One sound option for testing a firewall is to hire a third-party penetration tester, who will also test the whole network for vulnerabilities. The company should first put a contract in place with the penetration tester covering data protection, and covering any action of the tester that might otherwise be mistaken for a violation of the law. Penetration testing comes in two forms: black box and white box. In black box penetration testing we simulate a real attack, where only the company's IP address is known to the tester. In white box penetration testing the tester is given detailed information about the system, such as the operating system in use, the type of network, the server configuration details and the firewall itself. Together these two approaches best bring out the different vulnerabilities of the company's network.
If we cannot hire a third-party penetration tester, we can do the testing ourselves. One thing to examine is which ports the firewall currently leaves open. We can use nmap, or another commercial or freeware port scanner, to find the open ports in our system. The scanner reveals the open port(s) that an intruder could use to get into the system, so we can tell which port(s) are supposed to be open and which need to be blocked (some ports must stay open because the system uses them, e.g. port 80 for a web server).
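As an added example (not part of the original text), the following Python script parses greppable nmap output (`nmap -oG`) from a scan of our own perimeter and compares the open ports it finds against the ports the firewall is supposed to expose. The scan text, host addresses and the expected-port policy are constructed for the example.

```python
"""Audit an nmap scan of our own perimeter against the firewall's intended port policy.

Parses greppable nmap output (nmap -oG) and reports, per host, which open ports
are not in the allowlist and which allowed ports were not seen open.
The scan text and the allowlist below are constructed for this example.
"""
import re
from typing import Dict, Set, Tuple

# Constructed sample of `nmap -oG -` output for two hosts on a test range.
SAMPLE_SCAN = """\
# Nmap scan initiated as: nmap -oG - 192.0.2.10 192.0.2.11
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: filtered (997)
Host: 192.0.2.11 ()\tStatus: Up
Host: 192.0.2.11 ()\tPorts: 80/open/tcp//http///, 3389/open/tcp//ms-wbt-server///, 8080/closed/tcp//http-proxy///\tIgnored State: filtered (997)
# Nmap done -- 2 IP addresses (2 hosts up) scanned
"""

# Hypothetical policy: the (protocol, port) pairs each host may expose through the firewall.
EXPECTED_OPEN: Dict[str, Set[Tuple[str, int]]] = {
    "192.0.2.10": {("tcp", 80), ("tcp", 443)},
    "192.0.2.11": {("tcp", 80)},
}

# Each port entry in -oG output looks like "port/state/protocol/owner/service/rpc/version/".
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/")


def parse_grepable(text: str) -> Dict[str, Set[Tuple[str, int]]]:
    """Return {host: {(proto, port), ...}} for ports nmap reported as open."""
    open_ports: Dict[str, Set[Tuple[str, int]]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        # The Ports field runs from "Ports:" to the next tab-separated field.
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        found = open_ports.setdefault(host, set())
        for port, state, proto in PORT_RE.findall(ports_field):
            if state == "open":
                found.add((proto, int(port)))
    return open_ports


def audit(scan_text: str, expected: Dict[str, Set[Tuple[str, int]]]) -> Dict[str, Dict[str, list]]:
    """Diff observed open ports against the policy for every host in either set."""
    observed = parse_grepable(scan_text)
    report = {}
    for host in sorted(set(observed) | set(expected)):
        seen = observed.get(host, set())
        allowed = expected.get(host, set())
        report[host] = {
            "unexpected_open": sorted(seen - allowed),      # review: close it or add a rule
            "expected_but_closed": sorted(allowed - seen),  # service down or rule too strict
        }
    return report


if __name__ == "__main__":
    for host, findings in audit(SAMPLE_SCAN, EXPECTED_OPEN).items():
        print(host, findings)
```

Run the scan from outside the firewall and feed its `-oG` output to `audit()`; every entry under `unexpected_open` is a port the firewall passes but the policy does not account for, which is exactly the list that needs a decision (close the service or document the rule).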
We can also use traceroute to determine whether a particular unit inside the network can be traced from outside the firewall. Intruders should not be able to learn anything (e.g. an IP address) about any unit inside the network, nor see packets moving around our systems. The firewall should act as front-end security that makes all units within its perimeter "invisible".
The next step is to ping each unit in the network. For large-scale ping requests we can use a third-party ping application such as MegaPing. The point of a ping is to determine whether an IP address is active, that is, whether a unit with that IP address is visible or exists. The firewall should also enforce a policy on ping, deciding whether such a request is allowed to be processed by the system behind it. Attackers sometimes use ping to find out at random whether a unit exists, and if it does, an attack follows. Accordingly, the firewall should not allow ping requests from outside the perimeter to reach a unit inside the network: units inside must be invisible to units outside the firewall perimeter.
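The "invisible from outside" policy of the two paragraphs above can be expressed as a small first-match rulebase. The following Python model is an added example, not code from the original text: it drops inbound ping (ICMP echo request) and classic traceroute probes (UDP ports 33434 to 33534), allows only the published web port and replies to connections opened from inside, and denies everything else by default. The protected address range, the rules and the sample packets are constructed for the example.

```python
"""A minimal first-match packet filter whose rulebase enforces the policy
described above: no ping or traceroute probes from outside reach inside units,
only the published web port is reachable, replies to connections opened from
inside are allowed, and everything else is denied by default.
The address range, rules and sample packets are constructed for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

INSIDE = ip_network("192.0.2.0/24")  # hypothetical protected network

ICMP_ECHO_REQUEST = 8
TRACEROUTE_UDP = (33434, 33534)  # UDP destination port range used by classic traceroute probes


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                       # "tcp", "udp" or "icmp"
    dport: Optional[int] = None      # tcp/udp destination port
    icmp_type: Optional[int] = None  # icmp only
    established: bool = False        # reply to a connection opened from inside


@dataclass(frozen=True)
class Rule:
    action: str                               # "allow" or "deny"
    direction: str                            # "in" (outside -> inside) or "out"
    proto: Optional[str] = None
    dports: Optional[Tuple[int, int]] = None  # inclusive (low, high)
    icmp_type: Optional[int] = None
    established: Optional[bool] = None
    comment: str = ""

    def matches(self, pkt: Packet, direction: str) -> bool:
        """A rule matches when every field it specifies agrees with the packet."""
        if self.direction != direction:
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dports is not None and not (
            pkt.dport is not None and self.dports[0] <= pkt.dport <= self.dports[1]
        ):
            return False
        if self.icmp_type is not None and self.icmp_type != pkt.icmp_type:
            return False
        if self.established is not None and self.established != pkt.established:
            return False
        return True


# Order matters: the first matching rule wins; nothing matching falls through to deny.
RULEBASE = [
    Rule("allow", "in", established=True, comment="replies to sessions opened from inside"),
    Rule("allow", "in", proto="tcp", dports=(80, 80), comment="published web server"),
    Rule("deny", "in", proto="icmp", icmp_type=ICMP_ECHO_REQUEST, comment="no ping from outside"),
    Rule("deny", "in", proto="udp", dports=TRACEROUTE_UDP, comment="no traceroute from outside"),
    Rule("allow", "out", comment="units inside may reach out"),
]


def direction_of(pkt: Packet) -> str:
    """Classify a packet relative to the protected range."""
    src_in = ip_address(pkt.src) in INSIDE
    dst_in = ip_address(pkt.dst) in INSIDE
    if src_in and not dst_in:
        return "out"
    if dst_in and not src_in:
        return "in"
    return "other"  # spoofed or transit traffic: no rule matches, so it is denied


def evaluate(pkt: Packet, rulebase=RULEBASE) -> Tuple[str, str]:
    """Return (action, reason) for the first matching rule, or the default deny."""
    direction = direction_of(pkt)
    for rule in rulebase:
        if rule.matches(pkt, direction):
            return rule.action, rule.comment
    return "deny", "default deny"


if __name__ == "__main__":
    probes = [
        Packet("198.51.100.7", "192.0.2.10", "icmp", icmp_type=ICMP_ECHO_REQUEST),
        Packet("198.51.100.7", "192.0.2.10", "udp", dport=33440),
        Packet("198.51.100.7", "192.0.2.10", "tcp", dport=80),
        Packet("198.51.100.7", "192.0.2.10", "tcp", dport=22),
        Packet("192.0.2.10", "198.51.100.7", "icmp", icmp_type=ICMP_ECHO_REQUEST),
    ]
    for p in probes:
        print(p.src, "->", p.dst, p.proto, p.dport, p.icmp_type, evaluate(p))
```

The default-deny fall-through is the important design choice: an inbound ping or an unpublished port is blocked not because a rule names it but because nothing explicitly allows it, so a port the policy forgot stays closed rather than open. Windows `tracert` uses ICMP echo requests rather than UDP, so the ping rule covers it as well.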
To ensure that the firewall remains effective, firewall testing should be repeated regularly and at random times, since attack patterns change constantly. The test must be authorized beforehand, and the administrators should not be notified, so that normal operations continue during the test. This ensures that security flaws in the existing configuration are identified.
A packet filter is the simplest type of firewall and operates at the network layer of the OSI model. Packet filtering works from a set of rules stored as a rulebase, which determines which packets are allowed within a session and likewise which addresses are allowed to communicate. If by default, a rulebase does not