How to conduct a firewall security test using Nmap

Open source security tool Nmap can do more than map a network and examine what information it reveals to a potential attacker. This tip explains how value-added resellers (VARs) and consultants can use

    Requires Free Membership to View

Nmap as part of a firewall security test.

Nmap: Firewall configuration testing
One of the best ways to understand how your customer's firewall handles uninvited traffic is to verify that its filters and rules are working as anticipated. For example, one mistake many administrators make when creating rules for allowing traffic through their firewall is to trust traffic based simply on its source port number, such as DNS replies from port 53 or FTP from port 20. To test whether your customer's firewall allows all traffic through on a particular port you can use most of Nmap's TCP scans, including the SYN scan, with the spoof source port number option (--source-port or abbreviated just to –g). Simply provide a port number, and Nmap will send packets from that port where possible. For example, the following command will run a FIN scan using a spoofed source port number of 25 (SMTP) saving the output to file firewallreport.txt.

nmap -sF -g 25 -oN firewallreport.txt www.yourorg.com

It's also worthwhile to test the firewall's ability to cope with fragmented traffic. Attackers often split up the TCP header over several packets to make it harder for packet filters and intrusion detection systems to detect an attack. While fragmented packets won't get past packet filters and firewalls that queue all IP fragments, many devices have queuing disabled by default to avoid a drop in performance. Just add the -f option to set a scan to send fragmented IP packets.

Read more on how to conduct a firewall security test using Nmap.

About the author
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book
IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for SearchSecurity's Web Security School and, as a SearchSecurity.com site expert, answers user questions on application and platform security.

This tip originally appeared on SearchSecurity.com.

This was first published in December 2006

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.