Updating firewall policies with the frequency of firewall testing

Should firewall testing frequency be decided and documented when updating firewall policies? Expert Brad Casey discusses how often to test firewalls.

My company is currently updating its firewall policies (full disclosure: This hasn't been done in a while) and we're hung up on how often we should test the security of our firewall. Do you have any recommendations on how often firewall testing should occur?

Well, this is highly contingent upon what you mean by test. If you're testing whether your firewall is blocking or recording the types of traffic for which it is configured, perform the test when network traffic is at minimum activity. This way, you can throw whatever traffic you want at your network, and the logs will be easier to parse. Also, this allows you to send different types of traffic down range without interfering with legitimate network traffic.

If you want to test how your firewall functions under a full load, isolate the firewall from the rest of the network and utilize a network traffic generator to simulate a typical "day in the life" of the firewall. If a network traffic generator is not on hand, place the firewall in an operational environment, but gradually change the settings throughout a given time period. Record any behavioral changes that may occur with each rule change. If you decide to make a whole host of changes to your firewall policies simultaneously, too many variables will be inserted into an already fluid situation, thereby making configuration that much more difficult.

In terms of firewall testing frequency, I'm afraid this is also highly contingent on a few factors. Does your network serve a financial institution? If so, I would test your firewall daily, if feasible. If this is deemed impractical, then I would test it as often as possible. Does your firewall service a data center? Again, I would test it on a daily basis if at all possible. My approach may sound draconian, but many tests can be performed without adversely affecting your network or firewall performance. For example, is your firewall configured to block a certain domain? This is easy to simulate and even easier to detect from within the logs.
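One way to turn the "send test traffic during the quiet window, then read the logs" check from the answer into a repeatable test, as an added example that is not part of Brad Casey's answer or the original page: the expected policy is written down as test cases, constructed iptables-style LOG lines stand in for the firewall's log, and each case is reported as correctly handled, handled with the wrong action, or never logged (a probe that left no log line is a finding too, since the answer's point is that the firewall should both block and record). The log prefixes, addresses and ports are assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Constructed iptables LOG-target style lines, standing in for a real firewall log.
SAMPLE_LOG = """\
Jun  3 02:10:01 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51514 DPT=23
Jun  3 02:10:02 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51515 DPT=445
Jun  3 02:10:03 fw kernel: FW-ACCEPT: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51516 DPT=443
Jun  3 02:10:04 fw kernel: FW-ACCEPT: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51517 DPT=22
"""

# Assumed log prefixes FW-DROP / FW-ACCEPT; adjust to whatever your LOG rules emit.
LOG_RE = re.compile(
    r"FW-(?P<action>DROP|ACCEPT):.*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+).*?DPT=(?P<dpt>\d+)"
)

@dataclass(frozen=True)
class Case:
    src: str
    dst: str
    proto: str
    dport: int
    expected: str  # "DROP" or "ACCEPT" according to the documented policy

# The probes sent during the low-traffic window and what policy says should happen.
CASES = [
    Case("203.0.113.7", "192.0.2.10", "TCP", 23, "DROP"),
    Case("203.0.113.7", "192.0.2.10", "TCP", 445, "DROP"),
    Case("203.0.113.7", "192.0.2.10", "TCP", 443, "ACCEPT"),
    Case("203.0.113.7", "192.0.2.10", "TCP", 22, "DROP"),    # logged as ACCEPT: policy gap
    Case("203.0.113.7", "192.0.2.10", "TCP", 3389, "DROP"),  # probe sent, nothing logged
]

def parse_log(text):
    """Map (src, dst, proto, dport) -> last action the firewall logged for that probe."""
    seen = {}
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            seen[(m["src"], m["dst"], m["proto"], int(m["dpt"]))] = m["action"]
    return seen

def verify(cases, log_text):
    """Return {case_key: 'ok' | 'wrong-action:<logged>' | 'not-logged'} per test case."""
    seen = parse_log(log_text)
    results = {}
    for c in cases:
        key = (c.src, c.dst, c.proto, c.dport)
        if key not in seen:
            results[key] = "not-logged"       # blocked silently or passed unlogged: investigate
        elif seen[key] != c.expected:
            results[key] = f"wrong-action:{seen[key]}"
        else:
            results[key] = "ok"
    return results

if __name__ == "__main__":
    for key, verdict in verify(CASES, SAMPLE_LOG).items():
        print(key, verdict)
```

Run it after each rule change (the answer's one-change-at-a-time approach) so any verdict other than "ok" can be tied to the specific change that caused it.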

