How Does a Firewall Pentest Work?
A firewall pentest is essential for IT infrastructure security, as the firewall represents the first line of defense against cyberattacks.

Because it sits between the internal infrastructure and the outside world, the firewall is the first component an attacker has to get past. Its job is to make it as hard as possible to run exploits that compromise the security of the network.
A firewall pentest consists of 13 steps: locating the firewall, traceroute, port scanning, banner grabbing, access control enumeration, firewall architecture identification, firewall policy testing, firewalking, port redirection, internal and external testing, covert channel testing, HTTP tunneling, and identifying firewall-specific vulnerabilities.
What Is a Firewall?
A firewall is software that monitors incoming and outgoing network traffic. Based on predefined policies, rules, or an access control list (ACL), it filters and blocks all connections that violate these rules. The primary purpose of a firewall is to separate trusted networks from external networks or the internet.
To achieve this, a firewall is typically placed in the DMZ (Demilitarized Zone). Additional firewalls can be deployed in front of an organization's internal network or intranet -- or in front of SCADA systems (Supervisory Control and Data Acquisition) that control industrial facilities such as power plants.
What Is a Next Generation Firewall (NGFW)?
There are many types of firewalls, each with different capabilities. The most significant advancement in firewall technology is the introduction of Next Generation Firewalls (NGFW).
Traditional firewalls could not perform stateful packet inspection. They analyzed network traffic solely based on IP address and port number, without considering previous traffic that had passed through the firewall.
With the introduction of NGFW, dynamic packet filtering became a reality: all active connections can be monitored along with their respective states. This additional information feeds directly into access control decisions.
Firewall Policies
When deploying a firewall, policies and rules must be configured to ensure the security of the network perimeter. These rules determine which types of network traffic are blocked or allowed.
The defined policies can also be applied to additional firewalls across the entire network. Furthermore, role-based access control can be integrated via Active Directory, mapping all user roles and their permissions within the firewall.
Steps to Perform a Firewall Pentest
During a firewall penetration test, a specific firewall is located, analyzed, and deliberately attacked to reach the internal network. Typically, firewall testing is a core component of an external infrastructure pentest. It ranks among the most important network tests overall, as firewalls represent the first line of defense against external attacks.
Below are the steps that a comprehensive firewall penetration test should include.
Step 1: Locating the Firewall
Every firewall pentest begins with locating the firewall. Using packet-crafting software, the tester creates specific IP packets with UDP, TCP, or ICMP payloads.
The most common tools for this purpose are Hping and Nmap. Both offer similar functionality but differ in one key aspect: Nmap can scan entire IP address ranges, while Hping can only process one IP address at a time.
Depending on how stealthy the scan needs to be, Hping is the better choice to avoid detection by anomaly detection systems. Through repeated scanning, the list of allowed services on the firewall can be mapped out.
Step 2: Performing a Traceroute
Network reach can be determined by running a traceroute command against the previously identified firewall. This step also provides information about the path packets take between systems and identifies all routers and network devices involved.
Additionally, information about the devices filtering traffic and the protocols in use can be gathered.
Step 3: Port Scanning
The third step in the firewall pentest methodology is port scanning. The most widely used tool is Nmap, as it offers extensive customization options.
In this step, you will not only identify open ports on the firewall but also the services running on those ports. Nmap allows you to configure a scan that includes the desired scan type, specific options, timing, and much more. A guide to port scanning is available from Nmap.
Step 4: Banner Grabbing
By performing banner grabbing on the firewall, you obtain information about the firmware or software version in use. This information can then be used to identify known exploits that could potentially compromise the firewall.
Using Netcat, the penetration tester sends a connection request that returns the relevant version information.
Step 5: Access Control Enumeration
Every firewall uses access control lists (ACLs) to determine which traffic is allowed or blocked. The key indicator a pentester can evaluate when analyzing the ACL is the state of the ports on the firewall.
Step 6: Identifying the Firewall Architecture
Building on the previous step, the pentester sends crafted packets to the already identified firewall ports to obtain a complete overview of port states. By deliberately triggering responses on specific ports, the firewall's behavior can be determined and a mapping of open ports created. The firewall's responses also reveal whether a connection was rejected, interrupted, or silently dropped.
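The response mapping described in this step, as an added example that is not part of the original article: a small Python classifier that turns constructed probe records (one TCP SYN per port and whatever came back) into the four behaviours the text names. Open (SYN/ACK), closed (RST), rejected (ICMP administratively prohibited) and silently dropped (no reply) are distinguished, and an ICMP reject arriving from an address other than the target is attributed to the filtering device. The record format and the addresses are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed probe record: one TCP SYN probe per port and what came back.
# response is a TCP flag string ("SA", "RA"), "icmp:<type>/<code>", or None on timeout.
@dataclass
class ProbeResult:
    port: int
    response: Optional[str]
    reply_from: Optional[str] = None  # source address of the reply, if any

# ICMP type 3 codes that signal an explicit administrative reject (a REJECT-style rule)
ADMIN_PROHIBITED = {"3/9", "3/10", "3/13"}

def classify(probe: ProbeResult, target: str) -> str:
    """Label one probe response the way step 6 reads it: open, closed, rejected or dropped."""
    r = probe.response
    if r is None:
        return "dropped"      # silently discarded: DROP rule or no route back
    if r == "SA":
        return "open"         # SYN/ACK: the SYN passed the firewall and a service answered
    if r in ("R", "RA"):
        return "closed"       # RST: a host was reached but nothing listens (or a reject rule sends RST)
    if r.startswith("icmp:"):
        code = r.split(":", 1)[1]
        if code in ADMIN_PROHIBITED:
            # An admin-prohibited reply from an address other than the target comes from
            # the filtering device itself: good evidence of where the firewall sits.
            who = "firewall" if probe.reply_from and probe.reply_from != target else "host"
            return f"rejected-by-{who}"
        return f"unreachable-{code}"
    return "unknown"

def map_ports(probes, target: str) -> dict:
    """Group ports by observed behaviour, i.e. the port map this step aims to build."""
    out = {}
    for p in probes:
        out.setdefault(classify(p, target), []).append(p.port)
    return {k: sorted(v) for k, v in out.items()}

# Constructed sample: target host 203.0.113.10 behind a firewall at 203.0.113.1.
TARGET = "203.0.113.10"
SAMPLE = [
    ProbeResult(22, "SA", TARGET),
    ProbeResult(23, None),
    ProbeResult(25, "icmp:3/13", "203.0.113.1"),
    ProbeResult(80, "SA", TARGET),
    ProbeResult(443, "RA", TARGET),
    ProbeResult(8080, "icmp:3/1", "203.0.113.1"),
]

if __name__ == "__main__":
    print(map_ports(SAMPLE, TARGET))
```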
Step 7: Testing the Firewall Policy
Firewall policy testing can be performed in two ways, which are sometimes considered part of the internal infrastructure pentest:
- The penetration tester compares the exported firewall configuration against the expected baseline configuration to identify potential gaps.
- The tester performs targeted actions against the firewall to practically verify the expected configuration.
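The first approach above, comparing an exported configuration against the expected baseline, as an added example that is not from the original article: a Python script that parses a hypothetical one-rule-per-line export format, reports rules present on the device but absent from the baseline, baseline rules that have gone missing, overly broad allow rules, and whether the relative order of shared rules changed (first match wins, so order is part of the policy). The rule format and the sample addresses are constructed; a real export needs a vendor-specific parser.

```python
import re
from typing import NamedTuple

class Rule(NamedTuple):
    action: str  # allow | deny
    proto: str   # tcp | udp | icmp | any
    src: str     # CIDR or any
    dst: str     # CIDR or any
    dport: str   # port, range or any

# Hypothetical export format: "<action> <proto> <src> -> <dst>:<dport>", '#' starts a comment.
RULE_RE = re.compile(r"^(allow|deny)\s+(\w+)\s+(\S+)\s*->\s*(\S+?):(\S+)$")

def parse_rules(text: str) -> list:
    """Parse an export or baseline; an unreadable line is an error, never silently skipped."""
    rules = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"line {n}: unparseable rule {line!r}")
        rules.append(Rule(*m.groups()))
    return rules

def compare_policy(baseline_text: str, export_text: str) -> dict:
    base, exp = parse_rules(baseline_text), parse_rules(export_text)
    base_set, exp_set = set(base), set(exp)
    # Order matters (first match wins), so check the sequence of shared rules separately.
    base_order = [r for r in base if r in exp_set]
    exp_order = [r for r in exp if r in base_set]
    return {
        "unexpected": sorted(exp_set - base_set),   # on the device, not in the baseline
        "missing": sorted(base_set - exp_set),      # expected restriction that is gone
        "broad_allows": sorted(r for r in exp_set
                               if r.action == "allow" and (r.dst == "any" or r.dport == "any")),
        "order_changed": base_order != exp_order,
    }

# Constructed sample data for a perimeter firewall in front of 203.0.113.10.
BASELINE = """
allow tcp any -> 203.0.113.10:443
allow tcp 198.51.100.0/24 -> 203.0.113.10:22   # admin jump network only
deny any any -> any:any
"""
EXPORT = """
allow tcp any -> 203.0.113.10:443
allow tcp any -> 203.0.113.10:22                # source restriction lost
allow tcp any -> 203.0.113.10:445               # file sharing reachable from outside
allow any 10.0.0.0/8 -> any:any                 # "temporary" troubleshooting rule
deny any any -> any:any
"""

if __name__ == "__main__":
    for finding, value in compare_policy(BASELINE, EXPORT).items():
        print(finding, value)
```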
Step 8: Firewalking
Firewalking is a technique for mapping network devices behind a firewall. The network auditing tool Firewalk borrows the traceroute idea: it sends probes whose TTL expires one hop beyond the firewall, so an ICMP time-exceeded reply shows that the probed port is let through, while silence indicates it is filtered. In this way it determines which traffic can pass the firewall and which ports are reachable on the devices behind it. A proven tool for this purpose is available on kali.org.
Step 9: Port Redirection
Testing for port redirection is an important step that can enable further compromise of the network. If a desired port is not directly accessible, port forwarding techniques can be used to bypass the access restriction.
If the tester manages to compromise a target system and bypass the firewall, they can install a port forwarding tool such as Fpipe or Datapipe to listen on specific ports.
Step 10: External and Internal Testing
External and internal penetration tests are not always required when testing a firewall, but they provide a more realistic picture of how an attacker might actually target your systems.
Step 11: Covert Channel Testing
A covert channel is a hidden communication link that enables attackers to operate undetected. Covert channels are typically used to conceal activities and exfiltrate sensitive data from an organization. They are established by installing a backdoor on a compromised system within the network.
Once the backdoor is installed, a reverse shell can be used to establish a connection to the attacker's external system. A commonly used tool for this purpose is the Metasploit hacking platform.
To test whether establishing a covert channel is feasible, the penetration tester proceeds as follows:
- Identify firewall rules using Firewalk.
- Attempt to reach systems behind the firewall.
- Analyze the responses to the probe packets.
Step 12: HTTP Tunneling
HTTP tunneling involves encapsulating traffic within the HTTP protocol. This technique is commonly used when access to a device behind a firewall or proxy is restricted.
In this scenario, the HTTPort tool can be used to send POST requests to the HTTP server by specifying the hostname, port number, and path. Since HTTPort is capable of bypassing HTTP proxies, the only remaining obstacle is the connection methods enabled on the proxy itself.
Step 13: Identifying Firewall-Specific Vulnerabilities
The most important measure to prevent vulnerabilities in your firewall is ensuring a correct configuration. Misconfigurations are the most common reason attackers succeed in penetrating a network.
In some cases, print or file sharing services remain active on certain ports, allowing attackers to bypass the firewall through this vector. Disabling unnecessary services and regularly reviewing the firewall configuration are therefore essential.
Conclusion
The primary goal of a firewall pentest is to verify that the firewall prevents unauthorized access to the internal network from the internet. Depending on the type, the firewall is either a traditional stateless firewall or a Next Generation Firewall that tracks the state of all connections.
The success of a firewall pentest depends on several factors. Correctly configuring firewall policies and rules significantly reduces the attack surface and prevents most unauthorized connection attempts.
Using tools such as Nmap, Hping, and Netcat, the pentester gathers information about access controls and port states. Most decisions and actions during the test are based on these firewall responses.