Here we are with our second installment of network security horror stories. Having already discussed some of the firewall change control issues in this article, we’re going to review some firewall misconfigurations I’ve seen at client sites. The firewall plays an important part in your security architecture and needs to be configured properly in order to gain the most from this layer of security. Here are a few stories of classic firewall misconfigurations:
1. Dangerous Ports Open
There was a particular network I worked in once that was constantly being breached. We started looking at the ways the attackers were gaining access and noticed improperly configured firewall rules that allowed full NetBIOS access to all systems in the DMZ. These web servers were also running all applications as administrator on an old version of Microsoft IIS.
After cleaning up the firewall access rules, removing unneeded services and updating the vulnerable software, we were able to help the network owners for the time being. There should be a constant audit of your environment, as well as vulnerability scans both internally and externally, that would find this low-hanging fruit. Tools that point out vulnerabilities and areas where you’re not compliant are extremely beneficial to your security posture.
2. Remote Control Gone Wrong
Once, while troubleshooting an outage of a critical server, I noticed that the firewall had previously been configured to put these servers in a group that allowed RDP access to them through the firewall, and they were NAT’d directly into the server VLAN, which wasn’t in the DMZ. This allowed attackers to gain access directly through the firewall, bypass the DMZ and use this box as a pivot point in the server VLAN.
Noticing this, I confronted the firewall and server administrators as to why it was configured this way. Their response was that this is how the vendor came in to perform maintenance on the server when it crashed. Little did they know that it wasn’t only the vendor that was using this access, and that the server wasn’t only crashing, but had been compromised. Using other tools like WebEx or GoToMeeting would be a safer and easier method to troubleshoot issues over the web.
3. Egress Filtering
At one client I discovered tons of malware and, after looking at the firewall logs, determined that there were many connections back to foreign countries at all hours of the day. This might not seem odd to certain businesses, but this particular organization was completely domestic, so this raised a red flag. After seeing these infected systems phoning home, I reviewed their firewall rules and noticed there was no egress filtering configured. Without egress filtering, the systems were being infected (another issue altogether) and were allowed to contact command and control servers without a problem.
Setting up simple egress filtering on the firewall is a step that is often overlooked, but it could seriously improve your security. It isn’t going to stop all connections, since many bots communicate over HTTPS now, but it’s a good first step.
As we’ve seen from just these three simple examples, a misconfigured firewall is the same as no firewall. The rules of a firewall need to be reviewed at least quarterly, and changes shouldn’t be left to one person for approval. Firewalls are the classic security appliance, and you’ll need to configure them properly in order to receive any benefit from them.
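All three of these misconfigurations can be caught by a rule-set audit before an attacker finds them. The script below is an added illustration, not code from the original post or from any firewall vendor: it runs those checks over a constructed, vendor-neutral rule list, and the DMZ range, internal ranges and rule tuple format are assumptions for the example.

```python
# Added example (not from the original post): audit a constructed, vendor-neutral
# rule list for the three misconfigurations described above.
# Rule tuple: (action, direction, src, dst, port); the string "any" is a wildcard.
from ipaddress import ip_network

NETBIOS_SMB = {137, 138, 139, 445}   # NetBIOS name/datagram/session plus SMB
RDP = 3389
DMZ = ip_network("192.0.2.0/24")     # assumption: the DMZ segment used in this example
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample rule set reproducing the stories in this post.
SAMPLE_RULES = [
    ("allow", "in", "any", "192.0.2.0/24", 445),    # NetBIOS/SMB open into the DMZ
    ("allow", "in", "any", "10.10.5.20/32", RDP),   # RDP NAT'd straight into the server VLAN
    ("allow", "in", "any", "192.0.2.10/32", 443),   # legitimate: HTTPS to a DMZ web server
    ("allow", "out", "any", "any", "any"),          # no egress filtering at all
]

def _hits(dst, nets):
    """True if dst is a wildcard or overlaps any network in nets."""
    return dst == "any" or any(ip_network(dst).overlaps(n) for n in nets)

def audit(rules):
    """Return (finding, rule) pairs; rule is None for rule-set-wide findings."""
    findings = []
    has_egress_deny = False
    for rule in rules:
        action, direction, src, dst, port = rule
        if action == "allow" and direction == "in":
            # Story 1: NetBIOS/SMB permitted into the DMZ.
            if (port == "any" or port in NETBIOS_SMB) and _hits(dst, [DMZ]):
                findings.append(("netbios-into-dmz", rule))
            # Story 2: RDP from anywhere landing on an internal (non-DMZ) address.
            if port in ("any", RDP) and src == "any" and _hits(dst, INTERNAL):
                findings.append(("rdp-from-anywhere-to-internal", rule))
        elif direction == "out":
            # Story 3: outbound allow-all, and no catch-all outbound deny.
            if action == "allow" and dst == "any" and port == "any":
                findings.append(("unrestricted-egress", rule))
            if action == "deny" and src == "any" and dst == "any" and port == "any":
                has_egress_deny = True
    if not has_egress_deny:
        findings.append(("no-default-egress-deny", None))
    return findings

if __name__ == "__main__":
    for name, rule in audit(SAMPLE_RULES):
        print(f"{name}: {rule}")
```

A real audit would parse the vendor's exported rule base and evaluate rules in order, since an allow-all placed before a deny still wins on most firewalls.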