We'll look at a few methods of Firewall Testing, with a special focus on IPv6. We'll also cover some considerations on Edge Network design from the perspective of Testing / Monitoring and Security.
Simple Firewall Testing
A basic way of performing Firewall Testing is to have one PC run a ZENMAP/NMAP network scan while the other PC, on the far side of the Firewall, runs Wireshark network monitoring in promiscuous mode. It is then easy to see which packets managed to pass the Firewall :
The first scan is directed toward PC2. This is a focused scan.
The second scan sweeps the first IP addresses of the PC2 subnet ( hosts 0 to 2FF = 768 hosts ). This is a mildly focused scan.
There is no point in scanning the whole subnet, given the size of an IPv6 subnet ( 2^64 = 16 billion billion hosts ).
The use of filters in Wireshark eases the monitoring task. Here are the two most important filters :
ipv6 Displays only IPv6 Traffic :
ipv6.src == [IP] Displays only the IPv6 Traffic whose source is [IP] ( [IP] is PC1 IP here ) :
We can now check whether any packet that isn't allowed through manages to pass the firewall.
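The check described above can also be automated once the monitor's capture is exported as text. The following is an added example, not part of the original article: the addresses (documentation prefix 2001:db8::/32), the allow list and the tab-separated export format are all assumptions made for illustration.

```python
import ipaddress

# Constructed sample data: documentation prefix 2001:db8::/32, not real hosts.
SCANNER = ipaddress.IPv6Address("2001:db8:1::10")      # PC1 (assumed address)
PROTECTED = ipaddress.IPv6Network("2001:db8:2::/64")   # PC2 subnet (assumed)
# Assumed firewall policy: (destination, protocol, port) tuples that may pass.
ALLOWED = {(ipaddress.IPv6Address("2001:db8:2::2"), "tcp", 443)}

# Constructed capture export from the monitor: src, dst, protocol, dst port.
CAPTURE = """\
2001:db8:1::10\t2001:db8:2::2\ttcp\t443
2001:0db8:0001:0000:0000:0000:0000:0010\t2001:db8:2::2\ttcp\t22
2001:db8:1::10\t2001:db8:2::2ff\tudp\t161
2001:db8:1::99\t2001:db8:2::2\ttcp\t22
2001:db8:1::10\t2001:db8:3::5\ttcp\t80
"""

def sweep_targets(subnet, first=0x0, last=0x2FF):
    """Addresses covered by the mildly focused scan: hosts first..last of the subnet."""
    return [subnet[i] for i in range(first, last + 1)]

def leaked_packets(capture_text, scanner, subnet, allowed):
    """Return packets from the scanner that reached the subnet without an allow rule."""
    leaks = []
    for line in capture_text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, port = line.split("\t")
        src, dst = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
        # Same selection as the ipv6.src == [IP] display filter, but on parsed
        # addresses, so compressed and expanded spellings compare equal.
        if src != scanner or dst not in subnet:
            continue
        if (dst, proto.lower(), int(port)) not in allowed:
            leaks.append((str(dst), proto.lower(), int(port)))
    return leaks

if __name__ == "__main__":
    print(len(sweep_targets(PROTECTED)), "addresses in the sweep")
    for dst, proto, port in leaked_packets(CAPTURE, SCANNER, PROTECTED, ALLOWED):
        print("passed the firewall unexpectedly:", dst, proto, port)
```

Any line reported here is a packet from the scanner that was seen behind the firewall without a matching allow rule, which is exactly what the manual Wireshark review looks for.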
Inbound Firewall Testing
To test the Edge Network Firewall, an outside scan is needed, as we can't place our scanner between the CPE and the Phone plug/Optical plug :
Some Tunnel Brokers allow their registered customers to scan their own subnet from the outside. Hurricane Electric, for example, provides an outside NMAP web interface to their registered IPv6 tunnel users.
Internet Gateway/Firewall Decoupling
A better network architecture, security-wise, is to separate the Internet Gateway ( i.e. CPE modem ) role from the Firewall role. Doing so gives us full control over the Firewall model, functionalities and settings. Furthermore, we can insert ourselves between the CPE and the Firewall for intensive testing :
Here is a full network map, with Inner/Edge Networks and the testing/monitoring spot :
Please note that besides a perfect testing point, we have also created a great monitoring point.
Additional things to test
There are more things to check besides simple firewall pass-through :
. Ingress / Egress filtering
. DoS / DDoS resistance
. UPnP behaviour / disabling
. WPS behaviour / disabling