Common Firewall Misconfigurations

May 3, 2024
Ryan Stephens

Firewalls are often seen as the silver bullet for network perimeter security, but this simply isn't the case.  The traditional firewall has largely been replaced by the UTM appliance, yet even the best UTM devices need help from other tools to protect every part of today's ever-expanding network borders.  At the firewall/UTM level, though, these are some areas to double-check to make sure your front door isn't unlocked.  These are some common firewall misconfigurations you will want to avoid when setting up firewalls or UTMs.

  • Web facing administration

While this can be handy, history has shown that it is not a good idea.  To start with, a weak password gives easy access to anyone on the web.  But what if you have a strong password?  These devices are not immune to exploit code, and unfortunately they are not always patched immediately when security updates are released.  Some exploits against these devices bypass authentication completely or leak configuration information, including passwords, open ports, and so on.

Instead, put another layer in place, such as a VPN, so that admins connect to the management interface from the inside while away.

  • Port forward chaos

Some circumstances require external access to internal resources, and that is fine.  But make sure it is set up so that only explicit ports or services are allowed to pass, not a blanket policy allowing everything.  Too often, ANY rules are created that pass all traffic to an internal resource, opening the door to a multitude of problems.

Instead, limit the forward by port number or service.  In addition, ensure the forwarded traffic is still filtered by UTM services, as these can often detect exploits attempting to pass over the allowed ports.

  • Know your data and know its paths

Our networks are growing at a rapid pace.  With cloud adoption growing year after year, integrations and connections to Azure, AWS, and other providers are becoming the norm.  A common misconception with many of these services is that they are secured for you.  Many large data breaches originated from these remote resources because inadequate security was applied to them.  Firewalls are still needed for many cloud sites, as is system-level security for the hosts there.  Know and evaluate your security posture at hosted sites as well as internally.

Once remote sites are secured, what traffic flows between them and your users?  Restrict these connections to what is needed, per site.  Just as with port forwarding, limit them to the services required and restrict source and destination to only those required, not the entire web.

  • Incoming, check. Outgoing, open?

Everyone who has installed a firewall understands that its purpose is to restrict what is outside from coming inside.  However, not everyone considers restricting what leaves.  Malware, once installed (via drive-bys, spam, etc.), calls out to its command and control server.  This gets past a stateful firewall because the connection originates inside the network, where outbound traffic is typically permitted.

By identifying which services actually need to call out, you can limit the footprint of outgoing traffic.  Have the UTM device scan this traffic as well, to make sure it isn't going to known malicious networks.
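As an added example (not from the original post), here is a small rule auditor in Python that flags the three rule-level mistakes discussed above: the management plane reachable from any external source, an ANY port forward, and an unrestricted egress allow. The rule format, the sample ruleset and the management port set (22, 443, 8443) are assumptions made for this example, not any vendor's syntax.

```python
"""Audit a simplified firewall rule table for the misconfigurations above.

Rule format (constructed for this example, not a vendor's syntax):
  dict(direction="in"|"out", src, dst, proto, dport, action="allow"|"deny")
"any" is a wildcard; dst "firewall" means the device's own management plane.
"""

ADMIN_PORTS = {22, 443, 8443}  # assumed management ports; adjust to your device


def audit(rules):
    """Return a list of (finding, rule_index) tuples for the three checks."""
    findings = []
    for i, r in enumerate(rules):
        if r["action"] != "allow":
            continue  # deny rules are never a misconfiguration for these checks
        wildcard_port = r["dport"] == "any"
        # 1. Web-facing administration: management plane open to any source
        if (r["direction"] == "in" and r["dst"] == "firewall" and r["src"] == "any"
                and (wildcard_port or r["dport"] in ADMIN_PORTS)):
            findings.append(("web-facing-admin", i))
        # 2. Port forward chaos: inbound forward that passes every port
        elif r["direction"] == "in" and r["dst"] != "firewall" and wildcard_port:
            findings.append(("any-port-forward", i))
        # 3. Outgoing open: egress allowed to any destination on any port
        if r["direction"] == "out" and r["dst"] == "any" and wildcard_port:
            findings.append(("open-egress", i))
    return findings


# Constructed sample ruleset: one instance of each problem plus sound rules.
SAMPLE_RULES = [
    dict(direction="in", src="any", dst="firewall", proto="tcp", dport=443, action="allow"),
    dict(direction="in", src="any", dst="10.0.0.5", proto="any", dport="any", action="allow"),
    dict(direction="in", src="any", dst="10.0.0.6", proto="tcp", dport=443, action="allow"),
    dict(direction="out", src="10.0.0.0/24", dst="any", proto="any", dport="any", action="allow"),
    dict(direction="out", src="10.0.0.0/24", dst="any", proto="tcp", dport=443, action="allow"),
    dict(direction="in", src="any", dst="any", proto="any", dport="any", action="deny"),
]

if __name__ == "__main__":
    for finding, idx in audit(SAMPLE_RULES):
        print(f"{finding}: rule {idx} -> {SAMPLE_RULES[idx]}")
```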

  • Logs, and lots of them.

Log as much as you can: incoming connections, denied connections, outgoing connections, authentication events, the list goes on.  Logs are great for troubleshooting issues, but just as important, when an incident occurs, a paper trail is crucial.  You simply cannot trace a leak, or how much was exposed, if you have no record of traffic.  Logs are only helpful if they are reviewed.  You can have millions of log entries, but with no way to harvest metrics and quickly analyze them, they will never get reviewed.  Without review, incidents are not found in a timely manner and issues that could have been rectified go on impacting the business.

Have a SIEM solution to help make heads or tails of your firewall, endpoint, authentication, and other logs.  This makes review much easier, allowing it to be done more frequently and efficiently to ensure that everything happening is expected.

These are some of the most common issues that arise with perimeter security.  Every organization is different, with different needs.  However, virtually all businesses must address these items to ensure their safety and, for specific industries, to meet compliance requirements.  This is by no means an exhaustive list for compliance or security best practice, but at the firewall/UTM level these items are crucial for strengthening your security posture.