Firewalls are another network protection that stands in the way of a penetration tester or attacker. A firewall represents a barrier, or logical delineation, between two zones or areas of trust. In its simplest form, a firewall is the barrier between a private and a public network.

When discussing firewalls, it is important to understand how they work and where they are placed on a network. A firewall is a collection of programs and services located at the choke point (the location where traffic enters and exits the network). It is designed to filter all traffic flowing in and out and determine whether that traffic should be allowed to continue. In many cases the firewall is placed at a distance from important resources so that, in the case of compromise, key resources are not adversely impacted. If enough care and planning are taken, along with a healthy dose of testing, only traffic that is explicitly allowed to pass will be able to do so, with all other traffic dropped at the firewall.

Some details about firewalls to be aware of:

  • Firewalls are a form of IDS since all traffic can be monitored and logged when it crosses the firewall.
  • A firewall’s configuration is mandated by a company’s own security policy and will change to keep pace with the goals of the organization.
  • Firewalls are typically configured to allow only specific kinds of traffic such as e-mail protocols, web protocols, or remote access protocols.
  • In some cases, a firewall may also act as a form of phone tap, allowing for the identification of attempts to dial into the network.
  • A firewall uses rules that determine how traffic will be handled. Rules exist for traffic entering and exiting the network, and it is possible for traffic going one way not to be allowed to go the other.
  • For traffic that passes the firewall, the device will also act as a router, helping guide traffic flowing between networks.
  • Firewalls can filter traffic based on a multitude of criteria, including destination, origin, protocol, content, or application.
  • In the event that traffic of a malicious nature tries to pass the firewall, an alarm can be configured that will alert a system administrator or other party as needed.
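The rule behaviour described in the list above (direction-specific rules, filtering on protocol and destination, everything else dropped and logged) is shown here as an added example that is not part of the original text. The `Rule` class, the `RULES` policy, the helper names and all addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    direction: str   # "in" (public -> private) or "out" (private -> public)
    proto: str       # "tcp" or "udp"
    dst_net: str     # destination network in CIDR form
    dst_port: int
    action: str      # "allow" or "drop"

# Constructed policy: inbound mail and web to two published hosts, outbound web and DNS.
RULES = [
    Rule("in", "tcp", "203.0.113.10/32", 25, "allow"),
    Rule("in", "tcp", "203.0.113.20/32", 443, "allow"),
    Rule("out", "tcp", "0.0.0.0/0", 443, "allow"),
    Rule("out", "udp", "0.0.0.0/0", 53, "allow"),
]

def evaluate(direction, proto, dst_ip, dst_port, rules=RULES, log=None):
    """Return the action of the first matching rule; drop if none matches."""
    addr = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if (rule.direction == direction and rule.proto == proto
                and rule.dst_port == dst_port
                and addr in ipaddress.ip_network(rule.dst_net)):
            action = rule.action
            break
    else:
        action = "drop"  # implicit default deny: nothing explicitly allowed it
    if log is not None:  # every decision is recorded, as a firewall log would
        log.append((direction, proto, dst_ip, dst_port, action))
    return action

def audit_permissive(rules):
    """Policy-review aid: inbound allow rules that match any destination."""
    return [r for r in rules if r.action == "allow" and r.direction == "in"
            and ipaddress.ip_network(r.dst_net).prefixlen == 0]

if __name__ == "__main__":
    decisions = []
    evaluate("out", "tcp", "198.51.100.7", 443, log=decisions)  # inside -> web
    evaluate("in", "tcp", "10.0.0.5", 443, log=decisions)       # same port, other way
    for entry in decisions:
        print(entry)
```

The second call is dropped even though port 443 is allowed outbound, which is the one-way behaviour the rules bullet describes.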