8 August 2013, 13:40

We'll look at a few methods of firewall testing, with a special focus on IPv6. We also cover some considerations on Edge Network design from the perspective of testing, monitoring and security.

Simple Firewall Testing

A basic way of performing firewall testing is to have one PC run a ZENMAP/NMAP network scan while the other PC runs Wireshark in promiscuous mode to monitor the network. It is then easy to see which packets managed to pass the firewall:

[Image: S1a.gif]

The first scan is directed toward PC2. This is a focused scan.

The second scan sweeps the first IP addresses of the PC2 subnet (hosts 0 to 2FF = 768 hosts). This is a mildly focused scan.

There is no point scanning the whole subnet, given the size of an IPv6 subnet (2^64 = 16 billion billion hosts).

The use of filters in Wireshark eases the monitoring task. Here are the two most important filters:

ipv6 (displays only IPv6 traffic):

[Image: S1e.gif]

ipv6.src == [IP] (displays only the IPv6 traffic whose source is [IP]; here [IP] is PC1's address):

[Image: S1f.gif]

We can now check whether any packet that is not allowed through manages to pass the firewall.
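As an added example (not code from the original post), the check just described done offline: given the scanner's address, the protected subnet and an assumed inbound allow-list, it reproduces the ipv6.src display filter, builds the 768-host sweep target list, and reports the probes that reached PC2's subnet although the policy should have blocked them. The addresses, the allow-list and the capture records are constructed for the example.

```python
import ipaddress

# Constructed lab addresses: PC1 is the scanner, PC2 sits behind the firewall under test.
PC1 = ipaddress.IPv6Address("2001:db8:1::10")
PC2_SUBNET = ipaddress.IPv6Network("2001:db8:2::/64")
# Assumed inbound policy for the protected subnet: only SSH and HTTPS may get through.
ALLOWED_TCP_PORTS = {22, 443}


def sweep_targets(subnet, last_host=0x2FF):
    """Addresses of hosts 0..last_host of the subnet; 0x2FF gives the 768-host sweep."""
    base = int(subnet.network_address)
    return [ipaddress.IPv6Address(base + h) for h in range(last_host + 1)]


# Constructed capture taken on PC2's side in promiscuous mode, reduced to the fields
# needed here: (source, destination, protocol, destination port or None).
CAPTURE = [
    ("2001:db8:1::10", "2001:db8:2::1", "TCP", 22),
    ("2001:db8:1::10", "2001:db8:2::1", "TCP", 443),
    ("2001:db8:1::10", "2001:db8:2::1", "TCP", 3389),   # policy says this must not arrive
    ("2001:db8:2::1", "2001:db8:1::10", "TCP", 22),     # PC2's reply, not a probe
    ("fe80::1", "ff02::1", "ICMPv6", None),             # unrelated link-local traffic
    ("2001:db8:1::10", "2001:db8:2::5", "TCP", 445),    # sweep probe that should have been dropped
]


def from_source(packets, src):
    """Offline equivalent of the Wireshark display filter  ipv6.src == src."""
    return [p for p in packets if ipaddress.IPv6Address(p[0]) == src]


def leaked_probes(packets, src=PC1, subnet=PC2_SUBNET, allowed=ALLOWED_TCP_PORTS):
    """Scanner probes seen inside the protected subnet that the policy should have blocked."""
    leaks = []
    for _, dst, proto, dport in from_source(packets, src):
        in_subnet = ipaddress.IPv6Address(dst) in subnet
        permitted = proto == "TCP" and dport in allowed
        if in_subnet and not permitted:
            leaks.append((dst, proto, dport))
    return leaks


if __name__ == "__main__":
    targets = sweep_targets(PC2_SUBNET)
    print(f"{len(targets)} sweep targets, last = {targets[-1]}")
    for leak in leaked_probes(CAPTURE):
        print("LEAK:", leak)
```

With a real capture, export the Wireshark packet list and map each row to the same (source, destination, protocol, port) tuple before calling leaked_probes.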

Inbound Firewall Testing

To test the Edge Network firewall, an outside scan is needed, as we can't place our scanner between the CPE and the phone plug/optical plug:

Some tunnel brokers do allow their registered customers to scan their own subnet from the outside. Hurricane Electric, as an example, provides an outside NMAP web interface to their registered IPv6 tunnel users.

[Image: S1b.gif]

Internet Gateway/Firewall Decoupling

A better network architecture, security-wise, is to separate the Internet Gateway role (i.e. the CPE modem) from the firewall role. Doing so, we have full control over the firewall model, functionalities and settings. Furthermore, we can insert ourselves between the CPE and the firewall for intensive testing:

[Image: S1c.gif]

Here is a full network map, with Inner/Edge Networks and the testing/monitoring spot:

[Image: S1d.gif]

Please note that besides a perfect testing point, we have also created a great monitoring point.

Additional things to test

There are more things to check besides simple firewall pass-through:

. Ingress / Egress filtering

. DoS / DDoS resistance

. UPnP behaviour / disabling

. WPS behaviour / disabling

Published by computer outlines - in IPv6