6 Risky Firewall Configuration Errors & How to Put Them Right
Simply having a network firewall isn’t enough to keep your organisation safe online – correct configuration and management makes all the difference.
There are a number of things that any organisation needs in order to remain safe online, not least of which is a next-generation network firewall.
Yet simply having a firewall isn’t necessarily going to protect your network. It needs to be correctly installed and configured in order to serve you well – in fact, a poorly configured firewall can be just as bad as not having one at all!
Our technicians have encountered all sorts of weird and wonderful firewall misconfigurations over the years – before putting them right, of course! So here are 6 questions that will help you avoid the most common firewall slip-ups we see time and time again…
Is Your Firewall Looking at Encrypted Traffic?
Around 85% of web traffic nowadays is encrypted, meaning that unauthorised parties can’t listen in on those communications. If they were to try, all they would see is useless, encrypted gibberish. You may have noticed that most web addresses now begin with “https://”, an indicator of the secure HTTPS/TLS protocol which encrypts communications between websites and their visitors.
All cybersecurity experts – ourselves included – salute this widespread move to HTTPS as it helps to make the web a safer place from would-be snoopers and cyber criminals.
However, this move does present a problem: a firewall that isn’t inspecting TLS can only see the outside of each connection – the IP addresses, the ports and (for now) the server name sent in the TLS handshake. That is enough to block a known-bad destination, but not to apply URL filtering, intrusion-prevention signatures or malware scanning to what is actually inside the tunnel. An older firewall presented with HTTPS traffic effectively says “I can’t read this, and I can’t see anything untoward – I’ll just let it through”, which today means waving through the majority of your web traffic uninspected.
So if your firewall is coming to the end of its lifecycle, a) call us or your provider for an upgrade, and b) check whether it offers deep-packet inspection (“DPI”) for encrypted traffic, sometimes labelled SSL/TLS inspection. This works by having the firewall terminate the client’s TLS session, inspect the decrypted content, and open a fresh TLS session to the real server. For that to work, every managed device must trust a certificate authority held by the firewall, so the feature only covers devices you can push that certificate to; unmanaged or guest devices will see certificate warnings instead.
If your firewall has DPI available, enable it – but roll it out with a few caveats in mind. Exclude categories where interception breaks things or isn’t appropriate (applications that pin their certificates, and sites such as online banking or healthcare where your privacy policy says you won’t look). Treat the firewall’s private CA key as a crown jewel, because anyone who obtains it can impersonate every website to your users. And check the performance headroom, since decrypting and re-encrypting traffic is expensive. Bonus points if the DPI engine supports the latest version of TLS, TLS 1.3, natively; older engines typically either negotiate TLS 1.2 instead or give up and pass the session through unread.
Is Your Firewall Refusing Most Inbound Traffic but Letting All Traffic Out?
Some companies take this quick (read: “lazy”) way of setting up a firewall. They only allow inbound traffic to the ports that serve things like email, web and perhaps remote access (which is a sensible move), but they don’t apply the same discipline to outbound traffic, letting everything out (which is very dangerous).
This approach usually comes from the misconception that cyber threats are a purely inbound affair – “all I have to worry about is malware getting in; anything that wants to leave should be free to go”. In practice almost every intrusion depends on outbound connections: the initial foothold downloads its real payload, the implant then checks in with a command-and-control server, and stolen data is uploaded to somewhere the attacker controls. Each of those steps is an outbound connection your firewall could have refused, or at the very least logged.
Let’s say a piece of zero-day malware sneaks past your firewall and antivirus – perhaps via a phishing or social engineering attack – and its goal is to leak sensitive data to the attacker’s server. With no limits or logging on outbound traffic, it can do so to its heart’s content, and nothing in your logs will show the connection ever happened.
High-profile data breaches are proof that data theft is big business, and especially post-GDPR, the “let everything out” approach can be costly and dangerous to companies of all sizes. Establish what your users and servers actually need to reach, and allow traffic in and out only on the ports that support that functionality. A good starting point is to default-deny outbound, then permit web browsing (ideally via a proxy), DNS only to your own resolvers, and the handful of specific destinations your servers legitimately talk to – and log every outbound connection that gets refused, because those denies are some of the most useful alerts a firewall can give you.
Are You Taking a “Set it And Forget it” Approach to Firewall Rules?
This is another way that companies can get lazy when it comes to setting up their firewalls: setting their firewall’s rules one time and never revisiting them – even months or years down the line. Alternatively, they may plan to revisit their firewall rules periodically, but it becomes a “when I have time for it” job that competes with other, more urgent matters on their to-do list.
Networks are figuratively living, breathing, ever-developing things. Chances are that your network is almost unrecognisable compared to, say, 3 years ago. You should revisit your firewall’s rules each time you welcome new users, bid farewell to leavers, implement new technology, and adapt to new rules and legislation (such as GDPR). This will keep your firewall primed to handle your network as it is today, not as it was a while ago.
As well as reviewing the rules when changes arise, make it a priority to review the whole rule base at least every quarter. Rules left over from projects that no longer exist, and rules that overlap, cost processing time in the firewall, but the bigger risk is shadowing: on a first-match firewall, a broad “allow” placed above a narrower “deny” means the deny never fires at all, and a rule someone added “temporarily” for a migration years ago is still quietly permitting that traffic today. Combine or retire such rules, and record who owns each one and why it exists so the next review is faster.
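The two questions above (unrestricted outbound traffic, and rules that are never revisited) can both be checked mechanically. The script below is an added example written for this article, not Just Firewalls’ tooling or any vendor’s export format: it models a rule base in a constructed, vendor-neutral form and reports three findings – outbound “allow anything to anywhere” rules, rules shadowed by an earlier broader rule (so they never fire on a first-match firewall), and rules nobody has reviewed within the allowed window. The “lazy” and “tight” rule bases are made up to show the difference between the two approaches described above.

```python
"""Audit a firewall rule base for permit-everything egress, shadowed rules
and rules nobody has looked at in a while.  Added example: the rule format
is a constructed, vendor-neutral one, and both sample rule bases are made
up to show the findings, not exported from any product."""
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_network


@dataclass
class Rule:
    name: str
    direction: str       # "in" or "out"
    src: str             # CIDR, or "any"
    dst: str             # CIDR, or "any"
    ports: frozenset     # destination ports, or ANY
    action: str          # "allow" or "deny"
    last_reviewed: date


ANY = frozenset({"any"})
TODAY = date(2024, 4, 1)   # fixed "today" so the sample output is reproducible


def _net(cidr):
    return ip_network("0.0.0.0/0" if cidr == "any" else cidr)


def covers(outer, inner):
    """True when every packet `inner` matches is already matched by `outer`.
    On a first-match firewall, `inner` placed after such an `outer` never fires."""
    return (outer.direction == inner.direction
            and _net(inner.src).subnet_of(_net(outer.src))
            and _net(inner.dst).subnet_of(_net(outer.dst))
            and (outer.ports == ANY or inner.ports <= outer.ports))


def audit(rules, today=TODAY, max_age_days=90):
    """Return the three kinds of finding discussed in the article."""
    findings = {"open_egress": [], "shadowed": [], "stale": []}
    for i, r in enumerate(rules):
        # 1. "Let everything out": outbound allow with no destination or port limit.
        if r.direction == "out" and r.action == "allow" and r.dst == "any" and r.ports == ANY:
            findings["open_egress"].append(r.name)
        # 2. Shadowing: an earlier rule already matches everything this one would.
        for earlier in rules[:i]:
            if covers(earlier, r):
                findings["shadowed"].append((r.name, earlier.name))
                break
        # 3. Staleness: nobody has confirmed this rule is still needed.
        if (today - r.last_reviewed).days > max_age_days:
            findings["stale"].append(r.name)
    return findings


# Constructed "before" rule base: inbound is tight, outbound is wide open.
LAZY_RULES = [
    Rule("allow-web-in", "in", "any", "203.0.113.10/32", frozenset({80, 443}), "allow", date(2024, 1, 15)),
    Rule("allow-all-out", "out", "10.0.0.0/8", "any", ANY, "allow", date(2021, 6, 1)),
    Rule("allow-dns-out", "out", "10.0.0.0/8", "10.0.0.53/32", frozenset({53}), "allow", date(2024, 1, 15)),
    Rule("deny-smb-out", "out", "10.0.0.0/8", "any", frozenset({445}), "deny", date(2024, 1, 15)),
    Rule("allow-legacy-fax", "out", "10.0.5.7/32", "198.51.100.9/32", frozenset({1720}), "allow", date(2019, 3, 1)),
]

# Constructed "after" rule base: only what users need, explicit deny-all last.
TIGHT_RULES = [
    Rule("allow-web-in", "in", "any", "203.0.113.10/32", frozenset({80, 443}), "allow", date(2024, 1, 15)),
    Rule("allow-dns-out", "out", "10.0.0.0/8", "10.0.0.53/32", frozenset({53}), "allow", date(2024, 1, 15)),
    Rule("allow-web-out", "out", "10.0.0.0/8", "any", frozenset({80, 443}), "allow", date(2024, 1, 15)),
    Rule("deny-all-out", "out", "any", "any", ANY, "deny", date(2024, 1, 15)),
]

if __name__ == "__main__":
    for label, rules in (("lazy", LAZY_RULES), ("tight", TIGHT_RULES)):
        print(label, audit(rules))
```

On the “lazy” rule base the audit reports that `allow-all-out` is an open egress rule, that `deny-smb-out` (and the DNS and fax rules) sit beneath it and can never match, and that two rules are overdue for review; the “tight” rule base produces no findings. The shadowing check is deliberately conservative: it only reports a rule when an earlier rule matches everything the later one would, which is exactly the case where a deny has silently stopped working.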
Are Your Firewall Alerts Properly Set Up and Monitored?
Firewall alerts are incredibly useful. They let us know when something needs our urgent attention. However, we often see alerts switched on for the most mundane, everyday firewall events. And when you’re swamped with hundreds of low-quality, non-actionable alerts, it’s only a matter of time before you start to mentally tune out <em>all</em> of them.
If this sounds familiar, then take 5 minutes every day to run through your alerts and get an idea of what they’re trying to tell you. Are there serious security issues going unaddressed? Or does your firewall get a bit “alert happy” and notify you of every little thing it does?
You don’t need us to tell you that anything in the former camp needs addressing without delay. But make a note of the humdrum alerts too: if they add no particular insight or guidance, amend their thresholds or switch them off. A good rule of thumb is that an alert should only fire for something a person will act on; an inbound connection the firewall has already dropped is rarely that, whereas an internal host being blocked on its way out almost always is.
You don’t want a serious alert buried under thousands of similar-looking unimportant ones. Periodically review the alerts you actually receive (especially through external channels like email) and compare them with the logs the firewall keeps. Are there moderate-to-important events you’re not hearing about? If you take our earlier advice about a quarterly review of firewall rules, that’s also a great opportunity to review your alert conditions, adding, removing or streamlining alert logic where needed.
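To make the “alert only on what someone will act on” idea concrete, here is an added example (written for this article, not Just Firewalls’ monitoring and not any firewall’s native alert engine) that triages a batch of firewall log lines. The key=value log layout and the sample lines are constructed. Background inbound denies are counted but suppressed unless one source walks through several ports; an internal host being denied on the way out is always surfaced; and an internal host that keeps connecting to the same external address at a near-constant interval is flagged as possible command-and-control beaconing, which is something you would want to hear about but which a raw “allowed connection” alert would never highlight.

```python
"""Sort firewall log events into the few that deserve an alert and the many
that don't.  Added example, not the page's or any vendor's code: the
key=value log layout and the sample lines are constructed to exercise the
three checks below."""
from collections import defaultdict
from datetime import datetime

# Constructed sample: one Internet host walking through several ports (a
# scan), one stray inbound probe, and one internal host that is both blocked
# trying to reach SMB outbound and talking to the same external address on a
# suspiciously regular ten-minute cycle.
SAMPLE_LOG = """\
2024-04-01T09:00:00 action=allow dir=out src=10.0.2.15 dst=203.0.113.50 dport=443
2024-04-01T09:00:05 action=deny dir=in src=198.51.100.23 dst=203.0.113.10 dport=23
2024-04-01T09:00:06 action=deny dir=in src=198.51.100.23 dst=203.0.113.10 dport=22
2024-04-01T09:00:07 action=deny dir=in src=198.51.100.23 dst=203.0.113.10 dport=3389
2024-04-01T09:03:11 action=deny dir=in src=192.0.2.77 dst=203.0.113.10 dport=445
2024-04-01T09:05:40 action=deny dir=out src=10.0.2.15 dst=192.0.2.9 dport=445
2024-04-01T09:10:00 action=allow dir=out src=10.0.2.15 dst=203.0.113.50 dport=443
2024-04-01T09:12:30 action=allow dir=out src=10.0.2.20 dst=203.0.113.60 dport=443
2024-04-01T09:20:00 action=allow dir=out src=10.0.2.15 dst=203.0.113.50 dport=443
2024-04-01T09:30:01 action=allow dir=out src=10.0.2.15 dst=203.0.113.50 dport=443
2024-04-01T09:41:02 action=allow dir=out src=10.0.2.20 dst=203.0.113.60 dport=443
"""


def parse_line(line):
    """Turn 'TIMESTAMP key=value ...' into a dict with a datetime and an int port."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.fromisoformat(ts)
    event["dport"] = int(event["dport"])
    return event


def triage(log_text, scan_ports=3, beacon_min=4, beacon_jitter_s=5):
    """Return {'alerts': [...], 'suppressed': n}.

    - Inbound denies from the Internet are background noise unless one source
      touches `scan_ports` or more distinct ports (a scan).
    - Outbound denies from inside are always surfaced: something internal is
      trying to reach a place policy says it shouldn't.
    - Outbound allows repeating to one destination at a near-constant interval
      are flagged as possible command-and-control beaconing.
    """
    alerts, suppressed = [], 0
    inbound_denies = defaultdict(list)        # src -> [dport, ...]
    outbound_allows = defaultdict(list)       # (src, dst, dport) -> [ts, ...]

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["action"] == "deny" and ev["dir"] == "in":
            inbound_denies[ev["src"]].append(ev["dport"])
        elif ev["action"] == "deny" and ev["dir"] == "out":
            alerts.append({"severity": "high", "type": "egress_blocked",
                           "host": ev["src"], "dst": ev["dst"], "dport": ev["dport"]})
        elif ev["action"] == "allow" and ev["dir"] == "out":
            outbound_allows[(ev["src"], ev["dst"], ev["dport"])].append(ev["ts"])

    for src, ports in inbound_denies.items():
        if len(set(ports)) >= scan_ports:
            alerts.append({"severity": "medium", "type": "inbound_scan",
                           "host": src, "ports": sorted(set(ports))})
        else:
            suppressed += len(ports)          # the firewall did its job; no alert

    for (src, dst, dport), times in outbound_allows.items():
        if len(times) < beacon_min:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= beacon_jitter_s:
            alerts.append({"severity": "high", "type": "possible_beacon",
                           "host": src, "dst": dst, "dport": dport,
                           "interval_s": round(sum(gaps) / len(gaps))})
    return {"alerts": alerts, "suppressed": suppressed}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for alert in result["alerts"]:
        print(alert)
    print("suppressed as noise:", result["suppressed"])
```

Run against the sample, the eleven log lines collapse to three alerts (the port scan from 198.51.100.23, the blocked outbound SMB attempt from 10.0.2.15, and that same host’s 600-second beacon to 203.0.113.50) plus one suppressed inbound probe. The thresholds are parameters on purpose: tune `scan_ports` and `beacon_jitter_s` to your own traffic during the quarterly review rather than leaving them at whatever they were first set to.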
Is Your Firewall’s Firmware Kept up to Date?
It’s easy to see your firewall as a little box that sits in a corner, doing its job come rain or shine, all hours of the day. However, the box you see merely houses software that does all of the work. And just like any piece of software, it will need updating from time to time.
Occasionally your firewall will tell you that a new version of its firmware is available. Install it without delay (after a quick look at the release notes and, for a production firewall, a configuration backup and a scheduled maintenance window). Firmware updates usually bundle security patches alongside new functionality, and on a firewall the patches are the part that matters.
Cybercriminals constantly probe security products themselves, so it’s quite possible that someone out there is hunting for exploitable flaws in older firewall firmware – and a firewall is a particularly attractive target because it sits at the edge of your network with a view of everything behind it. So always keep on top of updates, subscribe to your vendor’s security advisories, and never expose the firewall’s management interface to the internet. And if you’ve had your firewall for 5 years or more, you’re well overdue for an upgrade.
Are All of Your Devices Connected “Behind” the Firewall?
What do you do when you need to connect a new device to your network? If your answer is something along the lines of “find an empty network socket and whack it in”, then this tip is for you.
Think about it – do you really know where every Ethernet port on your premises goes? Are they all visible to and protected by your firewall? If you have a small, self-installed network on your own premises then it’s highly likely (but not definite) that this will be the case. However, if you’re in shared premises or in an area that relies on less traditional IT like a factory floor or warehouse, it may have been a while since that socket got some cyber-TLC.
Using an internet connection that isn’t overseen by your firewall is incredibly risky, especially if the device also has access to on-network resources like sensitive databases or file storage, because it becomes a bridge straight past your perimeter. SCADA/IoT devices are particularly exposed here: they generally require network connectivity, rarely have any security controls of their own, and often can’t be patched. Yet SCADA isn’t the only target. Any networked device connected “in front of” your firewall (i.e. outside its protection) is a tempting prospect for those looking to steal data, cripple productivity, infiltrate systems and generally cause digital mayhem. Treat the physical network the way you treat the rule base: keep a record of which sockets are live and where they lead, disable the unused ones, put SCADA/IoT kit on its own segment that still passes through the firewall, and walk the floor occasionally to check that nobody has quietly plugged in their own router.
Just Firewalls Managed Firewall Service
Does all of this tinkering and maintenance feel like it’s going to take too much time out of your working day? Well thankfully, it can all be easily outsourced with Just Firewalls’ Managed Firewall Service.
Rather than constantly juggling alerts and settings in-house, we’ll take the hassle off your shoulders. Our expert technicians are on hand to provide no-nonsense firewall setup, management and maintenance – as well as friendly 24/7 support over the phone, online and (where needed) on-site.
Our managed firewall service also includes regular, jargon-free reporting, giving you crucial insight into your unique cyber security profile, what threats you’re fending off, and the effectiveness of your whole security stack.
So if firewall management is taking too much time away from other crucial business needs, why not leave it to the experts? Explore our managed firewall service today!