Design And Implementation Of Firewall Security Testing System

Posted on: 2019-03-11
Degree: Master
Type: Thesis
Country: China
Candidate: C Wang
GTID: 2348330542498198
Subject: Computer technology
Abstract/Summary:
In recent years, the rapid development of the Internet has greatly improved people's lives. However, cyber-security incidents have followed one after another, posing a serious security threat to individuals, society and even the country. The firewall is the first barrier against external attacks; if attackers infiltrate the firewall, the internal network cannot be secured. According to statistics, from 2014 to 2016 the total number of vulnerabilities disclosed in Cisco ASA Series firewalls reached more than 40, indicating that the firewall itself faces a serious security threat. Therefore, to protect the internal network, it is necessary to conduct security testing on the firewall.

To meet this requirement, this paper designs and implements a firewall security test system. With the "Security testing system for firewalls", firewalls are tested from two aspects: vulnerability verification and protocol fuzzing. The main research content is as follows. Based on vulnerability information from the past five years for mainstream firewalls and the target protocols, the paper designs a vulnerability database. Then the overall framework of the firewall security testing system is designed and implemented. The design of the target system scanning module, the vulnerability database module, the known vulnerability verification module, the protocol fuzzing test module and the result analysis module in the framework is described in detail.

Among these, protocol fuzzing is the core technology of this paper. By analyzing the limitations of traditional fuzzing in constructing test cases and in testing stateful protocols, the paper designs a protocol-based fuzzing framework for firewalls called FPFuzzer. FPFuzzer analyzes historical vulnerability information to make the construction of test cases more effective. FPFuzzer also includes a module that manages the testing path: the test cases of all requests are tested, and logic problems in protocol communication are detected through a mutated session flow. In addition, the exception-monitoring module in FPFuzzer monitors the target firewall in real time and accurately locates the test cases that trigger abnormalities.

Finally, security testing is conducted on the Cisco firewall with the "firewall security test system". The test system successfully verified 4 known vulnerabilities of the target firewall and, through protocol fuzzing, discovered two security problems in the target firewall's handling of the SNMP protocol and the IKE protocol. The verification results show that the system is easy to use and has good scalability and usability.
Keywords/Search Tags: vulnerability database, protocol fuzzing, vulnerability verification, firewall security testing system