Firewall Guidance

Category Definition

A firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules. A firewall typically establishes a barrier between a trusted network, such as an organization's internal network, and an untrusted network, such as the internet.

Why a defender should care about Firewalls

Firewalls are the shield of an organization. They defend against attacks by preventing unwanted access to trusted networks. A properly configured and maintained firewall (including Default Deny policies) protects an organization from a wide range of attack techniques and is consequently one of the most important IT assets. For firewalls to be effective, they require high availability, secure configurations, robust monitoring, and frequent patching. However, because firewalls often have restrictive rule sets, many organizations change firewall configurations in ways that sacrifice security for convenience. Defenders must therefore understand the configuration settings provided by each firewall and work with their internal teams to choose settings that deliver the best combination of security and usability.
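To make the Default Deny point concrete, the following is an added example (not code from this guidance page or from any firewall vendor) that models a first-match rule set with an implicit deny at the end and audits it for the kind of "convenience" rule the paragraph warns about. The rule names, the address ranges (RFC 5737 documentation networks) and the audit heuristic of flagging allow rules that wildcard both the source and either the destination or the port are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple, Union

ANY = "any"  # wildcard marker used in constructed rules below


@dataclass(frozen=True)
class Rule:
    name: str
    action: str              # "allow" or "deny"
    src: str                 # CIDR or ANY
    dst: str                 # CIDR or ANY
    proto: str               # "tcp", "udp" or ANY
    dport: Union[int, str]   # destination port or ANY


def _match_net(cidr: str, addr: str) -> bool:
    return cidr == ANY or ip_address(addr) in ip_network(cidr, strict=False)


def rule_matches(rule: Rule, src: str, dst: str, proto: str, dport: int) -> bool:
    return (
        _match_net(rule.src, src)
        and _match_net(rule.dst, dst)
        and (rule.proto == ANY or rule.proto == proto)
        and (rule.dport == ANY or rule.dport == dport)
    )


def evaluate(rules: List[Rule], src: str, dst: str, proto: str, dport: int) -> Tuple[str, str]:
    """First-match evaluation. Traffic that matches no rule falls through to
    the implicit default deny, which is what a Default Deny policy means."""
    for rule in rules:
        if rule_matches(rule, src, dst, proto, dport):
            return rule.action, rule.name
    return "deny", "default-deny"


def audit_permissive_rules(rules: List[Rule]) -> List[str]:
    """Constructed heuristic: an allow rule from any source that also
    wildcards the destination or the port effectively disables default deny."""
    return [
        r.name
        for r in rules
        if r.action == "allow" and r.src == ANY and (r.dst == ANY or r.dport == ANY)
    ]


# Constructed baseline: only HTTPS to the web host and SSH from the admin network.
BASELINE_RULES = [
    Rule("inbound-https", "allow", ANY, "192.0.2.10/32", "tcp", 443),
    Rule("admin-ssh", "allow", "10.0.0.0/24", "192.0.2.10/32", "tcp", 22),
]

# The same rule set after a hurried "temporary" change added at the top.
CONVENIENCE_RULES = [Rule("temp-allow-all", "allow", ANY, ANY, ANY, ANY)] + BASELINE_RULES


if __name__ == "__main__":
    for label, rules in (("baseline", BASELINE_RULES), ("convenience", CONVENIENCE_RULES)):
        print(label, "SSH from internet ->", evaluate(rules, "203.0.113.5", "192.0.2.10", "tcp", 22))
        print(label, "audit findings ->", audit_permissive_rules(rules))
```

Under the baseline rule set, SSH from an internet address is dropped by the implicit default deny while the same flow from the admin network is allowed; once the wildcard rule is inserted, the internet SSH attempt is allowed and the audit function flags the rule, which is the kind of check worth running on every rule change.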

Firewalls typically offer two avenues of compromise: attackers may access the firewall as a legitimate user would, or attack the underlying software. Compromising a firewall gives an attacker initial access as well as defense evasion.

Why an attacker is interested in Firewalls

Attackers are interested in firewalls because they connect to management and administrative functions. If a firewall is compromised, it can therefore grant an attacker the “keys to the kingdom.” With these keys, attackers can bypass the firewall’s defenses and pivot to management systems and/or other target systems within the defender’s network.

In addition, since firewalls are the primary enforcers of network boundaries, a compromise could allow an attacker to re-route traffic from a network perimeter firewall elsewhere. Re-routing traffic in this way enables attackers to act as a man-in-the-middle (MITM) for all traffic leaving a victim’s network, which lets them learn how the defender’s network communicates with systems outside its network boundary.