Addressing firewall vulnerabilities

Zach Dressander

As networking requirements shift to enable modern hybrid work models, organizations find that traditional firewalls are no longer as effective as they once were. To make matters worse, multiple popular VPN options are reported to contain zero days and other vulnerabilities.

While you evaluate and modernize your network security approach, consider the potential drawbacks that firewalls can add to your security posture. Let’s explore them, and how you can address them using SASE to optimize your security program.

Common firewall vulnerabilities and threats

Although a traditional mainstay of perimeter-based network security, hardware firewalls have several common vulnerabilities that attackers can exploit. Here are a few notable ones.

Zero days

Zero-day flaws are among the most prominent ways firewalls are exploited: firewall software can contain vulnerabilities unknown to the vendor, creating openings that attackers take advantage of before a fix exists. These gaps allow bad actors to bypass the firewall and penetrate the network. Ultimately, this can lead to serious outcomes such as initial access, malware distribution, or data exfiltration.

Although most zero days can be fixed by patching, patch management is difficult, especially without dedicated processes or software. And, many zero days can go unnoticed for long stretches, leaving organizations exposed until the vulnerability is discovered and addressed.

DDoS attacks

As designed, firewalls prevent unauthorized traffic from reaching your network. But because they are bound by their hardware, they can only field so many requests at once. Attackers use multiple systems, often botnets, to hammer a firewall with requests until it becomes overloaded, causing a distributed denial of service (DDoS) attack.

Unfortunately, though firewalls can stop some DDoS attempts, they can be overwhelmed by protocol attacks. As a result, an organization’s online services can be shut down, leading to other potential intrusion attempts or other attacks.

Misconfiguration/Weak passwords

During firewall setup or reconfiguration, improper settings or weak access passwords can create openings for attackers. Sometimes multiple rules clash, for example a broad allow rule placed ahead of a more specific deny, which compromises a firewall’s ability to protect against bad actors. Or, if the default password isn’t changed or a weak password is used to access the firewall, a hacker can simply brute force their way through.

The sad truth of this vulnerability is that it can occur even if the firewall is completely up to date. It can also happen if a previous employee originally misconfigured the firewall and current employees don’t double-check their configurations.
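The rule clashes described above are mechanical enough to audit automatically. The following added example, written for this page and not part of Todyl's product or the original post, walks a simplified first-match rule list and reports rules that are shadowed by an earlier rule (a clash when the actions differ, redundant when they match) as well as rules that allow any source to any destination. The rule format, rule names and address ranges are constructed for illustration and do not correspond to any vendor's syntax.

```python
"""Audit a simplified, first-match firewall rule list for common misconfigurations.

Added example; the Rule format below is a constructed toy format, not a
vendor syntax. Rules are evaluated top to bottom and the first match wins,
which is the semantics most packet filters use.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    name: str
    action: str            # "allow" or "deny"
    src: str               # source CIDR
    dst: str               # destination CIDR
    port: Optional[int]    # None means any destination port


def _net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)


def _covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet that matches `inner` would already match `outer`."""
    return (
        _net(inner.src).subnet_of(_net(outer.src))
        and _net(inner.dst).subnet_of(_net(outer.dst))
        and (outer.port is None or outer.port == inner.port)
    )


def find_shadowed(rules: List[Rule]) -> List[Tuple[str, str, str]]:
    """Return (shadowed_rule, shadowing_rule, kind) for every rule that can never fire.

    kind is "clash" when the earlier rule has the opposite action (the later
    rule's intent is silently defeated) and "redundant" when the action matches.
    """
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if _covers(earlier, later):
                kind = "clash" if earlier.action != later.action else "redundant"
                findings.append((later.name, earlier.name, kind))
                break  # the first covering rule is the one that actually fires
    return findings


def find_permissive(rules: List[Rule]) -> List[str]:
    """Return names of allow rules that admit any source to any destination on any port."""
    anywhere = _net("0.0.0.0/0")
    return [
        r.name for r in rules
        if r.action == "allow" and r.port is None
        and _net(r.src) == anywhere and _net(r.dst) == anywhere
    ]


# Constructed sample rule set illustrating a clash and an over-broad allow.
SAMPLE_RULES = [
    Rule("allow-web", "allow", "0.0.0.0/0", "10.0.0.0/8", 443),
    Rule("allow-any", "allow", "0.0.0.0/0", "0.0.0.0/0", None),    # left over from troubleshooting
    Rule("deny-telnet", "deny", "0.0.0.0/0", "10.0.0.0/8", 23),     # never reached
    Rule("allow-ssh-internal", "allow", "10.0.0.0/8", "10.0.0.0/8", 22),
]


if __name__ == "__main__":
    for shadowed, by, kind in find_shadowed(SAMPLE_RULES):
        print(f"{kind}: rule '{shadowed}' is shadowed by '{by}'")
    for name in find_permissive(SAMPLE_RULES):
        print(f"over-permissive: rule '{name}' allows any source to any destination")
```

Running the audit against the sample set reports the `deny-telnet` rule as a clash with `allow-any` and `allow-ssh-internal` as redundant, which is exactly the situation the paragraph describes: the firewall is fully patched, yet the deny rule an earlier administrator relied on never fires.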

Insider attacks

Because firewalls create a perimeter around the internal network, they are essentially useless when attacks come from within the network. Although this can occur after initial access, it’s especially prominent in the case of insider attacks. Be it a disgruntled employee or even a “sleeper agent,” firewalls offer little defense against these attacks.

Preventing insider attacks requires network monitoring and segmentation solutions that firewalls don’t traditionally provide. They also can be thwarted with behavioral analysis stemming from sophisticated security technologies.

Packet spoofing/SSL obfuscation

During an attack, a bad actor may forge the addresses or other header fields within a packet to bypass security controls and breach the network. Less sophisticated and older firewalls often examine only a packet’s source and destination addresses, not the interface it arrived on or the state of the connection it claims to belong to. So, if a spoofed packet reaches such a firewall, it may be permitted, allowing the attacker into the network.

Similarly, some organizations may willingly turn off SSL inspection on their firewalls because hardware limitations cause latency and throttle bandwidth. This can lead to similar attacks resulting in infiltration and data exfiltration.

Thankfully, newer and next-gen firewalls (NGFW) contain built-in features to stop these attacks. That said, sometimes those anti-spoofing settings can be toggled off, granting access and leading to an incident.
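To make the difference between an address-only check and the anti-spoofing logic of an NGFW concrete, here is an added example (written for this page, not code from the post or from any firewall product). It contrasts a naive filter that trusts a packet whose source address looks internal with an interface-aware check that drops packets arriving on the WAN side with private, loopback, link-local or locally owned source addresses, and drops packets leaving the LAN side with a source that is not ours. The interface names, the LAN prefix and the public prefix are constructed assumptions.

```python
"""Anti-spoofing ingress/egress filtering contrasted with an address-only check.

Added example with constructed interface names and prefixes. The public
prefix uses documentation ranges (RFC 5737) so nothing here maps to a
real network.
"""
import ipaddress
from typing import List, NamedTuple, Tuple


class Packet(NamedTuple):
    iface: str   # interface the packet arrived on: "wan" or "lan"
    src: str     # source IPv4 address
    dst: str     # destination IPv4 address


INTERNAL = ipaddress.ip_network("10.20.0.0/16")       # constructed LAN prefix
OUR_PUBLIC = ipaddress.ip_network("203.0.113.0/24")   # constructed public prefix

# Source ranges that must never arrive from the Internet side.
WAN_BOGONS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 private
    "127.0.0.0/8",                                      # loopback
    "169.254.0.0/16",                                   # link-local
    "0.0.0.0/8",                                        # "this" network
)]

PASS = "pass"
DROP_WAN_SPOOF = "drop: spoofed source on wan"
DROP_LAN_SPOOF = "drop: egress source not ours"
DROP_UNKNOWN_IFACE = "drop: unknown interface"


def naive_allowed(pkt: Packet) -> bool:
    """Address-only check of the kind older filters apply.

    Trusts any packet bound for the LAN whose source address is inside the
    LAN prefix, regardless of where the packet physically came from.
    """
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    return dst in INTERNAL and src in INTERNAL


def antispoof_verdict(pkt: Packet) -> str:
    """Interface-aware check: a source address must be plausible for the interface."""
    src = ipaddress.ip_address(pkt.src)
    if pkt.iface == "wan":
        # Ingress filtering: private, loopback, link-local or our own addresses
        # cannot legitimately originate on the Internet side.
        if src in OUR_PUBLIC or any(src in bogon for bogon in WAN_BOGONS):
            return DROP_WAN_SPOOF
        return PASS
    if pkt.iface == "lan":
        # Egress filtering (BCP 38 style): only our own prefix may leave the LAN,
        # which also stops a compromised host from spoofing outbound traffic.
        if src not in INTERNAL:
            return DROP_LAN_SPOOF
        return PASS
    return DROP_UNKNOWN_IFACE


def evaluate(packets: List[Packet]) -> List[Tuple[Packet, bool, str]]:
    """Run both checks over a batch so the divergence can be logged and reviewed."""
    return [(p, naive_allowed(p), antispoof_verdict(p)) for p in packets]


# Constructed sample traffic.
SAMPLE_PACKETS = [
    Packet("wan", "10.20.5.5", "10.20.1.10"),       # spoofed: internal source from the Internet
    Packet("wan", "198.51.100.7", "203.0.113.10"),  # ordinary inbound traffic
    Packet("lan", "10.20.3.4", "198.51.100.7"),     # ordinary outbound traffic
    Packet("lan", "198.51.100.9", "203.0.113.1"),   # spoofed outbound source
]


if __name__ == "__main__":
    for pkt, naive, verdict in evaluate(SAMPLE_PACKETS):
        print(f"{pkt.iface:3} {pkt.src:>14} -> {pkt.dst:<14} naive={'allow' if naive else 'deny':5} ngfw={verdict}")
```

The first sample packet is the case the paragraph warns about: its source address is inside the LAN prefix, so the address-only check lets it through, while the interface-aware check drops it because no genuine packet with that source can arrive on the WAN side. Keeping both verdicts side by side, as `evaluate` does, is also a useful way to confirm that an anti-spoofing feature has not been toggled off.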

Addressing firewall vulnerabilities with SASE

Understanding the potential exploits of traditional firewalls, many organizations want an alternative network security approach. Secure Access Service Edge, or SASE, provides just that. SASE combines multiple network security solutions into a single platform, leveraging the cloud to provide secure connectivity regardless of location. Here are a few of the technologies SASE provides:

  • Secure Web Gateway (SWG)
  • Cloud Access Service Broker (CASB)
  • Software-Defined Perimeter (SDP)
  • Intrusion Detection/Prevention Systems (IDS/IPS)
  • NGFW
  • DNS and Content filtering
  • SSL inspection

Providing these and others in concert, SASE addresses many common pitfalls of traditional firewalls.

How it works

In practice, SASE decentralizes the corporate network into the cloud, relying on device agents and globally dispersed Points of Presence (PoPs) to establish secure access anywhere. Once connected, user traffic is rendered invisible to anyone not authenticated to the SGN. Unlike firewalls, which just surround the core network, SASE works wherever users are, keeping their connections always secured.

As a result, your web services are less exposed, making it harder for attackers to target any openings or attempt DDoS attacks. They also can’t send spoofed packets, which the NGFW identifies and blocks. And, since it’s all software-defined and in the cloud, SASE is immensely scalable compared to hardware firewalls.

Another key feature of SASE is enabling a Zero Trust Network Access (ZTNA) approach. Because of identity-based access controls, organizations can enforce tight password policies and multi-factor authentication (MFA), limiting access by the principle of least privilege. Doing so limits the blast radius of potential insider threats and compromised credentials.

And, through SASE, organizations can tightly monitor network traffic to gain visibility over everything going on within it. Paired with IDS/IPS, this monitoring gives insight into network activities to streamline remediation and reporting efforts.

Using SASE to forego firewalls

Ultimately, you can use SASE to replace the role of your traditional firewalls or amplify their effectiveness to ensure the utmost network security. Using SASE gives you greater control over how your network operates, leading to better security posture and reduced vulnerability from external threats.

Learn more about SASE and how to find the best solution for your business. Download our free eBook today.
