Pen testing a firewall has an external and an internal component.
The external portion evaluates the firewall's exposed attack surface and vulnerabilities from the outside, while the internal portion reviews its configuration.
Internal configuration reviews reveal more about the long-term health of the network boundary, while external testing surfaces the more obvious, immediately impactful findings.
External Firewall Testing
An attacker's goal is to bypass the protection the firewall provides. This can be done through a zero-day or another vulnerability in the firewall itself. In practice such flaws are uncommon, but when one exists the impact on a company can be devastating.
More often than not, an attacker goes after firewall misconfigurations or weak administrative passwords.
Brute-forcing the administrative password lets an attacker rewrite the rulebase and therefore open the internal network to themselves. We recommend administrative passwords of at least 24 characters, up to the vendor's maximum length. Length alone is not enough: the management interface should not be reachable from the internet, and login lockout or multi-factor authentication should be enabled where the vendor supports it.
A misconfiguration can also give the attacker an edge: a permissive rule may expose an internal server's open port to scanning, or let traffic be intercepted and decrypted where it should have been blocked.
Internal Firewall Testing
Testing the internal firewall focuses on the rules in place. A good configuration starts with a deny-all rule and then adds explicit exceptions, also known as a whitelist (allow list).
Under this model, every allowed flow is a conscious decision that someone had to make.
Even with this recommendation, admins often forget to remove temporary changes or to update rules. A pen test reviews the configuration to find the way in from the outside.
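The following is an added example of the configuration review described above; it is not code from the original article. It checks a rulebase for the problems the text names (no deny-all at the end, exceptions that allow any source to any port, management ports open to the world, and temporary rules nobody removed). The rule format is a constructed, vendor-neutral one (action, source, destination, port, comment), evaluated top to bottom; the management ports, the `TEMP ... until YYYY-MM-DD` comment convention, and both sample rulebases are assumptions made for the example.

```python
"""Static review of a firewall rulebase: missing deny-all, over-broad
exceptions, management ports exposed to any source, and expired
temporary rules.  Added example, not code from the original article.
The rule format (action source destination port comment) is constructed
and vendor-neutral; rules are evaluated top to bottom, first match wins."""
import ipaddress
import re
from datetime import date

# Constructed sample: the kind of rulebase a review typically finds.
WEAK_RULES = """\
allow 10.0.0.0/8  10.1.2.3/32  443  web frontend
allow 0.0.0.0/0   10.1.9.9/32  22   TEMP vendor access until 2023-01-15
allow 0.0.0.0/0   10.1.2.3/32  any  any-port to web host
allow 10.0.0.0/8  0.0.0.0/0    any  outbound from LAN
"""

# Constructed corrected version: explicit exceptions, then deny-all.
HARDENED_RULES = """\
allow 0.0.0.0/0   10.1.2.3/32  443  web frontend
allow 10.0.0.0/8  0.0.0.0/0    any  outbound from LAN
deny  0.0.0.0/0   0.0.0.0/0    any  default deny
"""

MGMT_PORTS = {"22", "8443"}  # assumption: SSH and this firewall's admin UI


def parse_rules(text):
    """Parse the constructed format into dicts with ip_network objects."""
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        action, src, dst, port, *comment = line.split(maxsplit=4)
        rules.append({"action": action,
                      "src": ipaddress.ip_network(src),
                      "dst": ipaddress.ip_network(dst),
                      "port": port,
                      "comment": comment[0] if comment else ""})
    return rules


def is_any(net):
    return net.prefixlen == 0


def review(rules, today):
    """Return (rule_number, finding) tuples; rule_number None = whole rulebase."""
    findings = []
    last = rules[-1] if rules else None
    if not (last and last["action"] == "deny" and is_any(last["src"])
            and is_any(last["dst"]) and last["port"] == "any"):
        findings.append((None, "no explicit deny-all at the end of the rulebase"))
    for n, r in enumerate(rules, 1):
        if r["action"] != "allow":
            continue
        if is_any(r["src"]) and r["port"] == "any":
            findings.append((n, "any source to any port: effectively unfiltered"))
        if is_any(r["src"]) and r["port"] in MGMT_PORTS:
            findings.append((n, f"management port {r['port']} reachable from any source"))
        # Assumed convention: temporary rules are commented "TEMP ... until YYYY-MM-DD".
        m = re.search(r"\bTEMP\b.*?(\d{4}-\d{2}-\d{2})", r["comment"])
        if m and date.fromisoformat(m.group(1)) < today:
            findings.append((n, f"temporary exception expired {m.group(1)} and was never removed"))
    return findings


def review_text(text, today_iso):
    """Convenience wrapper: review a rulebase string as of an ISO date."""
    return review(parse_rules(text), date.fromisoformat(today_iso))


if __name__ == "__main__":
    for name, text in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(f"== {name} ==")
        for n, msg in review_text(text, "2024-06-01") or [(None, "no findings")]:
            print(f"rule {n}: {msg}" if n else msg)
```

Run against `WEAK_RULES` the review reports the missing deny-all, the exposed and expired vendor rule, and the any-port rule; the same review of `HARDENED_RULES` reports nothing, because each exception is explicit and the rulebase ends in deny-all. Adapting `parse_rules` to a real vendor export is the only part that changes per platform.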
Beyond this, it can include egress testing. Often forgotten during pen testing, egress testing looks for ways to exfiltrate data.
The tester checks which outbound ports are open and whether any DLP solution is in place.
They also test whether Tor and onion routing are allowed. This shows what an attacker could steal if they managed to infiltrate the environment.
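The following is an added example, not code from the original article, covering both the external check for open ports mentioned earlier and the egress test described here. It is a concurrent TCP reachability probe: pointed at an external server from the outside it lists which ports answer; run from a host inside the network against an external target that listens on every TCP port (a box the tester controls is assumed) it shows which outbound ports the firewall permits. The port list, the use of Tor's default ORPort 9001 and DirPort 9030 as a signal, and the loopback self-test are assumptions of the example; a TCP connect check says nothing about DLP inspection and is not a full Tor detector, since Tor can also run over 443 or via bridges.

```python
"""TCP port probe for external open-port discovery and for egress testing.
Added example, not code from the original article.  Port list, the Tor
default-port heuristic and the loopback self-test are assumptions."""
import socket
from concurrent.futures import ThreadPoolExecutor

# Assumed probe set: common services plus Tor's default ports.
EGRESS_PORTS = {
    80: "HTTP", 443: "HTTPS", 22: "SSH", 25: "SMTP", 53: "DNS over TCP",
    3389: "RDP", 9001: "Tor ORPort (default)", 9030: "Tor DirPort (default)",
}
TOR_DEFAULT_PORTS = {9001, 9030}


def probe(host, port, timeout=2.0):
    """True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_ports(host, ports, timeout=2.0, workers=16):
    """Probe many ports concurrently; returns {port: reachable}."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as ex:
        hits = ex.map(lambda p: probe(host, p, timeout), ports)
        return dict(zip(ports, hits))


def egress_summary(results):
    """Summarise what an attacker inside the network could use to exfiltrate."""
    open_ports = sorted(p for p, ok in results.items() if ok)
    return {
        "open": open_ports,
        # Web-only egress still allows exfiltration, but through proxies/DLP.
        "web_only": all(p in (80, 443) for p in open_ports),
        # Heuristic only: Tor can also ride 443 or use bridges.
        "tor_defaults_reachable": any(p in TOR_DEFAULT_PORTS for p in open_ports),
    }


def egress_test(host, timeout=2.0):
    """Run from inside the network against an external host that listens
    on every TCP port (assumption: a target the tester controls)."""
    return egress_summary(probe_ports(host, EGRESS_PORTS, timeout))


def loopback_selftest():
    """Offline check of the probe: a listening loopback port reads as open,
    a port that was bound and released reads as closed."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    open_port = srv.getsockname()[1]
    tmp = socket.socket()
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()
    try:
        res = probe_ports("127.0.0.1", [open_port, closed_port], timeout=1.0)
    finally:
        srv.close()
    return res[open_port], res[closed_port]


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        summary = egress_test(sys.argv[1])
        for p in summary["open"]:
            print(f"outbound {p:>5} ({EGRESS_PORTS[p]}) allowed")
        print("Tor default ports reachable:", summary["tor_defaults_reachable"])
    else:
        print("loopback self-test (open, closed):", loopback_selftest())
```

With no argument the script only runs the loopback self-test; with a target host it prints the outbound ports the firewall let through. A result of `web_only` true with `tor_defaults_reachable` false is the expected shape of a restrictive egress policy; anything beyond that is a finding to discuss with the firewall administrators.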