All companies on the Internet have a firewall, even if it is an older filtering firewall. Here is a simplistic diagram: Internet – Modem – Firewall – Local Switch – Computers on the network.
Do you know what your firewall looks like from the Internet? When a hacker looks at your network, what does your firewall actually look like?
Should you use the same people that are running your computers and network to check your firewall? Isn’t this a conflict of interest?
Is it even necessary to test your firewall? Your IT is outsourced, so why do anything else? Can’t you trust IT with the current people that run it?
What I want to do now is make 2 lists (feel free to contact me and give me more reasons for each list):
List A. Yes, you need to test – why?
PCI compliance says you should test the firewall to see if it has vulnerabilities.
If the firewall is misconfigured, testing can find the problems
If the firewall has a problem unknown to IT support, testing can find the problem
If we get breached then the brand will take a hit
The support personnel doing the firewall support should not test their own configurations
Do you have a risk management process?
List B. No need for testing
We outsource our IT; if there is a breach they will take the blame
We trust our IT support personnel implicitly
We don’t understand what could possibly be wrong with our network firewall, as it is working
No one has told us there is a problem
We don’t need to focus on security; there is nothing here for hackers to steal
If the “Customer Needs” are a secure computer environment (i.e. when I use a computer I expect it to work correctly), then:
“Model the System” is your computer environment
“Product and Process” is using computers while being secure
“Re-evaluate” means to check the computer environment (is it secure?)
Now, in this feedback loop, “re-evaluate” means testing the firewall.
So what does firewall walking (firewalk) mean?
http://www.giac.org/paper/gsec/312/firewalk-attackers-firewall/100588 is an excellent paper that discusses firewalking.
It is the process of finding out which ports are open on the firewall, so that one can know if there are any potential weaknesses.
There are tools that perform firewalking, such as nmap scripts and hping.
These tools are free. Oh, and do you think these guys check for permission before they hack?
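As a defender-side illustration of the “re-evaluate” step, here is an added example (not part of the original post) that compares the ports an outside scan reports with the ports the firewall is supposed to expose. The scan text is constructed sample data in nmap's grepable output format; the address, the approved-port list and the function names are assumptions.

```python
import re

# Constructed sample: nmap grepable (-oG) output for an outside scan of one
# documentation-range address. Not real scan data.
SAMPLE_SCAN = (
    "Host: 203.0.113.10 ()\tStatus: Up\n"
    "Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh///, "
    "80/closed/tcp//http///, 443/open/tcp//https///, "
    "3389/open/tcp//ms-wbt-server///, 161/open|filtered/udp//snmp///"
    "\tIgnored State: filtered (995)\n"
)

# Assumed policy: what the firewall is supposed to expose to the Internet.
APPROVED = {("203.0.113.10", "tcp", 443), ("203.0.113.10", "tcp", 25)}

# One Ports entry looks like port/state/protocol/owner/service/...
PORT_ENTRY = re.compile(r"(\d+)/([^/]*)/([^/]*)/")

def parse_grepable(text):
    """Return {(host, protocol, port): state} for each port nmap reported."""
    found = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # skip nmap's "#" comment lines
        fields = line.split("\t")
        host = fields[0].split()[1]
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                m = PORT_ENTRY.match(entry.strip())
                if m:
                    found[(host, m.group(3), int(m.group(1)))] = m.group(2)
    return found

def audit(text, approved):
    """Compare what the scan saw with what the policy allows."""
    seen = parse_grepable(text)
    exposed = {key for key, state in seen.items() if state == "open"}
    return {
        "unexpected": sorted(exposed - approved),  # open but not approved
        "missing": sorted(approved - exposed),     # approved but not reachable
        "unclear": sorted(k for k, s in seen.items() if s == "open|filtered"),
    }

if __name__ == "__main__":
    for finding, ports in audit(SAMPLE_SCAN, APPROVED).items():
        print(finding, ports)
```

Anything listed under "unexpected" is an exposure that nobody signed off on, which is the kind of finding an independent test is meant to surface.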
Contact Us to discuss firewalking or other security policy questions