Firewall Testing is the only way to accurately confirm whether the firewall is working as expected. Complicated firewall rules, poor management interfaces, and other factors often make it difficult to determine the status of a firewall. By using an external port scanner it is possible to accurately determine the firewall status.
This type of firewall test attempts to make connections to external-facing services from the same perspective as an attacker. An unprotected open service (listening port) can be a major security weakness in poor firewall or router configurations.
Why You Need an External Firewall Test
To understand how vulnerable systems are to external attackers, you need to understand what they look like on the network from an external or Internet-facing perspective. A port scan conducted from outside a network perimeter will map and identify vulnerable systems.
Technical operations staff need to know what their network perimeter looks like from the outside. The perimeter may be a single IP gateway, a hosted Internet server, a whole Class B network, whatever it is they need to understand what services Internet based threats can see and access.
A systems administrator or security analyst will benefit from having access to an external port scanner. The most important being they will know the services listening on your perimeter. Testing should be performed at least monthly and ideally scheduled more often, to monitor for changes to the perimeter.
Home Router Firewall
For many users, a home router is the only firewall device they will have to manage. In the case of a home router, the most common configuration is for the SOHO (small office/home office) device to be performing NAT (network address translation).
In a NAT configuration, the internal network has several devices on private IP address ranges 192.168.1.x which communicate with the Internet through the SOHO router. The router has a single public IP address assigned by the Internet provider or ISP and the translation of internal to public IP address is the NAT process.
Home routers should be port scanned to check for two important considerations
1. Listening Port
The device itself may have listening services for management such as HTTP
TCP port 80 or Telnet
TCP port 23. These are normally only accessible from the Internal network, but if they are listening on the Public Internet side, then anyone can access them. And if the password is default or weak, this could easily be accessed. If someone has access to your router, they can attack any devices on the Internal network.
2. Port Forwarding
Port Forwarding is another significant consideration. This is where the External interface forwards traffic to an Internal address so that it is accessible from the Internet. If you host services on your Internal network and want these to be accessible, set up a port forwarding rule on the SOHO router.
Port scanning the external IP address can help troubleshoot port forwards and ensure no services are being forwarded that should not be.
The primary function of a firewall is to block unauthorised packets from reaching listening services. The firewall can be situated on the perimeter of an organisations network, or it can be on an internal network. It can also be host-based, running on the server or workstation.
Multiple firewalls and filtering devices increases the complexity of assessing a network. Using a port scanner, one can quickly assess what ports are being permitted through the various layers of defence, and are able to reach services on the endpoint host.
Testing a firewall with a port scanner is more accurate and faster than combing through potentially hundreds of rules in a firewall and piecing together how that fits with the other networking kit.
One possible set up could be as complicated as:
- Checkpoint Firewalls being used in conjunction with Cisco networking gear.
- The Cisco gear is configured with ACLs (access control lists) and NAT (network address translation).
- The servers have Linux based IP Tables
- Windows Firewall
- Zone Alarm
Firewall Rule Base auditing by hand is an important (and tedious) job. The benefit of port scanning is quicker results with more assurance nothing was missed. Combine the two and
drop all those unwanted packets.
To effectively test a firewall and network for external access points, it is necessary to perform the port scanning from a remote host. Use our hosted online port scanner service and swiftly test a range of IP Addresses or a single IP address. All 65535 ports tested at the click of a mouse, with results delivered to your email address for review.
From the results of the port scan you are able to determine the state of all ports:
- Filtered = Packet is Dropped
Indicates the port is being filtered by a Firewall or Router. This is the recommended state for any port that does not have a listening service on it.
- Closed = Packet is Denied - response sent
Traffic destined to this port is being allowed past any firewall/router devices and is arriving at the destination host (which has no listening service running on that port).
- Open = TCP Handshake Established
A connection to a listening service has been made. This state should only be found on services that have a requirement to be externally facing (HTTP 80 and SMTP 25 are two examples of common external facing services).
Ingress Filtering is the traffic coming into your network from the Internet. It is used to restrict access to vulnerable services, reduce the attack surface of Internet-facing systems, and reduce the ability of an attacker to open back-doors on Internet facing ports.
Egress Filtering is the traffic leaving your network. Data ex-filtration and outbound initiated remote access. Command shells and other remote access can be achieved by a system initiating an outbound connection. Limiting the available outbound ports can make this outbound communication more difficult for an attacker. Note - this does not entirely solve the problem as advanced tools and attackers can initiate communication through multiple means, including over
HTTPS proxy servers,
SMTP, and even
Troubleshooting Network Services
When installing and configuring Internet-facing services, it will often be necessary to troubleshoot a network configuration to get a service up and running. For example, you may have correctly set up the service on the server with everything operating correctly however, an external firewall may be blocking remote access to this service.
Situations, where network troubleshooting is required, are varied. It is a common methodology to perform an external port scan against the network port or system to promptly understand where the problem may lie. If you can connect to a service from the internal host but unable to connect from external, you can make a pretty good guess at where the problem might lie. Performing a port scan using an external online port scan confirms that all the required services are being filtered - hence your troubleshooting can move to looking at any external or host based firewalls that are blocking that port.
Mapping Networks and Services
To determine how vulnerable a network or host is to exploitation, it is necessary to know what services are running and whether they are externally facing meaning accessible from the Internet. Executing a remote port scan against the network IP range or a specific host identifies open ports, and additionally the types of services running on those ports. This is known as
service detection and is a feature of most well known port scanners such as the nmap port scanning tool.
Furthermore, the identification of the operating system is possible. Either from the service identification or through a more low-level analysis of the packets coming back from the host.
System and network administrators utilize port scanners to map the external network of a host or organisation. Networks change over time and documentation is not always kept current. A quick port scan of the services listening on a network will help a system administrator to understand the layout of the network.
PRO Testing available with our Online Port Scanner
Scan all 65535 ports
Next level testing with advanced Security Vulnerability Scanners.
Trusted tools. Hosted for easy access.