Test the firewall system
Source: CERT (R)
A practice from the CERT (R) Security Improvement Modules
(http://www.cert.org/security-improvement/)
The purpose of this test is to find out whether the firewall works the way you intend it to. Before you install it, you should:
· Develop a comprehensive test plan; the tests focus on routing, packet filtering, logging and alerting
· Test the recovery procedures that apply when the firewall system fails
· Design your initial test cases
The items that must be tested include:
· Hardware (processor, internal and external storage, network interfaces, etc.)
· Operating system software (booting, console access, etc.)
· Firewall software
· Network interconnection equipment (cables, switches, hubs, etc.)
· Firewall configuration
  - Routing rules
  - Packet filtering rules and their associated logging and alerting options
***** Why is this important? *****
Testing, and testing well, is the only way to make sure the firewall system performs as intended. You must understand the failures that can occur in each system component and the techniques for recovering from each of them, so that when a failure you planned for actually occurs you can restore service promptly.
The most common cause of a breach of a firewall system is a firewall configuration error. Before any other test item, you therefore need to test the configuration as a whole (the routing function, the packet filters, the logging capability, and so on).
***** How should I do it? *****
"Establish a test plan"
You need a plan that tests both the firewall system itself and its implementation of the security policy it enforces.
1 Create a list of all the system components whose failure could disable the firewall system.
2 For each component, write a short list of its failure modes, describing the effect of each on firewall operation. Note the type and extent of the damage each failure can do to the firewall system and how likely it is to occur.
3 For each relevant failure mode:
   - Design a specific scenario or indicator that simulates it
   - Design a mitigation that limits the damage it does to the system
For example, consider the host that runs the firewall software: a hardware fault such as a damaged network adapter cuts off all communication through the firewall, and this failure can be simulated simply by unplugging the network interface. The corresponding defense/recovery strategy could be a standby firewall system that replaces the failed machine in the shortest possible time, so that packets are delayed rather than lost.
Testing a policy is harder than testing the operation of the system. Exhaustively testing the IP packet filter settings is infeasible because of the enormous number of cases. We recommend replacing exhaustive testing with boundary testing (partition testing). In these tests you identify, for each packet filtering rule you implement, the boundaries between the regions into which the rule divides the space of packets. To do this:
· Define the boundaries for each rule. Typically each parameter of a rule has one or two boundary points, which divide the packet space along that feature into several regions. The features usually involved are the protocol, source address, destination address, source port, destination port, and so on. Each packet feature is treated independently and compared with the numerical range the rule defines for it. For example, a rule that permits TCP packets from any host to port 80 of your web server uses three features (protocol, destination address, destination port); the destination port alone divides the packets into three regions: TCP packets to the web server with a destination port below 80, equal to 80, and above 80.
· Generate traffic for each region you have identified and confirm that the traffic of each region is passed or rejected as the rule specifies. Every region must be treated uniformly, with all of its traffic either rejected or passed; that uniformity is the point of partitioning the packet features into regions.
Where the rule set as a whole is simple enough, it can be treated in the same way; where it is not, the rule set should be reviewed repeatedly by a group of people, and someone must be able to state the purpose of every rule. Overall, the test plan should include the test cases, the configurations to be tested, and the expected results:
· Tests of the routing configuration, the packet filtering rules (including tests of particular services), the logging function, and alerting
· Tests of the firewall system's overall behaviour (such as recovery from hardware/software failure, sufficient log storage capacity, log file fault tolerance, and the performance of monitoring and tracing devices)
· Tests under both normal and abnormal conditions
You should also record the tools you intend to use in the tests (scanners, monitors, and vulnerability/attack detection tools) and test each of them for its own behaviour.
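As an added illustration that is not part of the original CERT practice, the following Python script generates the boundary cases described above for a list of packet filter rules: for each rule it takes the boundary points of each feature (protocol, source address, destination address, destination port), forms the cross product of the resulting regions, and records the action that a first-match, default-deny filter should take for each probe. The rule model, the first-match semantics, the web server address 192.0.2.10, the representative external host 198.51.100.7, and the rendering as hping3 commands are all assumptions of this example, not something the page states.

```python
"""Boundary (partition) test generator for packet-filter rules (added example)."""
import itertools
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "any"  # wildcard for the protocol and address fields


@dataclass(frozen=True)
class Rule:
    action: str      # "permit" or "deny"
    proto: str       # "tcp", "udp" or ANY (ICMP is outside this model)
    src: str         # CIDR block or ANY
    dst: str         # CIDR block or ANY
    dport_lo: int    # inclusive destination-port range
    dport_hi: int


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field of the packet falls inside the rule's region."""
    if rule.proto != ANY and rule.proto != pkt.proto:
        return False
    if rule.src != ANY and ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if rule.dst != ANY and ip_address(pkt.dst) not in ip_network(rule.dst):
        return False
    return rule.dport_lo <= pkt.dport <= rule.dport_hi


def expected_action(rules: list[Rule], pkt: Packet, default: str = "deny") -> str:
    """Model of the filter (assumption): first matching rule wins, else default deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default


def port_regions(lo: int, hi: int) -> list[int]:
    """One probe per region: just below the range, its two edges, just above."""
    points = {lo, hi}
    if lo > 0:
        points.add(lo - 1)
    if hi < 65535:
        points.add(hi + 1)
    return sorted(points)


def addr_regions(cidr: str) -> list[str]:
    """First and last address of the block plus the addresses just outside it."""
    if cidr == ANY:
        return ["198.51.100.7"]  # assumed representative host: any address matches
    net = ip_network(cidr)
    first, last = int(net.network_address), int(net.broadcast_address)
    candidates = [first, last, first - 1, last + 1]
    return [str(ip_address(a)) for a in dict.fromkeys(c for c in candidates if 0 <= c <= 2**32 - 1)]


def proto_regions(proto: str) -> list[str]:
    """The named protocol plus one other, so a wrong-protocol probe is always present."""
    return ["tcp", "udp"] if proto == ANY else [proto, "udp" if proto == "tcp" else "tcp"]


def boundary_cases(rules: list[Rule]) -> dict[Packet, str]:
    """Cross product of every rule's per-field regions, each with its expected action."""
    cases: dict[Packet, str] = {}
    for rule in rules:
        for proto, src, dst, dport in itertools.product(
            proto_regions(rule.proto), addr_regions(rule.src),
            addr_regions(rule.dst), port_regions(rule.dport_lo, rule.dport_hi),
        ):
            pkt = Packet(proto, src, dst, dport)
            cases[pkt] = expected_action(rules, pkt)
    return cases


def as_hping3(pkt: Packet) -> str:
    """Render a probe as an hping3 command (tool assumed; the page does not name it)."""
    mode = "-S" if pkt.proto == "tcp" else "--udp"
    return f"hping3 {mode} -c 1 -a {pkt.src} -p {pkt.dport} {pkt.dst}"


# The page's own example rule: permit TCP from any host to port 80 of the web server.
# The web server address 192.0.2.10 is an assumption of this example.
EXAMPLE_POLICY = [Rule("permit", "tcp", ANY, "192.0.2.10/32", 80, 80)]


def example_cases() -> dict[Packet, str]:
    return boundary_cases(EXAMPLE_POLICY)


if __name__ == "__main__":
    for pkt, action in sorted(example_cases().items(),
                              key=lambda kv: (kv[0].proto, kv[0].dst, kv[0].dport)):
        print(f"{action:6s}  {as_hping3(pkt)}")
```

Run for the page's own rule, the script prints 18 probes (two protocols, three destination addresses, three destination ports), of which exactly one, TCP to 192.0.2.10 port 80, is expected to be permitted; each probe can then be injected with the packet generator of your choice and its fate checked against the firewall log and the sniffer capture, as described under testing in the test environment.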
"Acquire test tools"
Use a range of firewall test tools to find out whether your firewall product falls short on any of the relevant performance measures.
The types of firewall test tools include 1:
· Network packet generators (such as spak [send packets], ipsend, ballista)
· Network monitors (such as tcpdump and Network Monitor)
· Port scanners (such as strobe and nmap)
· Vulnerability scanners (able to scan a given address range and to target a variety of known vulnerabilities)
· Intrusion detection systems [IDS], such as NFR 2 [Network Flight Recorder] and Shadow 3
For related information see Detecting Signs of Intrusion [Allen 00], in particular the practices "Identify Data That Characterize Systems and Aid in Detecting Signs of Suspicious Behavior" and "Identify Tools That Aid in Detecting Signs of Intrusion".
"Test the firewall system in your test environment"
Build a test configuration in which the firewall system connects two separate hosts, one standing in for the internal network and the other for the external network. An example is shown in Figure 8-1 "Test Environment".
When testing, make sure the default gateway of the internal host is the firewall system (this of course refers to a firewall that also performs routing for the enterprise). If you have chosen a dedicated logging system (admirable), run the logging host on the internal network so that the logging tests can be carried out against it. If logging is done on the firewall machine itself, the internal machine can read the logs directly.
Place machines carrying a scanner and a sniffer both inside and outside the topology, so that you can generate and capture traffic in both directions (from inside to outside and from outside to inside) and analyze it.
The test steps are as follows:
· Disable packet filtering.
· Inject packets that exercise the routing rules through the firewall system.
· Verify, from the firewall log and the output of your scanner, that the packets were routed correctly.
· Enable packet filtering.
· Inject network traffic for every protocol, all ports, and a sample of the source and destination addresses that may be used.
· Confirm that the packets that should be blocked (rejected) are blocked. For example, if all UDP packets are set to be blocked, confirm that no UDP packet gets through. Likewise confirm that the packets that should be passed (permitted) are passed. Use the firewall log and the sniffer capture to analyze the results of these tests.
· Scan both the permitted and the rejected ports and check that the firewall system behaves as you configured it.
· Check the logging options in the packet filter rules and test that the logging function works as expected for all network traffic.
· Test that the predetermined alerts are delivered to their intended destination (such as the firewall administrator) for all network traffic that should trigger them (pager display and e-mail notification).
The steps above should be planned and carried out step by step by at least two people: one is responsible for implementing the whole project, including the routing configuration, packet filtering rules, logging options and alerting options; the other is responsible for recovery work, reviews the procedures for each part, and checks whether the network topology and security policy have been implemented appropriately.
"Test the firewall system in your production environment"
In this step you move from a single-layer architecture (Figure 8-2 "Single Layer Firewall Architecture") to a multi-layer architecture (Figure 8-3 "Multiple Layer Firewall Architecture").
This step also requires you to set up a network topology with one or more private networks and public networks. The public network mainly consists of the hosts that provide services to the outside, such as WWW (HTTP), FTP, e-mail (SMTP) and DNS, and sometimes services such as SNMP, file access and logins into the intranet. The hosts on your public network can also be described as a DMZ (demilitarized zone). The internal network is defined as the workstations of the intranet's users. A detailed diagram is shown in Figure 8-4 "Production Environment".
The test steps are as follows:
· Connect your firewall system to the internal and external topology.
· Set up the routing configuration so that the internal and external hosts communicate through the firewall system. This is built service by service; for example, a web server on the public network may need to access a document on a host in the private network. Web, file access, DNS, mail and remote login are the kinds of services to cover; the details of these services can be found in Figure 8-4 "Production Environment".
· Test that the firewall system logs both 'inbound' and 'outbound' network traffic. You can confirm this with the scanner together with the network sniffer.
· Confirm that the packets that should be blocked (rejected) are blocked. For example, if all UDP packets are set to be blocked, confirm that no UDP packet gets through. Likewise confirm that the packets that should be passed (permitted) are passed. Use the firewall log and the sniffer capture to analyze the results of these tests.
· Carefully scan all hosts in your network (including the firewall system). Check whether your scan packets are blocked, confirming that no information about the hosts can be obtained. Try sending probe packets from a specific 'trusted port' (such as port 20 used by FTP) to scan whether each port is alive, to see whether this gets around the limits set by the firewall's rules.
· You can install an intrusion detection system in your test network or your real network to help you understand and test whether your packet filtering rules protect your systems and network against known attacks. To do this, you will need to run such a system on a regular schedule and analyze its results regularly. You may of course postpone this step until the whole new firewall system has been fully configured.
· Check the logging options in the packet filter rules and test that the logging function works as expected for all network traffic.
· Test that the predetermined alerts are delivered to their intended destination (such as the firewall administrator) for all network traffic that should trigger them (pager display and e-mail notification).
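The verification steps in both test procedures above (confirm that blocked packets are blocked, that permitted packets pass, and that logging fires) come down to reconciling three things: the test plan's expected outcome for each probe, the firewall log, and the sniffer capture taken on the protected side. The following Python example, added here and not part of the CERT practice, performs that reconciliation over constructed sample input. The iptables-style log lines with FW-ACCEPT/FW-DROP prefixes, the tcpdump-style capture lines, the addresses, and the probe that slips through from source port 20 (the 'trusted port' trick mentioned above) are all assumptions of the example.

```python
"""Reconcile expected filter results with the firewall log and an inside sniffer (added example)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    dport: int


# iptables-style LOG lines; the FW-ACCEPT / FW-DROP prefix is assumed to be set
# with --log-prefix on the accept and drop rules respectively.
LOG_RE = re.compile(
    r"(?P<prefix>FW-ACCEPT|FW-DROP): .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r".*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dport>\d+)"
)
# tcpdump -n style lines as captured on the internal interface.
CAP_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<kind>Flags|UDP)"
)


def parse_firewall_log(lines):
    """Return {Flow: 'permit' | 'deny'} for every decision the firewall logged."""
    logged = {}
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            flow = Flow(m["proto"].lower(), m["src"], m["dst"], int(m["dport"]))
            logged[flow] = "permit" if m["prefix"] == "FW-ACCEPT" else "deny"
    return logged


def parse_capture(lines):
    """Return the set of flows the sniffer actually saw behind the firewall."""
    seen = set()
    for line in lines:
        m = CAP_RE.search(line)
        if m:
            proto = "tcp" if m["kind"] == "Flags" else "udp"
            seen.add(Flow(proto, m["src"], m["dst"], int(m["dport"])))
    return seen


def reconcile(expected, fw_log_lines, inside_capture_lines):
    """Compare the plan's expectations with what the firewall logged and what got through.

    filter_failures: expected deny, but the probe reached the inside (most serious)
    over_blocking:   expected permit, but the probe never arrived
    unlogged:        the firewall recorded no decision for the probe at all
    log_mismatch:    the firewall logged the opposite of what the sniffer shows
    """
    logged = parse_firewall_log(fw_log_lines)
    seen = parse_capture(inside_capture_lines)
    findings = {"filter_failures": [], "over_blocking": [], "unlogged": [], "log_mismatch": []}
    for flow, action in expected.items():
        passed = flow in seen
        if action == "deny" and passed:
            findings["filter_failures"].append(flow)
        if action == "permit" and not passed:
            findings["over_blocking"].append(flow)
        if flow not in logged:
            findings["unlogged"].append(flow)
        elif logged[flow] != ("permit" if passed else "deny"):
            findings["log_mismatch"].append(flow)
    return findings


# Constructed sample input (assumed addresses: external probe host 198.51.100.7,
# protected web server 192.0.2.10). Policy under test: only TCP/80 is permitted.
EXPECTED = {
    Flow("tcp", "198.51.100.7", "192.0.2.10", 80): "permit",
    Flow("udp", "198.51.100.7", "192.0.2.10", 80): "deny",
    Flow("tcp", "198.51.100.7", "192.0.2.10", 79): "deny",
    Flow("tcp", "198.51.100.7", "192.0.2.10", 22): "deny",
}
FIREWALL_LOG = [
    "Jan  1 12:00:01 fw kernel: FW-ACCEPT: IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=80 SYN",
    "Jan  1 12:00:02 fw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=UDP SPT=40002 DPT=80 LEN=38",
    "Jan  1 12:00:03 fw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=22 SYN",
]
INSIDE_CAPTURE = [
    "12:00:01.000101 IP 198.51.100.7.40001 > 192.0.2.10.80: Flags [S], seq 1, win 512, length 0",
    # The probe sent from source port 20 reached the inside and was never logged:
    # a rule trusting FTP-data traffic by source port is letting a scan through.
    "12:00:04.000221 IP 198.51.100.7.20 > 192.0.2.10.79: Flags [S], seq 1, win 512, length 0",
]


def example_findings():
    return reconcile(EXPECTED, FIREWALL_LOG, INSIDE_CAPTURE)


if __name__ == "__main__":
    for category, flows in example_findings().items():
        print(category, flows)
```

On the constructed input the only probe that is flagged is TCP to port 79 from source port 20: it shows up both as a filter failure (it reached the inside although the plan says deny) and as unlogged (the firewall recorded no decision for it), which is exactly the pair of symptoms to look for when checking whether a source-port exception bypasses the rule set.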
Do not leave testing of the routing function until after you have connected the firewall system to your external network interface [see "9. Install the Firewall System" (http://www.cert.org/security-improvement/practices/p061.html) and "10. Phase the Firewall System Into Operation" (http://www.cert.org/security-improvement/practices/p063.html)]. Finally, you should first install and configure the new firewall system on the intranet, and only then connect the external network interface. To reduce the risk of the final test phase, the administrator can initially connect only a small number of internal machines (the main administration machines and the firewall system) and gradually increase the number of internal machines as the tests pass.
"Select the logging options to test"
You need to decide how the firewall system responds when the log file storage space is full. The related options are:
· The firewall system shuts down all external network connections.
· It keeps working, and new log entries overwrite the oldest log space.
· It keeps working, but stops logging altogether.
The first option is the safest, but it may not be acceptable for your firewall system. Try simulating the firewall system's operation with the log space completely filled, and see whether it behaves the way the option you chose is expected to.
Test the appropriate log content options as well; these include:
· The location of the log file (such as storage on the firewall itself or on a remote machine)
· The archiving period for the log file
· The purge period for the log file
"Test the firewall system"
Every relevant failure should be written into the test report (see the first step of the whole test process). Try to carry out every possible scenario, test the corresponding mitigation strategy, and assess the extent of the damage each failure causes.
Scan for vulnerabilities
Use a series of vulnerability detection tools to scan your firewall system and find out whether it has any defect of a known type. If the detection tool identifies a patch for such a defect, install it and scan again to confirm that the defect has been eliminated.
"Design an initial regression test suite"
From the tests performed under normal operation, select a specific set of tests to be rerun later. These should cover whether inbound packets are routed, filtered and logged as expected, and whether particular services (WWW, e-mail, FTP, etc.) are handled as expected.
Once the new firewall system has joined the normal working environment, you can run this series of tests before each change to the network, to find out whether the change would have a negative effect on normal work.
"Prepare to put the system into use"
You must establish and document a set of 'password' communication mechanisms or other secure means of authentication, so that you can communicate securely with and manage the firewall system throughout its life. For related information see Detecting Signs of Intrusion [Allen 00], in particular the practice "Identify Data That Characterize Systems and Aid in Detecting Signs of Suspicious Behavior".
When you complete the test process, make a backup of the configuration option list. For related information see Securing Desktop Workstations [Simmel 99], in particular the practice "Configure Computers for File Backups".
"Prepare for monitoring"
Monitoring the firewall system and the network, including its overall measures and throughput, is the only way to make sure that you have configured the security policies properly and that they are actually being enforced.
Make sure your security policies, procedures, tools and other resources are in place so that you can monitor your network and machines, including your firewall system.
***** Policy notes *****
Security testing of firewalls, systems and networks in your organization should follow these principles:
· Tests of the firewall system must be carried out in an environment you can monitor.
· The firewall system should be tested again after every configuration or structural change.
· The test suite used to test the firewall system's configuration should be updated regularly.
· The applications, operating systems, common components and hardware in the maintained area should be updated regularly.
· All networks and systems, including the firewall system, must be monitored.
--------------------------------------------------------------------------------
"Footnotes"
1 Some of the tools mentioned here can be found in the article "Identify Tools That Aid in Detecting Signs of Intrusion" and on the COAST web site.
2 NFR can be found at http://www.nfr.com/.
3 Shadow is an intrusion detection system developed by the U.S. Navy (R); related information can be found at http://www.sans.org/.