My company is currently updating its firewall policies (full disclosure: this hasn't been done in a while) and we're hung up on how often we should test the security of our firewall. Do you have any recommendations on how often firewall testing should occur?
Well, this is highly contingent upon what you mean by test. If you're testing whether your firewall is blocking or recording the types of traffic for which it is configured, perform the test when network traffic is at minimum activity. This way, you can throw whatever traffic you want at your network, and the logs will be easier to parse. Also, this allows you to send different types of traffic down range without interfering with legitimate network traffic.
If you want to test how your firewall functions under a full load, isolate the firewall from the rest of the network and utilize a network traffic generator to simulate a typical "day in the life" of the firewall. If a network traffic generator is not on hand, place the firewall in an operational environment, but gradually change the settings throughout a given time period. Record any behavioral changes that may occur with each rule change. If you decide to make a whole host of changes to your firewall policies simultaneously, too many variables will be inserted into an already fluid situation, thereby making configuration that much more difficult.
In terms of firewall testing frequency, I'm afraid this is also highly contingent on a few factors. Does your network serve a financial institution? If so, I would test your firewall daily, if feasible. If this is deemed impractical, then I would test it as often as possible. Does your firewall service a data center? Again, I would test it on a daily basis if at all possible. My approach may sound draconian, but many tests can be performed without adversely affecting your network or firewall performance. For example, is your firewall configured to block a certain domain? This is easy to simulate and even easier to detect from within the logs.
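The "blocked domain" check the answer closes with, as an added example that is not part of the original answer: send test traffic from a known host during a quiet window, then confirm from the firewall logs that every address the policy says to block was actually dropped. It assumes netfilter-style LOG lines with the constructed prefixes FW-DROP / FW-ACCEPT, constructed addresses and a constructed domain-to-address map.

```python
import re

# Constructed sample of netfilter LOG-target lines (e.g. iptables -j LOG --log-prefix "FW-DROP ").
SAMPLE_LOG = """\
Apr 12 02:15:01 fw kernel: FW-DROP IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=203.0.113.10 PROTO=TCP SPT=51234 DPT=443
Apr 12 02:15:02 fw kernel: FW-ACCEPT IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=198.51.100.7 PROTO=TCP SPT=51235 DPT=443
Apr 12 02:15:03 fw kernel: FW-DROP IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=203.0.113.10 PROTO=TCP SPT=51236 DPT=80
Apr 12 02:15:04 fw kernel: FW-ACCEPT IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=203.0.113.11 PROTO=TCP SPT=51237 DPT=443
Apr 12 02:15:05 fw kernel: FW-DROP IN=eth1 OUT=eth0 SRC=10.0.5.99 DST=203.0.113.11 PROTO=TCP SPT=40001 DPT=80
"""

# Constructed: addresses the blocked domains resolved to when the test traffic was sent.
EXPECTED_BLOCKED = {
    "bad.example": ["203.0.113.10"],
    "bad2.example": ["203.0.113.11"],
}

LINE_RE = re.compile(
    r"FW-(?P<verdict>ACCEPT|DROP) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?DPT=(?P<dpt>\d+)"
)


def parse_log(text):
    """Extract (verdict, src, dst, dport) from each LOG line; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append({"verdict": m["verdict"], "src": m["src"],
                           "dst": m["dst"], "dpt": int(m["dpt"])})
    return events


def verify_blocks(events, expected, test_src, ports=(80, 443)):
    """Return {domain: [(ip, port, verdict), ...]} for every expected block NOT observed
    as a DROP from the test host. 'ACCEPT' means the rule let it through; 'NO_LOG' means
    no log line exists for that flow, so the test itself (or logging) needs checking."""
    verdicts = {(e["dst"], e["dpt"]): e["verdict"] for e in events if e["src"] == test_src}
    findings = {}
    for domain, ips in expected.items():
        for ip in ips:
            for port in ports:
                seen = verdicts.get((ip, port), "NO_LOG")
                if seen != "DROP":
                    findings.setdefault(domain, []).append((ip, port, seen))
    return findings


if __name__ == "__main__":
    for domain, gaps in verify_blocks(parse_log(SAMPLE_LOG), EXPECTED_BLOCKED, "10.0.5.23").items():
        print(domain, gaps)
```

Only traffic from the designated test host is counted, so a drop logged for some other client (the last sample line) does not mask a gap in the test.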
This was first published in April 2013