What is a firewall ruleset and configuration review? 

January 5th, 2022 Posted in Information Security

A firewall ruleset and configuration review is a detailed assessment of your firewall ruleset and configurations. The test is typically conducted by a specialist, third-party penetration tester, who will use a combination of manual and automated techniques to analyse the firewall’s configurations and the deployed ruleset, focusing on discovering potential security vulnerabilities and deviations from security best practices.   

About firewalls

Firewalls are a critical component of effective security. There are different ways to deploy firewalls, with the most common being endpoint firewalls and network firewalls. Endpoint firewalls are deployed on computers, such as Windows Firewall, and regulate traffic to and from the device. Network firewalls act as a gateway and control traffic between different parts of your network.  

The most common firewall deployment location on the network is at the boundary between the internet and your corporate network. Still, network firewalls can be deployed within a corporate network to enforce more robust network segregation and traffic management. 

The oldest network firewalls are known as ‘packet filtering’ firewalls because they examine each packet and compare it against the firewall’s fixed ruleset. These devices check a packet’s source and destination IP addresses, the protocol used, and the source and destination ports against the ruleset. They are classed as ‘stateless’ devices because they judge each packet on its own, without tracking the connection it belongs to or considering the packets that have already passed through that connection.

‘Stateful firewalls’ were developed later to offer more comprehensive security. These devices verify and track established connections as well as inspecting individual packets. They maintain a ‘state table’ of connections, keyed on source and destination IP addresses and ports, use it to build a dynamic ruleset for managing those connections, and drop packets that do not belong to a valid connection.
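The difference between the two designs is easiest to see with a small model. The following Python is an added example written for this article, not code from the original post or from any firewall vendor: a first-match stateless filter beside a minimal stateful firewall with a state table. The rules, addresses and packets are constructed for illustration. It shows why a stateless filter needs a broad rule just to let replies back in, and how that same rule also admits a packet that merely claims source port 443 while belonging to no connection, whereas the stateful firewall accepts replies from its state table and rejects the stray packet.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"
    syn: bool = False     # True only for the packet that opens a TCP connection


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    src_ip: str = "any"
    src_port: Optional[int] = None   # None means any port
    dst_ip: str = "any"
    dst_port: Optional[int] = None
    proto: str = "any"


def matches(rule: Rule, pkt: Packet) -> bool:
    """Header-only comparison of one packet against one rule."""
    return (rule.src_ip in ("any", pkt.src_ip)
            and rule.src_port in (None, pkt.src_port)
            and rule.dst_ip in ("any", pkt.dst_ip)
            and rule.dst_port in (None, pkt.dst_port)
            and rule.proto in ("any", pkt.proto))


def stateless_decide(rules: List[Rule], pkt: Packet) -> str:
    """Packet filter: each packet is judged on its headers alone, first match wins."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"   # implicit default deny


class StatefulFirewall:
    """Keeps a state table of connections the ruleset has already permitted."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.state: set = set()   # entries: (src_ip, src_port, dst_ip, dst_port, proto)

    def decide(self, pkt: Packet) -> str:
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
        if key in self.state or reverse in self.state:
            return "allow"        # part of a tracked connection, replies included
        if pkt.proto == "tcp" and not pkt.syn:
            return "deny"         # mid-stream TCP packet with no matching connection
        action = stateless_decide(self.rules, pkt)
        if action == "allow":
            self.state.add(key)   # remember the connection so its replies are accepted
        return action


def compare() -> Dict[str, Dict[str, str]]:
    # Constructed traffic: an internal client opening an HTTPS connection and receiving a reply.
    outbound = Packet("10.0.0.5", 51000, "203.0.113.10", 443, syn=True)
    reply = Packet("203.0.113.10", 443, "10.0.0.5", 51000)
    # Constructed stray packet: source port 443 but no connection, aimed at a port never meant to be reachable.
    unsolicited = Packet("203.0.113.10", 443, "10.0.0.5", 3389)

    # The stateless filter needs a second, broad rule just so replies can come back in.
    stateless_rules = [
        Rule("allow", src_ip="10.0.0.5", dst_port=443, proto="tcp"),
        Rule("allow", src_port=443, dst_ip="10.0.0.5", proto="tcp"),
    ]
    # The stateful firewall only needs the rule for the connection-opening direction.
    stateful = StatefulFirewall([Rule("allow", src_ip="10.0.0.5", dst_port=443, proto="tcp")])

    results: Dict[str, Dict[str, str]] = {"stateless": {}, "stateful": {}}
    for label, pkt in (("outbound", outbound), ("reply", reply), ("unsolicited", unsolicited)):
        results["stateless"][label] = stateless_decide(stateless_rules, pkt)
        results["stateful"][label] = stateful.decide(pkt)
    return results


if __name__ == "__main__":
    for design, verdicts in compare().items():
        print(design, verdicts)
```

Real stateful firewalls also age entries out of the state table and track TCP flags beyond the initial SYN; this model omits both to keep the contrast with the stateless filter visible.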

The most recent and increasingly common type of firewall is the ‘next-generation firewall’ or “NGFW”. These use deep packet inspection to detect malware and problematic traffic, inspect traffic at the application layer, and provide user awareness (identifying which user is behind a connection). NGFW devices also typically incorporate other technology, including intrusion prevention and anti-malware software.

Firewall vulnerabilities

Regardless of the type of firewall you use, it will rely on the deployed ruleset, typically set during initial installation. At its most basic, the ruleset will include the access control lists (“ACLs”) used to determine whether traffic is permitted or not. As network and business needs evolve, administrators may need to reconfigure firewall settings, and this is where the potential for vulnerabilities arises. In line with this, according to Gartner’s firewall security research, 99% of firewall breaches will be caused by firewall misconfigurations, not firewall flaws, by 2023.

Indeed, as coverage of the Capital One breach of 2019 highlighted, a simple firewall misconfiguration can lead to a large-scale security incident. In this instance, a cloud firewall misconfiguration enabled a malicious actor to communicate with Capital One’s infrastructure – which should not have been possible from the outside. The threat actor obtained the personal data of over 100 million US citizens, resulting in Capital One being fined $80 million for careless network security practices by the Department of Treasury in the United States. This reinforces the notion that firewall misconfigurations pose more than just a threat to network performance; they can lead to severe security incidents.

Regardless of the model, firewall ACLs tend to be set up on installation. Like all security measures, firewalls are not infallible. Some vendors’ products offer more protection than others. Even where a firewall offers a high level of security, threat actors can use tactics to penetrate this line of defence. This raises the question for network administrators: is the firewall truly secure? It is from this question that firewall ruleset and configuration reviews were born.

Firewalls also have their own operating system. Like all operating systems, they should be ‘hardened’ to make them more secure, and they must be updated and patched against the latest security vulnerabilities. Organisations commonly update and harden their server and workstation operating systems but often forget about their firewalls (and other network devices). A vulnerability in an internet-facing firewall presents an attacker with an opportunity to access your firewall, monitor your traffic and gain a foothold in your network.

Why should you perform a firewall review?

The compliance standard Payment Card Industry Data Security Standard (PCI-DSS) and certifications like ISO 27001 mandate regular auditing of firewalls to ensure that they are correctly and securely configured. Therefore, any organisation that must comply with these standards must regularly perform firewall reviews. Data protection regulations, like GDPR, also mandate the implementation of technical measures appropriate to the risks of the personal data being processed (such as firewalls, where appropriate to your IT architecture) and a process for regularly testing, assessing and evaluating the effectiveness of such measures.

Aside from mandatory reasons, there are several security justifications for performing these tests. Firstly, a misconfigured firewall could leave your network exposed to the internet, heightening the possibility of a vulnerability being exposed and exploited. Moreover, the complexity of modern business environments – hybrid, often cloud-based and remote – makes the management of firewall solutions complex, which increases the likelihood of something being missed.

Firewall ACLs are often configured and then forgotten about, leading to obsolete policies over time that put more pressure on firewalls and can impact performance. The more rules the firewall has to process, the more processing power is required. This, in turn, can lead to security erosion over time, as the device is put under strain – as well as hampering efficiency. Furthermore, in cases where an organisation has many firewalls to manage and configure, mistakes are more likely. The possibility of duplicate, conflicting rules can arise, which undermines the security efforts put in place.  
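The problems described above (obsolete rules, duplicates, and conflicting rules that undermine the intended policy) are exactly what a ruleset review looks for, and the checks can be automated over an exported rule table. The following Python is an added example written for this article, not code from the original post or from any vendor’s review tooling. It models a simplified rule table with a hit counter (assumed to be exportable from the firewall), then flags rules that are never reached because an earlier rule already matches all of their traffic (reported as a duplicate, redundant or conflicting rule depending on the action), rules with zero hits, and allow-any rules. The sample ruleset is constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    name: str
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # IPv4 CIDR, or "any"
    dst: str               # IPv4 CIDR, or "any"
    dport: Optional[int]   # destination port; None means any port
    hits: int = 0          # hit counter exported from the firewall (assumed available)


def _net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0" if cidr == "any" else cidr, strict=False)


def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet matching `inner` would already have matched `outer`."""
    return (outer.proto in ("any", inner.proto)
            and _net(inner.src).subnet_of(_net(outer.src))
            and _net(inner.dst).subnet_of(_net(outer.dst))
            and outer.dport in (None, inner.dport))


Finding = Tuple[str, str, str]   # (rule name, category, detail)


def review(rules: List[Rule]) -> List[Finding]:
    """Evaluate rules in first-match order and report review findings."""
    findings: List[Finding] = []
    for i, rule in enumerate(rules):
        if (rule.action == "allow" and rule.src == "any"
                and rule.dst == "any" and rule.dport is None):
            findings.append((rule.name, "permissive",
                             "allows any source to any destination on any port"))
        if rule.hits == 0:
            findings.append((rule.name, "unused",
                             "zero hits; candidate for removal once the rule owner confirms"))
        for earlier in rules[:i]:
            if not covers(earlier, rule):
                continue
            if earlier.action != rule.action:
                findings.append((rule.name, "conflicting",
                                 f"never reached; {earlier.name} matches the same traffic "
                                 f"with action {earlier.action}"))
            elif (earlier.proto, earlier.src, earlier.dst, earlier.dport) == \
                    (rule.proto, rule.src, rule.dst, rule.dport):
                findings.append((rule.name, "duplicate", f"exact duplicate of {earlier.name}"))
            else:
                findings.append((rule.name, "redundant", f"already covered by {earlier.name}"))
    return findings


def sample_rules() -> List[Rule]:
    # Constructed sample ruleset for illustration; not taken from any real device.
    return [
        Rule("R1", "allow", "tcp", "10.0.0.0/8", "any", 443, hits=12000),
        Rule("R2", "allow", "tcp", "10.1.0.0/16", "any", 443, hits=0),
        Rule("R3", "allow", "udp", "any", "10.0.5.3/32", 53, hits=800),
        Rule("R4", "deny", "tcp", "10.1.2.0/24", "any", 443, hits=0),
        Rule("R5", "allow", "any", "any", "any", None, hits=5),
        Rule("R6", "allow", "tcp", "10.0.0.0/8", "any", 443, hits=0),
    ]


if __name__ == "__main__":
    for name, category, detail in review(sample_rules()):
        print(f"{name:4} {category:12} {detail}")
```

Note how R4 illustrates a conflicting rule: its intended block of a /24 can never take effect because R1 allows the whole /8 first, so the policy the administrator believes is enforced differs from what the firewall actually does. A zero hit count alone is not proof a rule is obsolete (the traffic may be periodic), which is why the finding asks for confirmation with the rule owner before removal.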

For all of these reasons, checking, analysing, and rectifying firewall configurations is necessary for efficient network performance and security.  

Likewise, and as covered above, firewall vendors provide best practice guidance for securely configuring their devices, which may change over time, and release security and functionality updates. Organisations often treat firewalls as a ‘set and forget’ device when they should be kept under ongoing review and management given their importance to your business.

What are the steps of a firewall ruleset and configuration review?

A firewall ruleset and configuration review is an in-depth assessment of the security and performance of a company’s firewall(s). In the review, skilled penetration testers will review the firewall’s performance, configuration and rule sets, comparing these with industry standards and vendor guidelines. They will use a mixture of automated and manual testing techniques to conduct a thorough assessment. At the end of the test, the client will see a detailed report going over the findings and recommendations for remediation in order of priority.  

The test typically takes the form of six stages:  

  • Pre-engagement: Firstly, the testing provider and client will agree on the scope of the test, which will include identifying testing goals, going over the rules of engagement and confirming the project’s scope and timeline. 
  • Intelligence Gathering: The testing team will then gather as much preliminary information about the target as possible, using external sources so that no alarms are raised. Common tactics here include Google dorking and services such as nslookup or whois. The aim is to gather as much information as possible about the client’s firewall and network.
  • Vulnerability Analysis: Armed with the intelligence gathered, the testers will use a combination of automated vulnerability scanning tools and manual techniques to explore the firewall and the network. This is how the testers will discover security erosion and potential entry points. As they go, the tester will note which ACLs offer a potential point of entry and prioritise their testing based on these findings.   
  • Exploitation: Once the team has a list of hosts and services, they will start exploitation on the target firewall and the network it protects. This phase typically has two parts. Firstly, the testers will look to gain shell or root access to the firewall with the aim of disrupting services or changing critical configurations. The second part focuses on the perimeter to assess the firewall’s strength at withstanding potential attacks.
  • Post Exploitation: Once this is complete, the penetration testing team will then review the company’s security and firewall policies, comparing these to the system’s behaviour during the test. They will make a note of any discrepancies. They will look for instances where access and use policies do not actively reflect the firewall’s procedures – as well as evidence of security erosion due to policy overload on the system.  
  • Reporting: Once this is complete, it’s time to report the findings to the client. This will take the form of a detailed report, often along with the option to have a debrief meeting – or “washup call” – to talk through the findings and answer any questions. The testers will advise which ACLs to prioritise fixing, based on their risk.

When should I conduct a firewall ruleset and configuration review?

Firewall ruleset and configuration reviews are standalone tests that are separate from infrastructure and network penetration tests. We recommend conducting this review as soon as possible after you have deployed your firewall to ensure that it follows best practices. If there are any widespread changes to your IT estate, then we also suggest conducting a configuration review then, to ensure the ACLs are still appropriate for your infrastructure.  

Need help?

If your organisation needs help running a penetration test or firewall ruleset and configuration review, we’re here to help. We can assess your environment and run a full penetration test. We can also advise you on any follow-up actions, remediations and vulnerability management from our findings. Contact us for a friendly chat. 


Written by Alex Harper

Alex is a senior security consultant, specialising in security testing of IT infrastructure, web applications and mobile applications. He started his career as a software developer before moving into ethical hacking and security consulting. His qualifications include Cyber Scheme Team Leader (CSTL), Offensive Security Certified Professional (OSCP) and Qualified Security Team Member (QTSM).