one is usually no longer dealing with a pure firewall, but often with an all-in-one solution - from VPN to proxy and load balancer to IDS /IPS and web application firewall functionalities.
In addition, firewalls act as advanced thread protection, email, DNS, and DHCP servers, as well as sandboxing (this list goes on and on). Comprehensive functions of a firewall make firewall pentesting indispensable.
Overcoming the Firewall (Bypass) is the main goal for attackers. But the many services that a modern firewall offers are just as interesting for an attacker (reference to CVE-2021-23008, CVE-2021-22986, CVE-2021-22987). Firewall pen testing is used to check whether a firewall can be breached.
As is so often the case, firewall pentesting begins with reconnaissance, i.e. clarification.
Firewall pentesting is about identifying the firewall and the interfaces, the open ports and which service versions are behind them.
The path taken by the packets via the network devices to the firewall is very important information for firewall pentesting, because there may well be other devices that filter network traffic.
The next step in the firewall pentesting process is to search for known exploits using the information obtained and to test the configuration. Within the framework of the firewall pentesting, access control lists are tested through firewalking to the concealment of communication channels (covert channels) in order to overcome the firewall.
Attempts at Remote Code Execution, Server Side Request Forgery (SSRF) or Brute Forcing (just to name a few) are also checked during firewall pentesting.
In addition to firewall pentesting, there are general measures that should be taken to protect the network.
The firewall should be properly configured and kept up to date. This may sound banal, but this measure applies to all devices in a network. Since a firewall is usually a very exposed device, you should be particularly careful here.
It starts with your rules for network traffic, how you use your interfaces and services, to their integration into your own domain or to others. In order to avoid gaps caused by contaminated sites, these measures should also be checked again at regular intervals,
This measure corresponds to the 1st measure, but should be mentioned here again separately and affects the documentation.
Without a thorough, clean and, above all, up-to-date documentation of the firewall and its configuration, you will quickly carry around legacy configurations, especially in larger organizations.
The 3rd measure concerns monitoring, since thorough configuration does not necessarily protect you from zero-days or infected devices through user error or social engineering.
Here there is only a chance to act if the network traffic and the firewall itself have been involved in thorough monitoring, thanks to which the administrator can get a chance to react in a timely and appropriate manner.
If you're interested in learning more about firewall pentesting then here us now. We would be happy to advise you on all questions relating to the IT security of your company.
