Your network firewall serves as the first line of defense between your network and the untrusted Internet. The configuration of the firewall is equally as important as the firewall itself. And since networks evolve over time, you need to check the configuration regularly and make changes as warranted.
The network firewall is your first line of defense against the bad guys. It sits between your network and the Internet.
Always ready, willing, and able. Or is it?
Although the network firewall is often treated like a plug-and-play piece of hardware, it is anything but. Both new and old firewalls need proper care and feeding for them to perform as they are meant to. Firmware needs to be maintained, configurations backed up, and access rules updated. The firewall security rules should be reviewed and tested regularly to ensure they perform as they should. Performing firewall security scans regularly can identify issues with firewalls.
Maintaining a Firewall's Firmware
Like everything else on your network, your firewall is ultimately just another computer running software. No, it's not Windows (at least I hope not), but it has an operating system with millions of lines of code and hundreds of bugs waiting to be discovered and taken advantage of.
Just like all the other software on your network, the best solution we have for this problem is to patch it.
For firewalls, patching takes the form of a firmware upgrade. It replaces the firewall's old code with a newer, less vulnerable version.
Common bugs seen in firewall firmware include:
- "hidden" default passwords
- vulnerable admin interfaces
- flaws in the VPN code
Backing Up the Firewall's Configuration
Firewall configurations should be backed up regularly. Backing up a firewall's configuration allows for the following:
- Quickly falling back to a known good configuration should something go wrong.
- Identifying what has recently been changed when troubleshooting an unexpected problem.
- Protection from events such as lightning strikes where a new out-of-the-box firewall needs to be installed.
Keeping the Firewall Security Rules Up to Date
For a business, it is not unusual to have ever-changing network requirements. One day you may be spinning up a temporary SFTP server to transfer a file to a partner. Next you are moving your onsite web server to the cloud.
Whatever the change may be, a firewall rule adjustment should often be made. These adjustments often go undone, creating gaps in your first line of defense.
A network firewall serves as the first line of defense between your network and the untrusted Internet. To keep your network secure, you must ensure your firewall is configured correctly, allowing and disallowing appropriate traffic with the proper firewall security rules. As the network evolves over time, you need to update the firewall configuration.
So you have a firewall, or maybe even dozens of them. Each of them has been out there for a year or more, managed by multiple people, and their rule sets are in various unknown states.
An auditor is coming in to evaluate your security practices, and surely they will ask about what points of entry may exist from the Internet into your critical infrastructure.
What do you do now?
What you now want to do is to run an external scan. The scan can be a port scan, a firewall vulnerability scan, or both.
1) Port Scans
The most common way to run a port scan uses a tool called Nmap, which is a free, open-source network scanner capable of ping, arp, TCP, and UDP probes.
- Identify the external IP address or IP range for each of your sites.
- Set up a server that has unrestricted access to the Internet and install Nmap on it. This server's access to the Internet must be unrestricted, or else your scan results will be tainted by any outbound filtering that is in place.
- Run an Nmap scan.
nmap -sS -p- -T3 -sV -oA [YOUR IP ADDRESS]
This command will result in:
|Run against all 65,535 ports
|Normal speed (you may consider using -T4 to speed things up)
|Standard service detection
|Output all formats
Upon completion of the Nmap scan, you will have a good idea of what can be seen on your network from the Internet. To improve on it a bit more, you may want to run another Nmap, this time using a -sU for UPD and a -p 100 for the top 100 most commonly used ports.
Output in hand, you can now review the information, identifying the open services being enumerated. Determine what the services are used for and whether or not they need to be accessed via the Internet. Determine if the server offering the service is on your internal network (which is bad), or more properly located within a DMZ.
A common misconfiguration is the exposure of the web admin interface of the firewall to the Internet. Ideally, there should be no way to access a firewall's admin interface directly from the Internet. Instead, all such access should be via its internal interface. The best practice for remote admin is to use a VPN to access the management interface internally. If that is not feasible, then it should minimally be locked down for access from a small subset of known source addresses.
2) Vulnerability Scans
Upon completion of an Nmap scan, the next step is a vulnerability scan. Without going into any depth, a typical free, open-source tool used for this is OpenVAS. It will provide you with even better insight into your Internet exposure and weaknesses.
By performing these two types of scans, you go a long way in securing your network against outside intrusion. These scans are often a requirement for NIST and SOC certifications. And by performing these types of cost-effective scans before any other full-blown penetration testing, you get more value quicker.
Corserva Maintains Your Firewall Security
At Corserva, we provide our clients with all of the aforementioned firewall services:
- Firmware upgrades
- Nightly configuration backups
- External scans & vulnerability assessments
What can be found in a firewall vulnerability assessment?
- Problems with the way the firewall is configured
- Software issues resulting from unpatched software
- Hardware and software identification exposures that leave you unnecessarily vulnerable
- Administrative access to network devices from the Internet
- Default passwords in use
Firewall Vulnerability Assessment Process
To find problems in your firewall configuration and make recommendations for improvements, Corserva can perform a firewall vulnerability assessment.
Here's how the process for a firewall vulnerability assessment works:
- We scan the security of your firewall devices, no matter where in the world they are located.
- We evaluate the severity of each vulnerability against common attack vectors.
- We sort uncovered vulnerabilities in order of priority for remediation.
- We present a report to you of our findings in a "Review, Prioritization, and Remediation Report."
- We can perform the remediation steps for you, or you can do those yourself.
By correcting the problems identified in the vulnerability assessment report, you improve the security posture of your network. The vulnerability assessment report provides you with a level of comfort in being prepared for your next SOC or NIST certification. It makes the pentester's job just hard enough for you to get real value for your money.
Corserva offers managed firewall services, in addition to a variety of other cybersecurity services for businesses, including managed SIEM, email security, managed security as a service, security awareness training, and security assessments.