[Talk] Penetration Testing: Firewall Checklist

Anshul Gupta agup13 at student.monash.edu
Sat May 10 22:29:46 EST 2003


I am in the process of preparing a framework/parameter list on which a
firewall would be tested. Here are some tests I can think of on which a
firewall should be tested:

1. Sustained TCP connections, throughput & number. E.g. FTP.

2. Short-lived TCP connections, throughput, number, connection
establishment and tear-down time. E.g. SMTP/HTTP.

3. Sustained UDP connections (although UDP is connectionless),
throughput & number. E.g. streaming video/audio.

4. Short-lived UDP communication, number. E.g. DNS.

5. ICMP RTT at different load levels.

6. SYN Flood test

7. Connection establishment time with respect to the number of rules on the firewall.

8. Filtering and fragmentation
- Reaction of the firewall on receiving a TCP packet
with the RST or ACK flag set.
- IP fragmentation re-assembly test.
- Overlap recognition.

9. Are existing checksums for IP, TCP and UDP verified?

10. A portscan of the firewall IP and of the servers behind the firewall.

11. Nessus tests on the firewall IP and the servers behind the firewall.

12. All the tests repeated with static NAT enabled.

13. All the tests repeated with IPSec.

14. Effect of logging on these tests.

15. Attempt to reach denied ports behind the firewall when the firewall
is saturated. Or, in other words, test whether the firewall turns blind
during a SYN flood.

Can you think of more tests for stressing/penetrating the firewall?
Also, what methodology should be adopted to measure the various tests?

Any help would be appreciated.
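Item 9 of the checklist above asks whether the firewall verifies IP, TCP and UDP checksums. One measurable way to answer it is to capture the traffic that arrives on the protected side and check every packet's checksums offline: if packets with invalid checksums turn up behind the firewall, it is not verifying them. The following script is an added example written for this post, not code from the original message or its author. It implements the RFC 1071 Internet checksum, builds a constructed IPv4/UDP test packet (the addresses and ports are placeholder values), and audits packets for header and transport checksum validity. The `build_ipv4_udp`, `verify_packet` and `audit` names are this example's own.

```python
"""Offline checksum audit for captured IPv4 / TCP / UDP packets (added example)."""
import socket
import struct

IPPROTO_TCP = 6
IPPROTO_UDP = 17


def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit words (odd tail zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Construct a valid IPv4/UDP datagram with correct header and transport checksums."""
    src_b, dst_b = socket.inet_aton(src), socket.inet_aton(dst)
    udp_len = 8 + len(payload)
    # UDP checksum covers the pseudo-header (src, dst, zero, proto, length) + UDP header + data.
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, IPPROTO_UDP, udp_len)
    udp_hdr = struct.pack("!HHHH", sport, dport, udp_len, 0)
    udp_csum = internet_checksum(pseudo + udp_hdr + payload) or 0xFFFF  # 0 means "no checksum"
    udp_hdr = struct.pack("!HHHH", sport, dport, udp_len, udp_csum)
    total_len = 20 + udp_len
    # IPv4 header: version/IHL, TOS, total length, id, flags/frag, TTL, proto, checksum, src, dst.
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, 64, IPPROTO_UDP, 0, src_b, dst_b)
    ip_csum = internet_checksum(ip_hdr)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, 64, IPPROTO_UDP, ip_csum, src_b, dst_b)
    return ip_hdr + udp_hdr + payload


def verify_packet(pkt: bytes) -> dict:
    """Return {'ip': bool, 'proto': int, 'l4': bool|None} for one raw IPv4 packet.

    A header that includes its own checksum field sums to zero when intact, so
    validity is simply "checksum over the whole covered region == 0".
    'l4' is None when the transport layer is not TCP/UDP or when a UDP packet
    legitimately carries a zero (disabled) checksum.
    """
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    proto = pkt[9]
    result = {"ip": internet_checksum(pkt[:ihl]) == 0, "proto": proto, "l4": None}
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        segment = pkt[ihl:total_len]
        if proto == IPPROTO_UDP and struct.unpack("!H", segment[6:8])[0] == 0:
            return result  # UDP checksum optional on IPv4; nothing to verify
        pseudo = pkt[12:16] + pkt[16:20] + struct.pack("!BBH", 0, proto, len(segment))
        result["l4"] = internet_checksum(pseudo + segment) == 0
    return result


def audit(packets) -> dict:
    """Count packets whose IP or transport checksum is wrong; a non-zero count
    on the protected side means the firewall forwarded corrupt packets."""
    bad_ip = bad_l4 = 0
    for pkt in packets:
        r = verify_packet(pkt)
        bad_ip += not r["ip"]
        bad_l4 += r["l4"] is False
    return {"total": len(packets), "bad_ip": bad_ip, "bad_l4": bad_l4}


if __name__ == "__main__":
    # Constructed sample: one good packet, one with a corrupted payload byte,
    # one with a corrupted TTL (IP header) byte. Addresses are documentation ranges.
    good = build_ipv4_udp("192.0.2.1", "198.51.100.2", 40000, 53, b"\x00" * 12)
    bad_payload = bytearray(good); bad_payload[-1] ^= 0xFF
    bad_ttl = bytearray(good); bad_ttl[8] = 1
    print(audit([good, bytes(bad_payload), bytes(bad_ttl)]))
```

Run it against packets captured on the inside interface during the test (one `bytes` object per IPv4 packet, link-layer header stripped) and compare the audit counts with the number of bad-checksum packets sent from the outside.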