Firewall Auditing
Complex firewall rules and configurations create additional challenges for the security team. Does the firewall pass traffic normally to the expected IP addresses? Which ports are reachable, and which are filtered? To answer these questions, this example performs a firewall port analysis to show which ports appear unfiltered, and therefore reachable, from the outside world.


At its most basic level, a firewall needs to filter or pass network traffic. Firewalls can range from simple packet filters to complex proxy servers. Some firewalls pass IP traffic without modification, and others provide a translation between internal IP addresses and a single external address.

The nmap ACK scan can determine whether a packet is being filtered by the firewall or is passing through unfiltered. The ACK scan does not identify open ports: a host that receives an unsolicited ACK answers with a RST whether the port is open or closed, so a RST means "unfiltered" and no response (or an ICMP unreachable) means "filtered". What the scan does show is which ports the packet filter lets through.


Firewall Auditing Details
  • Nmap Ping Type: Most firewalls should have ICMP filtering enabled, so only part of the normal nmap host discovery will succeed. Nmap's ICMP echo ping should fail, but the TCP ACK ping to port 80 (-PA80) will often get through a simple packet filter. Since this scan is usually directed at a known IP address, it is not necessary to ping the remote device at all (-P0, written -Pn in current nmap releases); skipping host discovery also keeps a dropped ping from causing nmap to skip the target entirely.


  • Nmap Scan Type: The TCP ACK scan (-sA) can report a port on a remote device as filtered or unfiltered without establishing an application session. This scan type is useful for auditing a stateless packet filter. A stateful firewall drops unsolicited ACK packets because they belong to no existing connection, so every port will appear filtered; in that case a TCP connect scan (-sT) or SYN scan (-sS) is required, since the firewall only passes traffic that starts with a SYN.


  • Don't Randomize Ports: During this audit, it's recommended that a protocol analyzer capture the nmap traffic. If a port is found to be unfiltered, the trace file can confirm the traffic flow and provide a comparison if changes are made to the firewall rules. To make it easier to follow the traffic flow in the protocol decode, the nmap scan should be configured to scan the remote device ports in numerical order (-r), and not the default random order.


  • Reverse DNS: Since the nmap scan will be run on a well-known host, it will not be necessary to do a reverse DNS resolution (-n) on the remote device.


  • Fragmented Frames: Some additional firewall testing might include the fragmentation of packets (-f, -ff) to test the ability of the packet filter to allow or filter fragmented traffic. Fragmentation only applies to nmap's raw-packet scans such as -sS and -sA; it cannot be combined with a connect scan (-sT), which uses the operating system's own TCP stack.


The firewall audit nmap command line would look like this:
# nmap -vv -P0 -sA -iL input.lst --excludefile banned.lst -r -n -oA firewall
Once nmap identifies the unfiltered ports, the firewall may be modified to "tighten" or "loosen" the available servers or services. After each modification, the nmap audit can be repeated to confirm that the expected changes took effect and nothing else changed. The audit can also be run periodically and compared against the previous run to determine whether the firewall configuration has been modified since the last audit; the -oA option writes normal, greppable and XML output (firewall.nmap, firewall.gnmap and firewall.xml), and the XML file is the easiest to compare mechanically.
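The periodic comparison described above, as an added example that is not part of the original page: a small Python script that parses the XML output (-oA writes firewall.xml) from two audit runs and reports every port whose filtered/unfiltered state changed, labelling each change as a loosening or a tightening of the firewall. The two XML documents embedded below are constructed samples in nmap's XML output format, not real scan results; the address 192.0.2.10 and the port numbers are assumptions for illustration. Ports that nmap summarises under <extraports> (the ones it does not list individually) are given that element's state, so a port that disappears from the list between runs is reported as newly filtered rather than silently ignored.

```python
"""Diff two nmap audit runs (XML output from -oA) and list ports whose
filtered/unfiltered state changed. Example code, not part of the original page."""
import xml.etree.ElementTree as ET

# Constructed sample: the baseline ACK-scan audit (not real scan data).
BASELINE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -vv -Pn -sA -r -n -oA firewall 192.0.2.10" version="7.94">
<host><status state="up" reason="user-set"/>
<address addr="192.0.2.10" addrtype="ipv4"/>
<ports>
<extraports state="filtered" count="997"><extrareasons reason="no-responses" count="997"/></extraports>
<port protocol="tcp" portid="25"><state state="unfiltered" reason="reset" reason_ttl="64"/></port>
<port protocol="tcp" portid="80"><state state="unfiltered" reason="reset" reason_ttl="64"/></port>
<port protocol="tcp" portid="443"><state state="unfiltered" reason="reset" reason_ttl="64"/></port>
</ports>
</host>
</nmaprun>
"""

# Constructed sample: the same audit re-run after a rule change. Port 25 was
# closed off at the firewall and port 3389 was opened up.
CURRENT_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -vv -Pn -sA -r -n -oA firewall 192.0.2.10" version="7.94">
<host><status state="up" reason="user-set"/>
<address addr="192.0.2.10" addrtype="ipv4"/>
<ports>
<extraports state="filtered" count="997"><extrareasons reason="no-responses" count="997"/></extraports>
<port protocol="tcp" portid="80"><state state="unfiltered" reason="reset" reason_ttl="64"/></port>
<port protocol="tcp" portid="443"><state state="unfiltered" reason="reset" reason_ttl="64"/></port>
<port protocol="tcp" portid="3389"><state state="unfiltered" reason="reset" reason_ttl="64"/></port>
</ports>
</host>
</nmaprun>
"""


def parse_audit(xml_text):
    """Return two dicts: {(addr, proto, port): state} for every port nmap listed
    individually, and {addr: state} giving the <extraports> state that applies
    to every port it did not list (None if the host had no <extraports>)."""
    root = ET.fromstring(xml_text)
    ports, defaults = {}, {}
    for host in root.iter("host"):
        addr_el = host.find("address")
        if addr_el is None:
            continue
        addr = addr_el.get("addr")
        # nmap may emit several <extraports> (e.g. filtered and closed); the one
        # covering the most ports is the sensible default for unlisted ports.
        extras = list(host.iter("extraports"))
        defaults[addr] = None
        if extras:
            biggest = max(extras, key=lambda e: int(e.get("count", "0")))
            defaults[addr] = biggest.get("state")
        for port in host.iter("port"):
            key = (addr, port.get("protocol"), int(port.get("portid")))
            ports[key] = port.find("state").get("state")
    return ports, defaults


def diff_audits(baseline_xml, current_xml):
    """Return a sorted list of (addr, proto, port, old_state, new_state) tuples
    for ports whose state differs between the two runs. A port listed in only
    one run takes the other run's <extraports> default for that host, so a
    port that dropped out of the list shows up as a state change."""
    old_ports, old_default = parse_audit(baseline_xml)
    new_ports, new_default = parse_audit(current_xml)
    changes = []
    for key in sorted(set(old_ports) | set(new_ports)):
        addr = key[0]
        old = old_ports.get(key, old_default.get(addr))  # None if host is new
        new = new_ports.get(key, new_default.get(addr))  # None if host vanished
        if old != new:
            changes.append((*key, old, new))
    return changes


def describe(change):
    """Label a change as loosened (now unfiltered) or tightened (now filtered)."""
    addr, proto, port, old, new = change
    verb = "LOOSENED" if new == "unfiltered" else "TIGHTENED" if old == "unfiltered" else "CHANGED"
    return f"{verb}: {addr} {port}/{proto} {old} -> {new}"


if __name__ == "__main__":
    # In a real audit, read the two firewall.xml files written by -oA instead.
    for change in diff_audits(BASELINE_XML, CURRENT_XML):
        print(describe(change))
```

Run against the real output files, the script replaces the embedded samples with the contents of the previous and current firewall.xml; an empty change list means the firewall behaves exactly as it did at the last audit, and any LOOSENED line is the one to investigate first.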