A Firewall Test conducted by an external port scanner will quickly identify open services and weakness in firewall configurations. In this post I will revisit some of the benefits of a remote firewall test and cover the basics of why a firewall is still an important part of any Internet connected system.
Why you need an external port scanner
To understand how vulnerable your systems are to external attackers, you need to understand what they look like on the network from an external or Internet facing perspective. A port scan conducted from outside a network perimeter will map and identify vulnerable systems.
Technical operations staff need to know what their network perimeter looks like from the outside. The perimeter may be a single IP gateway, a hosted Internet server or a whole Class B network; it does not matter - you need to understand what services Internet based threats can see and what they are able to access.
If you are a systems administrator or a security analyst for an organisation having access to an external port scanner will provide a number of benefits; The most important being that you should understand and know exactly what services are listening on your perimeter. Testing should be performed at least monthly and ideally more often, to monitor for changes to the perimeter.
A firewall's primary function is to block unauthorised packets from being able to reach listening services. The firewall can be situated on the perimeter of an organisations network or it can be on an internal network. It can also be on the end point whether that is a client desktop or a Internet server such as a web server or mail server.
Multiple firewalls and filtering devices increases the complexity of assessing a network. Using a port scanner one is able to quickly assess what ports are being permitted through the various layers of defence and are able to reach services on the end point host.
To effectively test a firewall and network for external access points, it is necessary to perform the port scanning from a remote host. By using the HackerTarget.com hosted online port scanner service you are able to quickly test a range of IP Addresses or a single IP address. All 65'535 ports can be tested at the click of a mouse, with the results delivered to your email address for review.
From the results of the port scan you are able to determine the state of a port:
- Filtered - (Packet is Dropped) this indicates the port is being filtered by a Firewall or Router, this is recommended state for any port that does not have a listening service on it.
- Closed - (Packet is Denied - response sent) this indicates traffic destined to this port is being allowed past any firewall / router devices and is arriving at the destination host (which has no listening service running on that port).
- Open - (TCP Handshake Established) this indicates that a connection to a listening service has been made. This state should only be found on services that have a requirement to be externally facing (HTTP 80 and SMTP 25 are two examples of common external facing services).
Why ingress firewall filtering is required
Restrict access to vulnerable services, reduce attack surface of Internet facing systems and reduce ability of an attacker to open back-doors on Internet facing ports.
Why egress firewall filtering is required
Data ex-filtration and outbound initiated remote access. Command shells and other remote access can be achieved by a system initiating an outbound connection. Limiting the available outbound ports can make this outbound communication more difficult for an attacker. Note - this does not entirely solve the problem as advanced tools and attackers are able to initiate communication through multiple means including over https proxy servers, STMP and even DNS queries.
Troubleshooting Network Services
When installing and configuring Internet facing services it will often be necessary to troubleshoot a network configuration in order to get a service up and running. For example you may have correctly setup the service on the server with everything operating correctly, however an external firewall may be blocking remote access to this service.
While the situations in which network troubleshooting is required are varied, it is a common methodology to perform an external port scan against the network port or system to quickly understand where the problem may lie. If you are able to connect to a service from the internal host but unable to connect from external, you can make a pretty good guess at where the problem might lie. By performing a port scan using an external online port scan you are able to quickly confirm that all the required services are being filtered - hence your troubleshooting can move to looking at any external or host based firewalls that are blocking that port.
Mapping Networks and Services
In order to determine how vulnerable a network or host is to exploitation, it is necessary to know what services are running and whether they are externally facing (or accessible from the Internet). By performing a remote port scan against the network IP range or against a specific host it is possible to determine not only the open ports but also the types of services running on those ports. This is known as service detection and is a feature of most well known port scanners such as the nmap port scanning tool.
Further more identification of the actual operating system is also possible, either from the service identification or through more low level analysis of the packets coming back from the host.
System and network administrators will also utilize port scanners to map the external network of a host or organisation. Networks change over time and documentation is not always kept current, so a quick port scan of the services listening on a network will help a system administrator to understand the layout of the network.