In this post, we zoom in on testing the configuration (hereafter: config) of firewalls. For a definition of a firewall, see “What is a firewall?”.
Thus, it is of the utmost importance that the firewall designer has consulted the application, database and other involved parties, so as to know exactly which ports need to be opened, for which kind of traffic, in which (part of the) network.
Consider the following example. A web application INFRATEST (positioned in the demilitarized zone (DMZ) on two servers for load-balancing purposes) needs to communicate with a newly installed Postgres database (positioned in the company’s internal network). The database (on server C) and the web application (on servers A and B) sit in separate parts of the network, so traffic between them must pass the internal firewall before communication can be established. The type of communication needs to be defined; here it is TCP port 5432 (commonly noted as tcp/5432).
Then, this can be taken up in the internal firewall design document as follows:
- Source – Server A & B
- Destination – Server C
- Service – tcp/5432
This design document will constitute the test basis for the test engineer. A test scope and test cases can be derived from it. Determine meticulously what will be tested and what will not.
The test engineer can then easily verify, by peeking into the firewall, whether the rule is implemented. Be aware that a firewall can use objects (named groups of hosts) instead of the real server names, as shown in the last rule of the image above.
Using the segregation method and equivalence partitioning, the following test cases can be designed based on the design document:
- Test the firewall for the following rule: source server A, destination server C, protocol tcp/5432 – expected result: rule is present in the internal firewall.
- Test the firewall for the following rule: source server B, destination server C, protocol tcp/5432 – expected result: rule is present in the internal firewall.
Or, if an object is used in the firewall:
- Check the firewall object “server A & B” – expected result: the object only contains both server A and server B.
- Test the firewall for the following rule: source object server A & B, destination server C, protocol tcp/5432 – expected result: rule is present in the internal firewall.
On the other hand, it is also important to test negative cases (as equivalence partitioning prescribes). So, when testing a firewall, the tests should confirm that only those channels, sources and destinations are opened that need to be open for the intended communication; any other combination must be blocked.
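The positive, object and negative test cases above, worked through as an added example (not from the original post): a small Python checker that runs the design document against a constructed, simplified rule export. The object name, the rule fields and first-match evaluation with default deny are assumptions, not a real firewall's export format.

```python
from itertools import product

# Constructed sample data: firewall objects and rules as a test engineer
# might export them from the internal firewall (not a real export format).
OBJECTS = {"server A & B": {"server A", "server B"}}
RULES = [
    {"src": "server A & B", "dst": "server C", "svc": "tcp/5432", "action": "allow"},
    {"src": "any", "dst": "any", "svc": "any", "action": "deny"},
]
# Test basis: the only flows the design document says must be open.
DESIGN = {("server A", "server C", "tcp/5432"),
          ("server B", "server C", "tcp/5432")}


def expand(name, objects):
    """Resolve a firewall object to its member hosts; a plain name is itself."""
    return objects.get(name, {name})


def is_allowed(src, dst, svc, rules, objects):
    """First-match rule evaluation with an implicit default deny (assumed)."""
    for r in rules:
        if ((r["src"] == "any" or src in expand(r["src"], objects))
                and (r["dst"] == "any" or dst in expand(r["dst"], objects))
                and r["svc"] in ("any", svc)):
            return r["action"] == "allow"
    return False


def check_object(name, expected, objects):
    """Object test: the object contains exactly the expected members, no more."""
    return expand(name, objects) == set(expected)


def positive_cases(design, rules, objects):
    """Positive partition: every designed flow must be allowed."""
    return {flow: is_allowed(*flow, rules, objects) for flow in design}


def negative_cases(design, rules, objects, hosts, services):
    """Negative partition: every other src/dst/service combination must be
    denied. Returns the set of combinations that leak through."""
    return {(s, d, v) for s, d, v in product(hosts, hosts, services)
            if s != d and (s, d, v) not in design
            and is_allowed(s, d, v, rules, objects)}


if __name__ == "__main__":
    hosts = {"server A", "server B", "server C"}
    print(check_object("server A & B", ["server A", "server B"], OBJECTS))
    print(positive_cases(DESIGN, RULES, OBJECTS))
    print(negative_cases(DESIGN, RULES, OBJECTS, hosts, {"tcp/5432", "tcp/22"}))
```

An empty set from `negative_cases` means no undesigned flow is open; a loosened rule (for example `"svc": "any"`) shows up as leaked combinations.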