How secure is a firewall?

Let me frame the context. I'm not interested in any exploits that get pulled in by the user nor the issues with apps on a machine. I'm interested in understanding how secure a firewall is in and of itself, e.g., and one which is configured to not allow incoming connections.

What other exploits exist assuming no physical access and a good configuration, strictly incoming from the WAN port. I ask because I keep hearing so much that any firewall is penatrable. I'm starting to think that the majority of these attack vectors originate (knowingly or unknowingly) from the inside.

Can the most talented organization penetrate a properly configured firewall with no help from an inside machine? If so, how so?

Just looking for a better understanding? Thanks.

Rrlangly,

You’ve certainly placed a great question on our forums.

There is definitely a major misunderstanding in the IT industry that by installing and configuring a Firewall, the company and its network infrastructure is well protected.

What people do not understand is that a Firewall is nothing more than a smart device that is configured to allow traffic to pass or not. If it’s a stateful firewall, it will also have the ability to track connections making it much harder to hi-jack sessions and have the ability to dynamically open ports.

The truth is that most successful hacking attempts to major sites are not because the Firewall failed to protect the company, but because the webservers and applications running on them were vulnerable to attacks. Hackers found various exploits and used them to gain unauthorized access to the web servers. From there, hackers usually use the vulnerable and exploited servers as ‘stepping stones’ in order to get access to the internal network. From there on, it’s usually a piece of cake to get access to resources and sensitive information.

An extremely good example is a recent article Ι wrote here on Firewall.cx, which analyses the implications of unsecure webservers and websites for businesses :

www.firewall.cx/general-topics-reviews/s...tions-companies.html

In this article, you’ll read about real facts where large world-wide corporations have been hit by hackers who exploited vulnerable servers, by-passing firewalls as if they were never in place. We are talking about millions of accounts compromised and extremely sensitive information being accessed and distributed by hackers.

The market was well aware of these issues, which is why Intrusion Prevention Systems (IPS) / Intrusion Detection Systems (IDS) started making their appearance in the market. These devices, when setup correctly, examine packets and traffic flow in a much higher level within the OSI model, as opposed to Firewalls, so they are capable of detecting various attacks/exploit attempts which would otherwise seem like valid traffic to Firewalls.

Coming to your question if a talented organization is able to penetrate a properly configured firewall, I’d answer that it depends on what’s running behind the firewall. If the target is a web server or some other device which the Firewall is configured to port-forward traffic to, then I’d answer ‘yes’ – it’s most likely that they will find some exploit and expose it – the Firewall is still doing its job, but its unable to distinguish exploit attempts from normal user traffic!

Hope this helps.

Chris.

Chris,

Though it's been awhile, and I did read this some time ago, thank you for this reply. I still come back to it while trying to learn more about firewalls.

My thinking goes like this. If the firewall itself is secure by not allowing inbound and nothing internally is active to be exploitable, then that gives me a secure baseline to start from and learn about securing a network. So my understanding is if a port is not active, meaning there's no service using it, then it's secure. Nothing will get routed to it. Of course that would be in a minimum, no service active configuration.

But if the firewall itself has exploits, then it seems like there's not much one can do in securing the network as most firewalls are just computers themselves (I read that even my ASA 5506 is just running an older linux kernel). Every time I turn around, I read another article about how CISCO or someone else has back doors for this or that. And if that's the case, there's nothing I can do about that (other than I guess use an OSS router, and even that is questionable at this point).

So while I do understand that internal processes are exploitable and can then give permissions for unwanted access, I'm trying to figure out how to run minimal with the utmost security and then use and secure services when I need them and build from there.

Thanks again for your reply.