Firewalls Penetration Testing for a US Consumer Reporting Agency
The Customer is a US licensed consumer reporting agency. They are a nationwide provider of pre-employment screening services, including criminal records, and credit history check.
The Customer had two IP addresses with outward-facing hardware firewalls. The Customer turned to ScienceSoft as a penetration testing provider to check the security level of the firewalls’ configuration and find all the potential vulnerabilities.
ScienceSoft’s security testing team performed penetration testing of the Customer’s firewalls according to the black box model (simulating the actions of a real attacker with limited knowledge of the network). The security check was performed based on the Open Web Application Security Project (OWASP) Top 10 methodology.
The security engineers’ main tasks were the following:
- Bypassing the firewalls.
- Attempting to identify the services running behind the firewalls.
ScienceSoft’s security testing team identified the types of firewall hardware the Customer had with the accuracy of 90% and managed to bypass them. No vulnerabilities were revealed by ScienceSoft’s security engineers in the course of penetration testing.
The security engineers detected several Transmission Control Protocol (TCP) ports. Nevertheless, the Customer’s firewalls ensured a sufficient level of security not to let the security engineers accurately identify the particular types of services running behind the firewalls.
The report provided by ScienceSoft’s security testing team to the Customer contained the list of detected TCP ports, as well as the characteristics of how the Customer’s firewalls behaved during penetration testing.
ScienceSoft’s security testing team provided the Customer with the evaluation of the security level of their hardware firewalls as “high”. The Customer got the detailed description of what was done in the course of black box penetration testing. The security engineers also provided the Customer with the characteristics of the ways the tested firewalls behaved.
Technologies and Tools
Metasploit, Nessus, Nmap, Tor