Common errors in firewall management

Our security analysts regularly run into serious security risks in the area of firewall configuration and management. These are some of the problems they have encountered:

Multiple firewalls

A single firewall requires regular maintenance and daily monitoring: rule sets must be reviewed, firmware kept up to date and the configuration adjusted as the network changes. That work is multiplied by every firewall deployed in an environment. When multiple firewalls exist and staff are too few, or lack the skills to maintain them, serious security issues go unnoticed and critical data ends up lost or compromised.

No firewall checks

Firewall auditing, in which a company periodically reviews its firewall rules and verifies that each one is still needed and still correct, is often not performed at all. One benefit of hiring a managed security service provider (MSSP) is that most providers include regular firewall reviews as a core part of their basic service.

A SecurityMetrics auditor reported one case in which no IT administrator at a healthcare organization had logged in to review the firewall settings for two years. The auditor discovered a VPN tunnel connecting the firewall to a former IT employee's home network. The organization was unable to manage its firewall properly, and as a result sensitive data on the network was at significant risk.

Misunderstanding how firewalls work

There are firewall concepts that not all IT staff are familiar with. The segment between the outward-facing network and the internal network, known as the "demilitarized zone" or DMZ, must itself be secured: a host in the DMZ is reachable from the Internet, so the firewall must also limit what that host can in turn reach on the inside. One audit found ports and services left open on both sides of the DMZ, meaning an attacker who compromised an exposed DMZ host would have had a path straight into the internal network. The network was exposed to external malicious activity, and the company did not initially see this as a problem.

Inexperience and lack of supervision

IT staff are often expected simply to "make things work." There is enormous pressure to keep systems running for day-to-day business operations, and that pressure sometimes leads to reckless or risky setups. In one case, whenever a merchant had a problem with the firewall, an IT employee applied an any/any rule (permit all traffic from any source to any destination) while diagnosing the cause. This left the merchant's network completely exposed for as long as the troubleshooting lasted, and there is always the added risk that such a rule is never disabled or removed once testing is complete.

Convenience and access versus security

One experience stunned a security analyst: after four years of auditing a long-time customer, during which he had reviewed and approved hundreds of firewall rules, he realized that the customer had been changing the rules as soon as he left, to make access more convenient.

 

Firewall not compliant with PCI DSS

Even if a company uses an MSSP for a managed firewall, the MSSP itself may not be PCI DSS compliant, and in that case the company would be considered non-compliant as well. Make sure you choose a PCI DSS compliant service provider that can supply a current Attestation of Compliance (AOC) as proof.

Firewall breaches are the rule

Field experience from our security analysts shows that incorrect firewall settings, and the breaches that follow from them, are the rule rather than the exception. Many breaches at large restaurants and retailers are the result of improper firewall configurations that allow traffic from outside to pass through to internal systems.

If a company is determined to manage its own firewall or other security devices, it is essential that it has a solid understanding of how to implement, manage and maintain them, both conceptually and practically. Better still is to engage an experienced, certified vendor to help manage the firewall. You would be surprised how often a second pair of trained eyes notices a potentially serious vulnerability that would otherwise go completely unnoticed.

SecurityMetrics Pulse SOC / SIEM

SecurityMetrics Pulse is a SOC / SIEM product that provides visibility into the blind spots of the extended network. Pulse detects threats against a company's environment so you can act on them and stop a data breach before it happens.


jackmaxwell