Australian Information Security Management Conference

Document Type

Conference Proceeding


School of Computer and Information Science, Edith Cowan University, Perth, Western Australia


5th Australian Information Security Management Conference, Edith Cowan University, Perth Western Australia, December 4th 2007.


This paper proposes an all encompassing test methodology for firewalls. It extends the life cycle model to revisit the major phases of the life cycle after a firewall is in service as foundations for the tests. The focus of the tests is to show that the firewall is, or isn’t, still fit for purpose. It also focuses on the traceability between business requirements through to policy, rule sets, physical design, implementation, egress and ingress testing, monitoring and auditing. The guidelines are provided by a Test and Evaluation Master Plan (TEMP). The methodology is very much process driven and in keeping with the Security Systems Engineering Capability Maturity Model (SSECMM). This provides multiple advantages, including the capture of configuration errors, results are measurable and repeatable, assurance is developed and it can be used as a roadmap for process improvement. Sample tests are provided in the paper, but act merely as a guideline. It would be expected that the test and evaluation master plan be tailored for any specific organisation.