Firewalls and Penetration Testing

Firewalls and penetration testing are two essential components of network security. Firewalls act as a barrier between trusted and untrusted networks, while penetration testing proactively identifies vulnerabilities before attackers can exploit them. This lesson covers both topics in the depth required for GCSE Computer Science.

---

What Is a Firewall?

A firewall is a security device (hardware, software or both) that monitors and controls incoming and outgoing network traffic based on a set of predetermined security rules. It acts as a barrier between a trusted internal network and untrusted external networks (such as the internet).

How a Firewall Works

1. Every piece of data travelling across a network is broken into packets
2. Each packet has a header containing information such as the source IP address, destination IP address, port number and protocol
3. The firewall examines each packet against its rule set
4. Packets that match an allow rule are permitted through
5. Packets that match a deny rule are blocked (dropped)
6. Packets that match no rule are handled by the default policy (usually deny)

Firewall Rules Example

Rule	Source IP	Destination Port	Protocol	Action
1	Any	80	TCP (HTTP)	Allow
2	Any	443	TCP (HTTPS)	Allow
3	Any	22	TCP (SSH)	Deny
4	192.168.1.0/24	3389	TCP (RDP)	Allow
Default	Any	Any	Any	Deny

In this example:

• Web traffic (HTTP and HTTPS) is allowed from any source
• SSH connections are blocked from all sources
• Remote Desktop (RDP) is only allowed from the internal network (192.168.1.x)
• All other traffic is denied by default

---

Types of Firewall

Type	How It Works	Advantages	Limitations
Packet filtering	Examines packet headers (IP, port, protocol) against rules	Fast, low overhead	Cannot inspect packet contents; limited context
Stateful inspection	Tracks the state of active connections and makes decisions based on context	More intelligent than packet filtering; can detect forged packets	More resource-intensive
Application layer (proxy)	Inspects the actual content of packets at the application layer	Can detect malicious content within allowed traffic	Slowest; may create bottlenecks
Hardware firewall	A dedicated physical device placed at the network boundary	Protects the entire network; high performance	Expensive; requires specialist configuration
Software firewall	A program installed on individual computers	Protects each device; can be customised per user	Must be installed and maintained on every device

---

Firewall Advantages and Limitations

Advantages

• Blocks unauthorised access — prevents external attackers from reaching internal systems
• Controls outbound traffic — can prevent malware from "phoning home" to an attacker's server
• Logging — records all allowed and blocked traffic, useful for security monitoring
• Network segmentation — can be used to create separate zones within a network (e.g. separating student and staff networks in a school)

Limitations

• Cannot prevent all attacks — if malicious traffic is disguised as legitimate (e.g. through an allowed port), a basic firewall will not detect it
• Cannot prevent social engineering — a firewall cannot stop an employee from voluntarily sending data to an attacker
• Misconfiguration — poorly written rules can block legitimate traffic or allow malicious traffic
• Encrypted traffic — some firewalls cannot inspect encrypted (HTTPS) traffic without additional configuration
• Internal threats — firewalls primarily protect against external threats; they are less effective against attacks from within the network

---

What Is Penetration Testing?

Penetration testing (often called "pen testing") is the practice of deliberately attempting to break into an organisation's computer systems, networks and applications with authorisation in order to find security vulnerabilities before real attackers do.

Penetration testers are also known as ethical hackers or white-hat hackers.

Why Organisations Use Penetration Testing

• Identifies vulnerabilities before they are exploited by malicious attackers
• Tests defences — reveals whether firewalls, intrusion detection systems and access controls are working as intended
• Regulatory compliance — some regulations (e.g. PCI DSS for payment card data) require regular pen testing
• Provides evidence — a pen test report gives management clear evidence of the organisation's security posture
• Prioritises remediation — vulnerabilities are ranked by severity so the organisation can fix the most critical issues first

---

The Penetration Testing Process

Stage	Description
1. Planning and scoping	Define the scope of the test: which systems, networks and applications will be tested? What methods are allowed?
2. Reconnaissance	Gather information about the target (e.g. IP addresses, open ports, software versions) using scanning tools
3. Vulnerability assessment	Identify potential weaknesses using automated scanning tools and manual analysis
4. Exploitation	Attempt to exploit the identified vulnerabilities to gain unauthorised access (within the agreed scope)
5. Reporting	Document all findings, including the vulnerabilities discovered, how they were exploited and recommendations for remediation
6. Remediation and re-testing	The organisation fixes the vulnerabilities, and the tester verifies the fixes

---

Types of Penetration Test

Type	Description	Realism
Black box	The tester has no prior knowledge of the system — they approach it like a real external attacker	Most realistic
White box	The tester has full knowledge of the system (source code, network diagrams, credentials)	Most thorough
Grey box	The tester has partial knowledge (e.g. user-level credentials but not admin access)	Balance of realism and thoroughness

---

Penetration Testing vs Vulnerability Scanning

Feature	Penetration Testing	Vulnerability Scanning
Approach	Manual and automated; actively exploits vulnerabilities	Primarily automated; identifies but does not exploit vulnerabilities
Depth	Deep — tests whether vulnerabilities can actually be used	Shallow — reports potential vulnerabilities
Cost	Expensive (requires skilled professionals)	Relatively cheap (automated tools)
Frequency	Typically once or twice a year	Can be run weekly or daily
Output	Detailed report with exploitation evidence and remediation advice	List of vulnerabilities with severity ratings

---

Legal and Ethical Considerations

Penetration testing must always be:

• Authorised — the organisation must give written permission before any testing begins
• Scoped — clearly defined boundaries (which systems can be tested, during what hours)
• Documented — all activities must be recorded
• Responsible — testers must not cause unnecessary damage or access data beyond what is needed to demonstrate the vulnerability

Unauthorised penetration testing — even with good intentions — is illegal under the Computer Misuse Act 1990.

Exam Tip: If asked about the difference between a white-hat hacker and a black-hat hacker, emphasise authorisation. A white-hat hacker has explicit permission to test the system; a black-hat hacker does not.

---

Key Terms Summary