Firewall testing from outside the perimeter is the most reliable way to confirm that a firewall is actually working as expected. Complicated rule bases, poor management interfaces and other factors often make it difficult to determine the real state of a firewall. By using an external port scanner it is possible to determine that state accurately.
This type of firewall test attempts to make connections to external facing services from the same perspective as an attacker. An unprotected open service (listening port) can be a major security weakness in poor firewall or router configurations.
This firewall test is a high level overview that can reveal the status of a system firewall based on the port responses. See the Nmap Tutorial for more detail on interpreting the results.
Why You Need an External Firewall Test
To understand how exposed your systems are to external attackers, you need to know what they look like on the network from an external, Internet facing perspective. A port scan conducted from outside the network perimeter maps the reachable services and identifies exposed systems.
Technical operations staff need to know what their network perimeter looks like from the outside. The perimeter may be a single IP gateway, a hosted Internet server or a whole Class B network; it does not matter - you need to understand what services Internet based threats can see and what they are able to access.
If you are a systems administrator or a security analyst for an organisation, having access to an external port scanner provides a number of benefits. The most important is that you should know which services are listening on your perimeter. Testing should be performed at least monthly, and ideally more often, to monitor for changes to the perimeter.
Home Router Firewall
For many users a home router is the firewall device that they will have to manage. In this case the most common configuration is for the SOHO (small office/home office) device to be performing NAT (network address translation). In a NAT configuration the internal network has a number of devices on private IP address ranges (192.168.1.x) and they communicate with the Internet through the SOHO router. The router has a single public IP address assigned by the Internet provider or ISP. The translation of internal to public IP address is the NAT process.
Home routers should be port scanned to check for two important considerations:
1. Listening Ports
The device itself may have listening services for management, such as HTTP (tcp port 80) or Telnet (tcp port 23). These are normally only accessible from the internal network, but if they are listening on the public Internet side then anyone can reach them, and if the password is default or weak the router can easily be taken over. If someone has access to your router, they can attack any device on the internal network.
2. Port Forwarding
Port forwarding is another important consideration: the external interface forwards traffic to an internal address so that it is accessible from the Internet. If you are hosting services on your internal network and you want these to be reachable, you may set up a port forwarding rule on the SOHO router. Port scanning the external IP address helps troubleshoot port forwards and ensures that nothing is being forwarded that should not be.
The primary function of a firewall is to block unauthorised packets from reaching listening services. The firewall can sit on the perimeter of an organisation's network or on an internal network segment, and it can also be host based, running on the server or workstation itself.
Multiple firewalls and filtering devices increase the complexity of assessing a network. With a port scanner one can quickly determine which ports are permitted through the various layers of defence and actually reach services on the end host. Testing a firewall with a port scanner is faster and more accurate than combing through potentially hundreds of rules and piecing together how they interact with the rest of the networking kit.
One possible set up could be as complicated as:
- Checkpoint firewalls being used in conjunction with Cisco networking gear.
- The Cisco gear configured with ACLs (access control lists) and NAT (network address translation).
- Linux servers running iptables.
- Windows Firewall on the Windows hosts.
- ZoneAlarm, a host based firewall, on workstations.
Firewall rule base auditing by hand is an important (and tedious) job; the benefit of port scanning is that you get results quicker, with more assurance that nothing was missed. Combine the two and drop all those unwanted packets.
To effectively test a firewall and network for external access points, the port scan must be performed from a remote host. Using our hosted online port scanner you can quickly test a single IP address or a range of IP addresses. All 65535 TCP ports can be tested at the click of a mouse, with the results delivered to your email address for review.
From the results of the port scan you are able to determine the state of each port:
- Filtered = packet is dropped, no response
Indicates the port is being filtered by a firewall or router. This is the recommended state for any port that does not have a listening service on it.
- Closed = packet reaches the host, RST sent back
Indicates traffic destined for this port is being allowed past any firewall or router devices and is arriving at the destination host, which has no listening service on that port. The host itself is answering, so nothing in the path is dropping the traffic.
- Open = TCP handshake established (SYN/ACK received)
Indicates that a listening service accepted the connection. This state should only be found on services that are required to be externally facing (HTTP on tcp port 80 and SMTP on tcp port 25 are two common examples).
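As an added example (not code from the original page or from the scanner service it describes), the script below reads an external scan saved in nmap's grepable format (-oG) and applies the three-state reading above: open ports are checked against an allow list of services that are meant to be Internet facing, closed ports are reported as traffic reaching the host unfiltered, and the filtered count is tallied. It also diffs a baseline scan against the current one, which is the check the monthly re-test earlier on the page calls for. The scan output, the address 203.0.113.10 and the allow list {22, 80} are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample output (nothing here was captured from a real host) in nmap's
# grepable format, as `nmap -Pn -p- -oG - 203.0.113.10` might print when run from a
# host outside the perimeter. 203.0.113.0/24 is a documentation address range.
BASELINE_SCAN = """\
# Nmap 7.94 scan initiated Mon Dec 11 09:00:00 2023 as: nmap -Pn -p- -oG - 203.0.113.10
Host: 203.0.113.10 (perimeter.example.com)\tStatus: Up
Host: 203.0.113.10 (perimeter.example.com)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx/\tIgnored State: filtered (65533)
# Nmap done at Mon Dec 11 09:12:00 2023 -- 1 IP address (1 host up) scanned
"""

# A month later (also constructed): a port forward to 8080 has appeared and 3389
# now answers with an RST instead of being dropped.
SAMPLE_SCAN = """\
# Nmap 7.94 scan initiated Mon Jan  8 09:00:00 2024 as: nmap -Pn -p- -oG - 203.0.113.10
Host: 203.0.113.10 (perimeter.example.com)\tStatus: Up
Host: 203.0.113.10 (perimeter.example.com)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx/, 3389/closed/tcp//ms-wbt-server///, 8080/open/tcp//http-proxy///\tIgnored State: filtered (65531)
# Nmap done at Mon Jan  8 09:12:00 2024 -- 1 IP address (1 host up) scanned
"""


@dataclass(frozen=True)
class Port:
    number: int
    proto: str
    state: str      # open, closed, filtered, ...
    service: str


def parse_grepable(text: str) -> dict:
    """Map each scanned address to its listed ports and the aggregated 'Ignored State'."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                      # '#' comment lines carry no port data
        fields = dict(seg.split(": ", 1) for seg in line.split("\t"))
        if "Ports" not in fields:
            continue                      # the 'Status: Up' line has no port list
        addr = fields["Host"].split()[0]
        ports = []
        for entry in fields["Ports"].split(", "):
            # port/state/protocol/owner/service/rpc/version/ -- nmap writes '/' inside
            # a field as '|', so a plain split on '/' is safe.
            num, state, proto, _owner, service, _rpc, _version, _ = entry.split("/")
            ports.append(Port(int(num), proto, state, service))
        m = re.match(r"(\w+) \((\d+)\)", fields.get("Ignored State", ""))
        ignored = (m.group(1), int(m.group(2))) if m else ("", 0)
        hosts[addr] = {"ports": ports, "ignored": ignored}
    return hosts


def open_ports(host: dict) -> set:
    return {p.number for p in host["ports"] if p.state == "open"}


def assess(host: dict, expected_open: set) -> dict:
    """Read one host's result the way the three states above are described:
    open     -> fine only if the service is meant to be Internet facing
    closed   -> the packet reached the host and got an RST: nothing is dropping it
    filtered -> dropped by a firewall or router, the desired state for everything else
    """
    opened = open_ports(host)
    filtered = sum(1 for p in host["ports"] if p.state == "filtered")
    if host["ignored"][0] == "filtered":
        filtered += host["ignored"][1]    # the ports nmap folded into 'Ignored State'
    return {
        "unexpected_open": sorted(opened - expected_open),
        "missing_open": sorted(expected_open - opened),
        "unfiltered_closed": sorted(p.number for p in host["ports"] if p.state == "closed"),
        "filtered": filtered,
    }


def diff_scans(baseline: dict, current: dict) -> dict:
    """Perimeter change between two scans of the same host (the monthly re-test)."""
    before, after = open_ports(baseline), open_ports(current)
    return {"newly_open": sorted(after - before), "no_longer_open": sorted(before - after)}


if __name__ == "__main__":
    addr = "203.0.113.10"
    baseline = parse_grepable(BASELINE_SCAN)[addr]
    current = parse_grepable(SAMPLE_SCAN)[addr]
    print(assess(current, expected_open={22, 80}))
    print(diff_scans(baseline, current))
```

The same assess() call covers the home router case: the allow list for a SOHO router is usually empty, or just the ports you deliberately forward, so a management port such as tcp 80 or 23 turning up in unexpected_open is the finding to act on, and anything in unfiltered_closed is a port the router is not dropping.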
Ingress filtering controls the traffic coming into your network from the Internet. It is used to restrict access to vulnerable services, reduce the attack surface of Internet facing systems and reduce an attacker's ability to open back doors on Internet facing ports.
Egress filtering controls the traffic leaving your network, and matters for data exfiltration and outbound-initiated remote access. Command shells and other remote access can be achieved by a compromised system initiating an outbound connection. Limiting the available outbound ports makes this communication more difficult for an attacker. Note that this does not entirely solve the problem: advanced tools and attackers are able to initiate communication through multiple means, including over HTTPS proxy servers, SMTP and even
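The egress side can be tested the same way from the inside: try to connect out to each port and see which ones complete a handshake. The script below is an added example, not part of the original page; the policy (only 80 and 443 allowed outbound), the probe ports and the target address 203.0.113.5 are assumptions for illustration, and fake_connector() is a stand-in for socket.create_connection() so the logic can be exercised offline. Against a real network, point probe_egress() at a host you control that listens on every probed port, so that a refused or timed-out connection can be attributed to the egress filter rather than to the target.

```python
import socket

# Constructed policy for this example: outbound ports an internal workstation
# is meant to be allowed to reach. Everything else should be dropped at the egress.
ALLOWED_EGRESS = {80, 443}

# Ports worth probing: common services plus a couple of ports a reverse shell
# or C2 client would typically use if nothing stops it.
PROBE_PORTS = [22, 25, 53, 80, 443, 4444, 8080]


def probe_egress(host, ports, timeout=3.0, connect=socket.create_connection):
    """Try a TCP connect from the inside to each port on `host` and record what happened.

    connected   -> the handshake completed: this outbound port is open through the egress
    refused     -> an RST came back, so the packet left the network (or a REJECT rule answered)
    timed_out   -> no answer at all: dropped somewhere on the path, which is what you want
    unreachable -> an ICMP error or a local routing problem
    Pass a different `connect` to run the logic without touching the network.
    """
    results = {}
    for port in ports:
        try:
            sock = connect((host, port), timeout=timeout)
            sock.close()
            results[port] = "connected"
        except ConnectionRefusedError:
            results[port] = "refused"
        except (socket.timeout, TimeoutError):
            results[port] = "timed_out"
        except OSError:
            results[port] = "unreachable"
    return results


def policy_violations(results, allowed):
    """Ports that completed a handshake but are not in the egress allow list."""
    return sorted(p for p, r in results.items() if r == "connected" and p not in allowed)


class _FakeSocket:
    def close(self):
        pass


def fake_connector(open_ports, refused_ports):
    """Stand-in for socket.create_connection so the probe can be exercised offline
    (hypothetical behaviour: listed ports connect, refused ports get an RST, the
    rest time out as a drop rule would cause)."""
    def connect(address, timeout=None):
        port = address[1]
        if port in open_ports:
            return _FakeSocket()
        if port in refused_ports:
            raise ConnectionRefusedError(f"port {port} refused")
        raise socket.timeout(f"port {port} timed out")
    return connect


if __name__ == "__main__":
    # Offline dry run. Against a real target use a host you control that listens on
    # every probed port, e.g. probe_egress("203.0.113.5", PROBE_PORTS).
    res = probe_egress("203.0.113.5", PROBE_PORTS,
                       connect=fake_connector({80, 443, 4444}, {25}))
    print(res)
    print("egress policy violations:", policy_violations(res, ALLOWED_EGRESS))
```

In the dry run tcp 4444 completes a handshake even though the policy only permits 80 and 443, which is exactly the gap a reverse shell would use; a "refused" on 25 tells you the SYN left the network and something answered, so that port is not being dropped either.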
Troubleshooting Network Services
When installing and configuring Internet facing services it is often necessary to troubleshoot the network configuration in order to get a service up and running. For example, you may have set up the service correctly on the server, with everything operating locally, yet an external firewall is blocking remote access to it.
While the situations in which network troubleshooting is required are varied, a common approach is to perform an external port scan against the port or system in question to quickly narrow down where the problem lies. If you can connect to the service from an internal host but not from outside, the fault is almost certainly somewhere between the two. An external online port scan confirms which of the required ports show as filtered from the Internet; for those, troubleshooting moves to the perimeter or host based firewalls that are dropping the traffic.
Mapping Networks and Services
In order to determine how vulnerable a network or host is to exploitation, it is necessary to know what services are running and whether they are externally facing (accessible from the Internet). By performing a remote port scan against the network IP range, or against a specific host, it is possible to determine not only the open ports but also the types of services running on them. This is known as service detection and is a feature of most well known port scanners, such as the nmap port scanning tool.
Furthermore, identification of the operating system is also possible, either from the service identification or through lower level analysis of the packets coming back from the host.
System and network administrators will also utilize port scanners to map the external network of a host or organisation. Networks change over time and documentation is not always kept current, so a quick port scan of the services listening on a network will help a system administrator to understand the layout of the network.