Firewalls are a main line of defense against all types of network invaders, yet even after years of research and experience, many organizations still make configuration mistakes that leave their networks vulnerable to data theft, sabotage, and other types of mayhem.
Here's a rundown of five unsound firewall practices that should be avoided at all cost.
1. Failing to properly configure and orchestrate firewalls to work with an increasingly cloud-based security infrastructure
The network perimeter has all but disappeared and firewalls today are now merely one component in a distributed security ecosystem, observed Stefan Schachinger, senior consulting engineer at Barracuda Networks, a networking, security and storage products provider.
Organizations connecting data centers with branch locations, mobile workers, and maintenance personnel require continuous remote access. Meanwhile, applications and data resources are quickly moving to IaaS and SaaS platforms. "The majority of companies already are, or are in the process of, transitioning to a hybrid cloud environment," Schachinger noted. Protecting such infrastructures requires more than a simple firewall. "Today's evolving and distributed environments require a layered defense-in-depth approach where firewalls work in concert with the rest of the security ecosystem."
2. Misapplying port forwarding rules for remote access
It's never a good idea to use a port forwarding rule to accomplish remote access to a LAN-side machine without first restricting ports or source IP addresses. "This is a common mistake since it's the easiest way to set up remote access," said Jay Akin, CEO of Mushroom Networks, a developer of advanced SD-WAN appliances incorporating firewall and other security attributes.
Remote access via careless port forwarding significantly increases the risk of security breaches. "If the local 'trusted' device can be reached and hacked by unauthorized entities through this security hole, the so-called trusted device that is in the LAN segment of the network can be further exploited by the hacker to attack other devices or assets that the trusted device has access to," Akin explained.
3. Neglecting to inventory specific, legitimate access needs
To ensure minimal service interruptions, many organizations launch their firewall configuration with a broad "allow" policy. Then, bit-by-bit over time, they tighten their access policy as the need arises. That's a bad idea. "By not carefully defining access needs from the onset ... the organization is vulnerable to malicious attacks for a longer period of time," warned Lenny Mansilla, senior vice president of information security and support at Netsurion, a managed network security provider.
Instead of starting with an open policy that's slowly tightened down, Mansilla suggested doing the opposite. Inventory the critical applications and services the organization absolutely needs to support reliable day-to-day operations, then apply a firewall policy that accommodates specific sites, using source IP, destination IP, and port addresses whenever possible.
4. Failing to configure the firewall to egress-filter outgoing traffic to the Internet
Most administrators have at least a fundamental understanding of how firewalls improve security via ingress filtering. The approach prevents incoming, Internet-based connections from reaching internal network services that unauthorized external users should never have access to, explained Corey Nachreiner, CTO of WatchGuard Technologies, a network security software and services provider. Yet relatively few administrators bother to take advantage of the security benefits provided by egress filtering—ingress filtering's opposite companion—which limits the types of network connections internal users can make to the Internet.
Nachreiner noted that most of the firewall configurations he's seen have a blanket outgoing policy that essentially allows internal users to do just about anything they want to online. "If you're not utilizing egress filtering, you're missing out on a host of security benefits that your firewall can provide, leaving your overall security posture at a significant disadvantage."
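The three configuration mistakes above (an unrestricted port forward, an "allow everything, tighten later" starting point, and a blanket outbound rule) can all be caught by the same kind of policy review. The following Python script is an added example, not code from the article or from any of the vendors it quotes: it models a small first-match firewall policy whose unmatched traffic is denied, evaluates sample packets against it, and audits the rule list for the patterns Akin, Mansilla and Nachreiner warn about. The rule fields, the two sample policies and the addresses are constructed for illustration and are not any product's configuration syntax.

```python
"""Added example: a toy first-match firewall policy with a default-deny end,
plus an audit for unrestricted port forwards and blanket outbound rules.
Everything here is constructed for illustration; it is not vendor code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ANY_NET = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                          # "allow" or "deny"
    direction: str                       # "in" (Internet -> LAN) or "out" (LAN -> Internet)
    src: str = "0.0.0.0/0"               # permitted source CIDR
    dst: str = "0.0.0.0/0"               # permitted destination CIDR
    proto: str = "any"                   # "tcp", "udp" or "any"
    dports: Optional[Tuple[int, int]] = None  # inclusive destination port range; None = all
    forward_to: Optional[str] = None     # LAN host a port-forward (DNAT) rule exposes
    comment: str = ""

    def matches(self, direction: str, src: str, dst: str, proto: str, dport: int) -> bool:
        if self.direction != direction:
            return False
        if ip_address(src) not in ip_network(self.src):
            return False
        if ip_address(dst) not in ip_network(self.dst):
            return False
        if self.proto != "any" and self.proto != proto:
            return False
        if self.dports is not None and not (self.dports[0] <= dport <= self.dports[1]):
            return False
        return True


def evaluate(rules: List[Rule], direction: str, src: str, dst: str, proto: str, dport: int) -> str:
    """First matching rule wins. Nothing matched means deny: the policy starts
    closed and only the inventoried needs are opened (item 3)."""
    for rule in rules:
        if rule.matches(direction, src, dst, proto, dport):
            return rule.action
    return "deny"


def audit(rules: List[Rule]) -> List[str]:
    """Flag allow rules that exhibit the mistakes in items 2 and 4."""
    findings = []
    for i, r in enumerate(rules):
        if r.action != "allow":
            continue
        wide_src = ip_network(r.src) == ANY_NET
        all_ports = r.dports is None or (r.dports[0] <= 1 and r.dports[1] >= 65535)
        # Item 2: port forward reachable from any source and/or on every port
        if r.forward_to and wide_src and all_ports:
            findings.append(f"rule {i}: port forward to {r.forward_to} open to every source on every port")
        elif r.forward_to and wide_src:
            findings.append(f"rule {i}: port forward to {r.forward_to} reachable from any source IP")
        elif r.forward_to and all_ports:
            findings.append(f"rule {i}: port forward to {r.forward_to} exposes every port")
        # Item 4: outbound allow-anything, i.e. no egress filtering at all
        if (r.direction == "out" and wide_src and ip_network(r.dst) == ANY_NET
                and all_ports and r.proto == "any"):
            findings.append(f"rule {i}: blanket outbound allow; no egress filtering")
    return findings


# Constructed policy showing the "easy" remote-access forward and the blanket outbound rule.
CARELESS = [
    Rule("allow", "in", forward_to="192.168.1.10", comment="remote access to a desktop"),
    Rule("allow", "out", comment="let internal users do anything"),
]

# Constructed least-access policy: inventoried needs expressed as source, destination and port.
STRICT = [
    Rule("allow", "in", src="203.0.113.0/24", dst="198.51.100.1/32", proto="tcp",
         dports=(443, 443), forward_to="192.168.1.10", comment="HTTPS from the maintenance vendor only"),
    Rule("allow", "out", src="192.168.1.0/24", proto="udp", dports=(53, 53), comment="DNS"),
    Rule("allow", "out", src="192.168.1.0/24", proto="tcp", dports=(80, 80), comment="HTTP"),
    Rule("allow", "out", src="192.168.1.0/24", proto="tcp", dports=(443, 443), comment="HTTPS"),
]

if __name__ == "__main__":
    for name, policy in (("careless", CARELESS), ("strict", STRICT)):
        print(name, audit(policy) or ["no findings"])
        print("  unknown host -> forwarded desktop, tcp/3389:",
              evaluate(policy, "in", "192.0.2.7", "198.51.100.1", "tcp", 3389))
        print("  LAN host -> Internet, tcp/25:",
              evaluate(policy, "out", "192.168.1.20", "192.0.2.9", "tcp", 25))
```

Running the script shows the careless policy admitting an arbitrary Internet host to the forwarded desktop and letting any LAN host open outbound SMTP, while the strict policy denies both and produces no audit findings. The audit is deliberately simple; a real review would also check rule ordering, since an early broad allow shadows any narrower deny that follows it.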
5. Believing that a well-configured firewall is all that's needed to ensure complete network security
As attackers grow craftier, edge protection is being pushed to its limits. The bad guys can now target enterprise Wi-Fi networks, compromise routers, launch phishing campaigns, and even construct API gateway requests to pass scripting attacks to backends. Once inside the network, attackers can expand their reach to take advantage of internal systems built with an edge-only security mentality.
Dmitry Sotnikov, vice president of cloud platforms at 42Crunch, a network security platform provider, recommended adopting a zero-trust approach. "Everything can get compromised: your mobile applications, consumer and employee devices, [and] internal networks," he said. Design network security in layers, with the firewall serving as a key, but not the only, protection. "Lock down each layer to the bare minimum level of communications required."
In-house-developed security measures should follow a DevSecOps approach. "Security for your APIs, applications, integration projects and systems needs to start with the design phase," Sotnikov recommended. "On each stage of the lifecycle—design, development, testing, runtime—security checks need to be automatically run to ensure that any component or system is kept secure, even as they evolve and change."