Your network firewall serves as the first line of defense between your network and the untrusted Internet. The configuration of the firewall is equally as important as the firewall itself. And since networks evolve over time, you need to check the configuration on a regular basis and make changes as warranted.
The network firewall is your first line of defense against the bad guys. It sits between your network and the Internet.
Always ready, willing, and able.
Or is it?
Although the network firewall is often treated like a plug-and-play piece of hardware, it is anything but. Both new and old firewalls need proper care and feeding for them to perform as they are meant to. Firmware needs to be maintained, configurations backed up, and access rules kept up to date. The firewall security rules should be reviewed and tested on a regular basis to be sure they are performing as they should.
Maintaining a Firewall's Firmware
Like everything else on your network, your firewall is ultimately just another computer running software. No, it's not Windows (at least I hope not), but it has an operating system with millions of lines of code and hundreds of bugs waiting to be discovered and taken advantage of.
For firewalls, patching takes the form of a firmware upgrade. It replaces the firewall's old code with a newer, less vulnerable version.
Common bugs seen in firewall firmware include:
- "hidden" default passwords
- vulnerable admin interfaces
- flaws in the VPN code
Backing Up the Firewall's Configuration
Firewall configurations should be backed up on a regular basis. Backing up a firewall's configuration allows for:
Keeping the Firewall Security Rules Up to Date
For a business, it is not unusual to have ever changing network requirements. One day you may be spinning up a temporary SFTP server to transfer a file to a partner. The next you are moving your onsite webserver to the cloud.
Whatever the change may be, there is often a firewall rule adjustment that should be made. It is these adjustments that often go undone, creating gaps in your first line of defense.
So you have a firewall, or maybe even dozens of them. Each one has been out there for a year or more, managed by multiple people, and the state of its rule set is unknown.
An auditor is coming in to evaluate your security practices, and surely they will ask about what points of entry may exist from the Internet into your critical infrastructure.
What do you do now?
What you now want to do is to run an external scan. The scan can be a port scan, a vulnerability scan, or both.
1) Port Scans
The most common way to run a port scan uses a tool called Nmap, a free, open-source network scanner capable of ping, ARP, TCP, and UDP probes.
- Identify the external IP address or IP range for each of your sites.
- Set up a server that has unrestricted access to the Internet and install Nmap on it. This server's access to the Internet must be unrestricted, or else your scan results will be tainted by any outbound filtering that is in place.
- Run an Nmap scan.
nmap -sS -p- -T3 -sV -oA scan [YOUR IP ADDRESS]
The options in this command mean:
|Option|Meaning|
|---|---|
|-p-|Run against all 65,535 ports|
|-T3|Normal speed (you may consider using -T4 to speed things up)|
|-sV|Standard service detection|
|-oA scan|Write the output in all formats (normal, XML, and grepable), using the basename "scan"|
Upon completion of the Nmap scan, you will have a good idea of what can be seen on your network from the Internet. To improve on it a bit more, you may want to run another Nmap scan, this time using -sU for UDP and --top-ports 100 for the 100 most commonly used ports.
Output in hand, you can now review the information, identifying the open services being enumerated. Determine what the services are used for and whether or not they need to be accessed via the Internet. Determine if the server offering the service is on your internal network (which is bad), or more properly located within a DMZ.
A common misconfiguration is the exposure of the web admin interface of the firewall to the Internet. Ideally, there should be no way to access a firewall's admin interface directly from the Internet. Instead, all such access should be via its internal interface. Best practice for remote admin is to use a VPN in order to access the management interface internally. If that is not feasible, then it should minimally be locked down for access from a small subset of known source addresses.
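As an added example (not from the original post or Corserva), the review step above can be partly automated: this Python script parses the grepable .gnmap file that -oA writes, compares every open port against an allow-list of services you intend to expose, and flags exposed management ports such as a firewall's web admin interface. The scan lines, hosts, and allow-list are constructed.

```python
import re
from collections import defaultdict
# Constructed sample of the .gnmap file that `nmap -sS -p- -T3 -sV -oA scan <ip>` writes.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated as: nmap -sS -p- -T3 -sV -oA scan 203.0.113.0/28
Host: 203.0.113.10 ()\tStatus: Up
Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 443/open/tcp//ssl|https//nginx/, 8443/open/tcp//ssl|https-alt//Firewall web admin/, 25/filtered/tcp//smtp///\tIgnored State: closed (65531)
Host: 203.0.113.11 ()\tPorts: 443/open/tcp//ssl|https//Apache httpd/, 3306/open/tcp//mysql//MySQL 8.0/\tIgnored State: filtered (65533)
"""

# Services you have decided should be reachable from the Internet (constructed).
# Anything open that is not listed here is a finding to investigate.
ALLOWLIST = {
    ("203.0.113.10", "443/tcp"): "public web server in the DMZ",
    ("203.0.113.11", "443/tcp"): "public web server in the DMZ",
}
# Ports whose Internet exposure is almost always a management-plane mistake.
MGMT_PORTS = {"22/tcp", "23/tcp", "3389/tcp", "4443/tcp", "8443/tcp", "10443/tcp"}
# gnmap port entry layout: port/state/proto/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/(open)/(tcp|udp)//([^/]*)//([^/]*)/")

def parse_gnmap(text):
    """Return {host: [(port/proto, service, version), ...]} for open ports only."""
    hosts = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports = line.split("Ports:", 1)[1].split("\tIgnored State", 1)[0]
        for port, _state, proto, svc, ver in PORT_RE.findall(ports):
            hosts[host].append((f"{port}/{proto}", svc, ver.strip()))
    return dict(hosts)

def review(hosts, allowlist, mgmt_ports=MGMT_PORTS):
    """Label each open port: allowed, mgmt-exposed (fix first) or unexpected."""
    findings = []
    for host, services in hosts.items():
        for portproto, svc, ver in services:
            if (host, portproto) in allowlist:
                verdict = "allowed"
            elif portproto in mgmt_ports or "admin" in ver.lower():
                verdict = "mgmt-exposed"
            else:
                verdict = "unexpected"
            findings.append((host, portproto, svc, verdict))
    return findings

if __name__ == "__main__":
    for host, portproto, svc, verdict in review(parse_gnmap(SAMPLE_GNMAP), ALLOWLIST):
        print(f"{host:16} {portproto:10} {svc:18} {verdict}")
```

Against a real scan, replace SAMPLE_GNMAP with the contents of scan.gnmap; every "mgmt-exposed" line is a firewall rule to fix before the auditor arrives.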
2) Vulnerability Scans
Upon completion of an Nmap scan, the next step is a vulnerability scan. Without going into any depth, a typical free open-source tool used for this is OpenVAS. It will provide you with even better insight into your Internet exposure and weaknesses.
By performing these two types of scans, you go a long way toward securing your network against outside intrusion. These scans are often a requirement for NIST and SOC certifications. And by performing these cost-effective scans before any full-blown penetration testing, you get more value, sooner.
Corserva Maintains Your Firewall Security
At Corserva, we provide our clients with all of the aforementioned firewall services:
- Nightly configuration backups
- External scans & vulnerability assessments
What can be found in a firewall vulnerability assessment?
- Problems with the way the firewall is configured
- Software issues resulting from unpatched software
- Hardware and software identification exposures that leave you unnecessarily vulnerable
- Administrative access to network devices from the Internet
- Default passwords in use
Firewall Vulnerability Assessment Process
To find problems in your firewall configuration and make recommendations for improvements, Corserva can perform a firewall vulnerability assessment.
Here's how the process for a firewall vulnerability assessment works:
- We scan the security of your firewall devices, no matter where in the world they are located.
- We evaluate the severity of each vulnerability against common attack vectors.
- We sort uncovered vulnerabilities in order of priority for remediation.
- We present a report to you of our findings in a "Review, Prioritization, and Remediation Report."
- We can perform the remediation steps for you, or you can do those yourself.
By correcting the problems identified in the vulnerability assessment report, you improve the security posture of your network. The vulnerability assessment report provides you with a level of comfort in being prepared for your next SOC or NIST certification. It makes the pentester's job just hard enough for you to get real value for your money.
Corserva offers managed firewall services, in addition to a variety of other cybersecurity services for businesses, including managed SIEM, email security, managed security as a service, security awareness training, and security assessments.