Your network firewall serves as the first line of defense between your network and the untrusted Internet. The configuration of the firewall is just as important as the firewall itself. And since networks evolve over time, you need to check the configuration regularly and make changes as warranted.
The network firewall is your first line of defense against the bad guys. It sits between your network and the Internet.
Always ready, willing, and able. Or is it?
Although the network firewall is often treated like a plug-and-play piece of hardware, it is anything but. Both new and old firewalls need proper care and feeding to perform as intended. Firmware needs to be maintained, configurations backed up, and access rules updated. The firewall security rules should be reviewed and tested regularly to ensure they still do what they were written to do. Scanning the firewall from the outside on a regular schedule is the most direct way to find out whether they do.
Like everything else on your network, your firewall is ultimately just another computer running software. No, it's not Windows (at least I hope not), but it has an operating system with millions of lines of code and bugs waiting to be discovered and taken advantage of. Because the firewall sits on the edge with its management plane and VPN services listening, a bug there is reachable by anyone on the Internet.
Just like all the other software on your network, the best solution we have for this problem is to patch it.
For firewalls, patching takes the form of a firmware upgrade. It replaces the firewall's old code with a newer version in which the known bugs are fixed, so keep an eye on the vendor's security advisories and back up the running configuration before you upgrade.
Common bugs seen in firewall firmware include:
Firewall configurations should be backed up regularly. Backing up a firewall's configuration allows for the following:
For a business, it is not unusual to have ever-changing network requirements. One day you may be spinning up a temporary SFTP server to transfer a file to a partner. Next you are moving your onsite web server to the cloud.
Whatever the change may be, it usually requires a matching firewall rule adjustment: a new rule to allow the traffic, and later the removal of that rule when the need goes away. The removal step is the one that most often goes undone, and every forgotten rule is a gap in your first line of defense.
Firewall Security
A network firewall serves as the first line of defense between your network and the untrusted Internet. To keep your network secure, you must ensure your firewall is configured correctly, allowing and disallowing appropriate traffic with the proper firewall security rules. As the network evolves over time, you need to update the firewall configuration.
So you have a firewall, or maybe even dozens of them. Each of them has been out there for a year or more, managed by multiple people, and their rule sets are in various unknown states.
An auditor is coming in to evaluate your security practices, and surely they will ask about what points of entry may exist from the Internet into your critical infrastructure.
What do you do now?
The first step is an external scan, run from a host outside your network, because a scan from the inside tells you nothing about what the Internet can reach. The scan can be a port scan, a firewall vulnerability scan, or both.
The most common way to run a port scan uses a tool called Nmap, which is a free, open-source network scanner capable of ICMP, ARP, TCP, and UDP probes.
nmap -sS -p- -T3 -sV -oA scan_results [YOUR IP ADDRESS]

Run it as root (a SYN scan needs raw sockets), and note that -oA takes a file basename as its argument; without one, Nmap would treat your IP address as the basename and scan nothing. The flags:

-sS    SYN (half-open) scan
-p-    Scan all 65,535 TCP ports
-T3    Normal timing (you may consider -T4 to speed things up on a reliable link)
-sV    Service and version detection
-oA    Write output in all three formats (normal, grepable, and XML) using the given basename, here scan_results
Upon completion of the Nmap scan, you will have a good idea of what TCP services can be reached on your network from the Internet. To cover UDP as well, run a second Nmap scan, this time using -sU for UDP and --top-ports 100 for the 100 most commonly used UDP ports (a full 65,535-port UDP sweep is very slow, because a UDP port that does not answer cannot be told apart from a dropped packet, which Nmap reports as open|filtered).
Output in hand, you can now review the information, identifying the open services that were enumerated. Determine what each service is used for and whether or not it needs to be accessed from the Internet; anything you cannot account for is a rule to remove. Determine whether the host offering the service is on your internal network (which is bad, since a compromise of that host lands an attacker inside your perimeter) or, more properly, located within a DMZ.
A common misconfiguration is the exposure of the web admin interface of the firewall to the Internet. Ideally, there should be no way to access a firewall's admin interface directly from the Internet. Instead, all such access should be via its internal interface. The best practice for remote admin is to use a VPN to access the management interface internally. If that is not feasible, then it should minimally be locked down for access from a small subset of known source addresses.
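The review step described above, as an added example in Python (this is not code from the original page or from Corserva): it reads the XML file that -oA writes, keeps only ports reported as open or open|filtered, and sorts them into two lists, exposure that is not on your documented allowlist and open ports that commonly carry a firewall or appliance management interface. The sample XML, the approved-exposure allowlist and the management-port list are constructed assumptions for the example; replace them with your own scan file and your documented inventory of intentionally Internet-facing services.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed sample of Nmap XML output (the .xml file that -oA writes).
# Everything here is made up for the example: the host, the ports and the products.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sS -p- -sV -oA scan_results 198.51.100.10">
  <host>
    <status state="up" reason="syn-ack"/>
    <address addr="198.51.100.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="8.9"/></port>
      <port protocol="tcp" portid="25"><state state="open" reason="syn-ack"/><service name="smtp" product="Postfix smtpd"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="nginx"/></port>
      <port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/><service name="https" product="nginx"/></port>
      <port protocol="tcp" portid="3389"><state state="filtered" reason="no-response"/><service name="ms-wbt-server"/></port>
      <port protocol="tcp" portid="8443"><state state="open" reason="syn-ack"/><service name="https-alt"/></port>
      <port protocol="udp" portid="161"><state state="open|filtered" reason="no-response"/><service name="snmp"/></port>
    </ports>
  </host>
</nmaprun>
"""

Endpoint = Tuple[str, int]  # (protocol, port)

# Assumption: the services you have documented as intentionally Internet-facing
# (e.g. the DMZ mail and web servers). Anything else found open is a gap to close.
APPROVED_EXPOSURE: Set[Endpoint] = {("tcp", 25), ("tcp", 443)}

# Assumption: ports that commonly carry an appliance or firewall management
# interface (SSH, HTTPS admin UIs on 443/8443, SNMP). An open one means
# "verify this is not the firewall's own admin interface", not proof that it is.
MANAGEMENT_CANDIDATES: Set[Endpoint] = {("tcp", 22), ("tcp", 443), ("tcp", 8443), ("udp", 161)}


@dataclass(frozen=True)
class OpenService:
    host: str
    proto: str
    port: int
    state: str      # "open", or "open|filtered" for UDP ports that never answered
    service: str    # Nmap's service name, e.g. "ssh"
    product: str    # from -sV, e.g. "OpenSSH" (empty if Nmap could not identify it)


def parse_open_services(xml_text: str) -> List[OpenService]:
    """Return every port Nmap reports as open or open|filtered, per host."""
    root = ET.fromstring(xml_text)
    found: List[OpenService] = []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        addr = addr_el.get("addr", "")
        for port in host.iter("port"):
            state_el = port.find("state")
            state = state_el.get("state", "") if state_el is not None else ""
            if not state.startswith("open"):
                continue  # closed and filtered ports are not reachable exposure
            svc = port.find("service")
            found.append(OpenService(
                host=addr,
                proto=port.get("protocol", ""),
                port=int(port.get("portid", "0")),
                state=state,
                service=svc.get("name", "") if svc is not None else "",
                product=svc.get("product", "") if svc is not None else "",
            ))
    return found


def review(services: List[OpenService], approved: Set[Endpoint]) -> Dict[str, List[OpenService]]:
    """Split the scan into what needs action: undocumented exposure and possible admin interfaces."""
    return {
        "unexpected": [s for s in services if (s.proto, s.port) not in approved],
        "management_candidates": [s for s in services if (s.proto, s.port) in MANAGEMENT_CANDIDATES],
    }


if __name__ == "__main__":
    services = parse_open_services(SAMPLE_NMAP_XML)
    findings = review(services, APPROVED_EXPOSURE)
    for label, items in findings.items():
        print(f"== {label} ==")
        for s in items:
            print(f"{s.host} {s.proto}/{s.port} {s.state} {s.service} {s.product}".rstrip())
```

To use it on a real scan, pass the contents of scan_results.xml to parse_open_services() and the second (UDP) scan's XML the same way. Any UDP port reported as open|filtered still needs a follow-up with -sV or a protocol-specific probe, since Nmap could not tell an open port from a silently dropped packet; and a host appearing under both lists (here tcp/443) is approved but still needs a check that it is the DMZ web server, not the firewall's own admin UI.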
Upon completion of the Nmap scans, the next step is a vulnerability scan. Without going into any depth, a typical free, open-source tool used for this is OpenVAS. Where Nmap tells you which services are reachable, a vulnerability scanner checks those services for known weaknesses and gives you even better insight into your Internet exposure.
By performing these two types of scans, you go a long way toward securing your network against outside intrusion. External scans of this kind are routinely expected by auditors working against NIST frameworks and in SOC audits. And by performing these cost-effective scans before any full-blown penetration test, you get more value quicker: the easy findings are fixed before you pay someone to find them.
At Corserva, we provide our clients with all of the aforementioned firewall services:
To find problems in your firewall configuration and make recommendations for improvements, Corserva can perform a firewall vulnerability assessment.
Here's how the process for a firewall vulnerability assessment works:
By correcting the problems identified in the vulnerability assessment report, you improve the security posture of your network. The report also gives you a level of comfort in being prepared for your next SOC audit or NIST-based assessment. And it clears away the obvious findings in advance, so a subsequent penetration test spends its time on the harder problems and you get real value for your money.
Corserva offers managed firewall services, in addition to a variety of other cybersecurity services for businesses, including managed SIEM, email security, managed security as a service, security awareness training, and security assessments.