SecPoint & IT Security News

Top 10 Firewall Configuration Mistakes

Cybercrime has gone up a whopping 600% because of COVID, according to the U.N. Security Council. And with trillions in financial gain at stake, cybercriminals aren’t going to ease up any time soon.

A firewall can protect you and your network, but lapses in your firewall configuration can leave you vulnerable.

To help you learn how to configure a firewall so it’s not open to attack, we explain 10 common firewall configuration mistakes.

Top 10 Firewall Configuration Mistakes

1. Visible Firewall Management Interface

Your firewall management network should be isolated from the rest of your network. Network segmentation involves creating virtual local area networks (VLANs) for specific functions within the network.

If the firewall management access doesn’t have its own VLAN, it could be visible to the internet.

And if the firewall configuration allows access to the management interface from the internet or other unsecured zones, you are completely vulnerable once a cybercriminal enters your network.

For this firewall configuration, it’s important to:

  1. Isolate the management system on a VLAN network
  2. Allow only in-network IP addresses
  3. Use multi-factor authentication (MFA) to gain access
  4. Restrict which network protocols (HTTP, SSH, Telnet) can reach the management interface.

This firewall maintenance keeps cybercriminals from changing your firewall configurations to grant them total access. It also keeps you from being locked out of your own firewall.

This way, even if a cybercriminal makes it past the external defenses, they won’t be able to gain full access to all your internal network systems.

Every user that has access to the firewall management interface is a potential security risk. Access should be granted on a need-to-use basis.

2. Leaving Intrusion Prevention Systems Off

Intrusion prevention systems (IPS) inspect incoming network traffic and block packets that cybercriminals could use to disrupt service or take control of a device or network.

Leaving this firewall configuration off takes away an important layer of security.

Network traffic is made up of packets, or small bundles of data. Two popular packet attacks are denial of service (DoS) and Distributed Denial of Service (DDoS).

DoS attacks either overwhelm a network with too much traffic, or send in malicious packets that cause it to crash. A DDoS attack works the same way, but uses multiple systems to attack a target all at once.

IPS works as both prevention and detection. Because network packet transfer is fast, the IPS constantly scans and monitors packets and responds in real-time.

If the IPS spots a threat, it can block the traffic from the DoS attack, or drop its malicious packets.

IPS also protects against worms (replicating programs) and network viruses that can travel between computers. It can remove malicious content that breached the firewall after an attack.

Without the IPS, your network can be easily attacked through network traffic. Your firewall configuration should include the IPS switched on.

3. Secure Shell Ports Left Open

Secure Shell or Secure Socket Shell (SSH) ports are designed to allow secure access to a device over an unsecured network. It’s a more secure network protocol than Telnet or File Transfer Protocol (FTP).

SSH works through the client-server model to connect an SSH client to an SSH server. SSH uses encryption so the data packets aren’t exposed to malicious packet analyzers or packet sniffers.

SSH port forwarding opens the SSH port to allow tunneling between a secure SSH host and an insecure host. Because the tunneled traffic is carried inside the encrypted SSH session, it passes through the firewall without being inspected, and without detection or repercussions.

SSH tunnels can have many uses for IT system admins, but they are also useful to cybercriminals. The standard SSH port is 22.

Every basic systems hacker in the world is going to try port 22 to see if it’s open. Even script kiddies can easily attempt to log into an open SSH port hundreds of times a day.

Some firewalls may also leave the SSH port open by default. Like changing a default password, learning how to set up a strong firewall configuration includes securing the SSH port.

4. Too Many Open Firewall Ports

The SSH port isn’t the only vulnerable access point. Firewalls manage multiple ports to allow legitimate access in, while keeping malicious access out.

Common ports include:

  • Port 20: FTP data transfer
  • Port 21: FTP control (command)
  • Port 25: Simple Mail Transfer Protocol (SMTP)
  • Port 53: Domain Name System (DNS)
  • Port 80: Hypertext Transfer Protocol (HTTP)
  • Port 110: Post Office Protocol (POP3)
  • Port 143: Internet Message Access Protocol (IMAP)
  • Port 161: Simple Network Management Protocol (SNMP)
  • Port 443: Hypertext Transfer Protocol over SSL/TLS (HTTPS)

Some or all of these ports will probably be open at one point or another. These ports are used to browse the web, send and receive emails, or connect to the internet.

Firewalls follow rule sets to determine what is safe, but these rules are at the mercy of human error. If your firewall rules have configuration mistakes, your firewall ports could be breached.

Each open port is a potential vulnerability for a malicious agent to slip through alongside legitimate access. For better security, familiarize yourself with the ports your network uses and doesn't use.

Once you're familiar with your firewall's ports, you can adjust the firewall configuration so that ports are open only while you need them and closed when they are unused.

5. Leaving on Unused Protocols and Services

Like open ports, a firewall configuration that leaves unused network services reachable creates another vulnerable spot for an attack. Common network services that listen on ports include:

  • Web servers
  • Proxy servers
  • Dynamic routing
  • FTP servers
  • File share servers
  • Remote access programs

Cybercriminals can access your network through flaws in each service. To lower the risk of exploitation, your firewall configuration should also turn off any unused service.

6. Failure To Install Firewall Updates and Patches

A surprisingly high number of users don’t install regular and critical updates to their firewall. This is despite the fact that most patches are pushed to fix known security vulnerabilities.

Your firewall configuration should include regular updates. A firewall that isn’t up-to-date will become incompatible with new programs, software, and other technologies.

These incompatibilities will degrade firewall performance and open up weak spots whenever you access anything beyond the firewall. Your firewall will be sluggish at detecting threats.

Routine firewall maintenance will make sure your firewall is working properly and effectively. If it isn’t working properly, most firewall troubleshooting applications will automatically check to see if you missed an update or patch.

Patches can be even more critical than updates. Some security flaws or errors in firewalls aren’t discovered until they’re tested in real-world applications.

Cybercriminals discover and share these errors and flaws quickly. If you don’t have your firewall configuration set up to install patches ASAP, your firewall can be dodged when they target your network.

7. Leaving Default Firewall Password

This seems like a no-brainer in how to set up a firewall, but according to global survey data, 40% of IT security pros don’t even change the default admin password.

Like routers, firewall hardware has default passwords included in manuals or stickers. This lets the customer access the device without having to call an IT service or have access granted remotely.

These default passwords are easy for cybercriminals to get or break. Some default firewall passwords are as simple as "admin/admin."

For proper firewall maintenance, you should:

  • Change default passwords
  • Update passwords regularly
  • Make passwords complicated
  • Only save passwords on paper
  • Never share passwords online

Undetected malware can view what keystrokes you use to enter a password using keyloggers. Your firewall should keep keyloggers out of your network or device, but changing passwords regularly adds extra security in case they slip in another way.

Cybercriminals also use phishing and social engineering to trick you into giving up a password voluntarily.

Only use firewall passwords to gain access to the firewall. Don’t share them through e-mails, text messages, or on shared public devices.

Your firewall password configuration should also be unique from all your other passwords. If someone maliciously gets your e-mail or WiFi password, you can bet they are going to try it on your firewall too.

8. Leaving Reputation Block Lists Off

Reputation Block Lists (RBL) protect against domain names that are spam or known security threats. They’re the unsung heroes of cyber security.

According to Cisco Systems, over 80% of all email is spam. This statistic isn’t just for America, but the whole world.

This means your firewall is potentially blocking thousands to millions of spam e-mails a day, without even including other spam and security threats.

RBLs are maintained by many organizations, including researchers and public interest groups. Cybersecurity networks and commercial companies with a vested interest in cybersecurity also maintain and contribute to RBLs.

If you’ve ever turned on Microsoft or Google safe browsing, you may have come across blocked websites with security warnings. These warnings are based on RBLs. Facebook, Twitter, and Amazon use RBLs for their cybersecurity too.

Turning off an RBL in your firewall configuration means you can access harmful sites and/or be flooded with spam. 

9. Human Error in Firewall Configurations

Like common privacy mistakes, human judgment isn’t always the best.

Firewall rules are set up so networks can tailor what specific security functions they need in their firewall configuration.

Unfortunately, this leaves the firewall vulnerable to improperly configured rules. To mitigate this risk, follow these best practices for firewall rule configuration:

  • Block all traffic by default
  • Only open access to known devices
  • Only grant access based on the principle of least privilege
  • Prioritize the rule order (highest priority first)
  • Remove rules for former users
  • Eliminate redundancies and duplicates
  • Eliminate conflicting rules
  • Regularly remove unused or temporary rules
  • Remove obsolete rules

Blocking all traffic by default and selectively opening access is easier than allowing open access by default, and then trying to selectively block traffic. Access should only include trusted devices.

Network access privileges are best given on a needs-based priority, where only the amount of access needed to perform a function is given (least privilege). This prevents the potential malicious use of higher privileges.

The firewall system moves through a list of rule sets in order, so it’s best to prioritize rules for more responsive protection. User and management permit rules should be listed higher than other functions.

Once someone no longer needs access to the network, it’s best to remove their permit rule. Not only do the extra rules slow down the firewall, but they also create a human vulnerability in your network.

Other rules that can bog down your firewall performance include redundancies, duplicates, and conflicts. Your firewall will have to work through these errors before it can perform other tasks. 

Unused, temporary, and obsolete rules clutter up firewall rule sets and degrade performance. You should regularly inspect your firewall configuration to remove these unneeded rules.

Learning how to configure firewall rules will keep your firewall running quickly and smoothly.
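The rule-order, redundancy and conflict points above, and the management-VLAN restriction from mistake 1, can be checked mechanically. The following is an added example written for this article, not SecPoint's code or any vendor's rule syntax: it evaluates a small constructed rule set the way a first-match firewall does and reports rules that can never fire. The subnets 10.10.99.0/24 (management VLAN) and 198.51.100.0/24 (branch office) and all rule names are assumptions.

```python
import ipaddress
from collections import namedtuple

# dst_port None means "any port"; action is "allow" or "deny"; src is a CIDR.
Rule = namedtuple("Rule", "name action src dst_port proto", defaults=("tcp",))

# Constructed sample rule set, not from the article. 10.10.99.0/24 is the assumed
# management VLAN; 198.51.100.0/24 is an assumed branch office.
RULES = [
    Rule("mgmt-ssh-from-vlan", "allow", "10.10.99.0/24", 22),
    Rule("web", "allow", "0.0.0.0/0", 443),
    Rule("old-contractor", "allow", "203.0.113.7/32", 22),    # former user: should be removed
    Rule("web-dup", "allow", "0.0.0.0/0", 443),               # exact duplicate of "web"
    Rule("block-ssh-all", "deny", "0.0.0.0/0", 22),
    Rule("branch-ssh", "allow", "198.51.100.0/24", 22),       # placed below the deny: never fires
    Rule("default-deny", "deny", "0.0.0.0/0", None),
]

def matches(rule, src_ip, dst_port, proto="tcp"):
    return (proto == rule.proto
            and ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.src)
            and (rule.dst_port is None or rule.dst_port == dst_port))

def evaluate(rules, src_ip, dst_port, proto="tcp"):
    """First match wins, as on a typical firewall; implicit deny if nothing matches."""
    for rule in rules:
        if matches(rule, src_ip, dst_port, proto):
            return rule.action, rule.name
    return "deny", "implicit"

def covers(earlier, later):
    """True if every packet that matches `later` is already matched by `earlier`."""
    return (earlier.proto == later.proto
            and ipaddress.ip_network(later.src).subnet_of(ipaddress.ip_network(earlier.src))
            and (earlier.dst_port is None or earlier.dst_port == later.dst_port))

def audit(rules):
    """Find rules that can never fire: redundant if the earlier rule agrees, conflict if not."""
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "conflict"
                findings.append((later.name, kind, earlier.name))
                break
    return findings
```

Running `audit(RULES)` flags "web-dup" as redundant and "branch-ssh" as conflicting with the deny placed above it, while `evaluate` shows the stale "old-contractor" rule still granting SSH access.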

10. Not Logging Outputs

If your firewall configuration doesn’t include logging outputs, you may not even know how, when, or why your network is being attacked.

Log outputs show the details of an attack and help you determine if any breaches occurred. Without a log, you won’t be able to analyze how the intrusion happened.

If you can’t analyze the breach, you won’t know what specific firewall troubleshooting functions to perform to fix the flaw. You’ll have to do an exhaustive overhaul of the whole firewall, while still open to similar attacks.
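To show what the "how, when, and why" of mistake 10 looks like in practice, and how the repeated port 22 probing from mistake 3 surfaces in it, here is an added example that is not from the article: it parses netfilter-style drop/accept log lines and counts dropped attempts per port and per source. The log lines are constructed, and the "FW-DROP:" / "FW-ACCEPT:" prefixes are assumed log-prefix labels.

```python
import re
from collections import Counter

# Constructed sample lines in iptables/netfilter syslog format (not real traffic).
# "FW-DROP:" and "FW-ACCEPT:" are assumed --log-prefix labels set by the operator.
SAMPLE_LOG = """\
Jan 10 03:14:05 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=22 SYN
Jan 10 03:14:06 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51235 DPT=22 SYN
Jan 10 03:14:07 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51236 DPT=22 SYN
Jan 10 03:14:09 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51237 DPT=22 SYN
Jan 10 03:15:00 fw kernel: FW-ACCEPT: IN=eth0 OUT= SRC=10.10.99.5 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=22 SYN
Jan 10 03:15:30 fw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=44444 DPT=23 SYN
Jan 10 03:16:02 fw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=UDP SPT=53000 DPT=161 LEN=80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<prefix>\S+): .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)

def parse(log_text):
    """Return one dict per parseable netfilter log line; unrelated lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            event = m.groupdict()
            event["dpt"] = int(event["dpt"])
            events.append(event)
    return events

def dropped_by_port(events):
    """How many packets the firewall dropped per destination port: the 'what' of an attack."""
    return Counter(e["dpt"] for e in events if e["prefix"] == "FW-DROP")

def noisy_sources(events, port, threshold):
    """Sources with at least `threshold` dropped attempts on `port`: the 'who' and 'how often'."""
    hits = Counter(e["src"] for e in events if e["prefix"] == "FW-DROP" and e["dpt"] == port)
    return {src: n for src, n in hits.items() if n >= threshold}
```

With the sample above, `noisy_sources(parse(SAMPLE_LOG), 22, 3)` singles out the one source hammering SSH, while the accepted management-VLAN login is correctly left out of the count.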

Protect Yourself From Cyber Threats

Cybercriminals are always on the alert for vulnerabilities in your system. An improper firewall configuration can let them in with ease.

Learning how to configure a firewall and perform basic firewall maintenance will create several layers of security between you and cyber intrusions.

You’ll safeguard your personal data from theft, including the information needed to access your bank account or steal your identity.

For more global cybersecurity services, contact us by phone, email, and social media. You can also reach out to one of our partner organizations located on every continent.