Common Errors in Firewall Configurations

Tuesday, December 06, 2011

Christopher Rodgers


A firewall is worse than useless if improperly configured because of the false sense of security; however, a properly configured firewall is a cornerstone asset of perimeter security.

Two of the most common errors found on a firewall configuration are “Rules Allow Access to “ANY” Port” and “Simple Network Management Protocol.”

What is found a surprising amount of the time in our Firewall Ruleset Reviews are Access Control Entries that have several specific ports defined, most frequently File Transfer/Sharing services, followed with an entry that allows access to “any” port.

 It appears that the network administrator was under pressure to make a service available, and in haste allowed all traffic to the File Server.

With the "ANY" port accessible vulnerability, clear text protocols could be used when both a secure and less secure clear text service are running on the same system, and vulnerabilities found for specific services such as SMB could be launched against vulnerable machines.  

The more ports that are available to an attacker, the greater the chances are for a system to be compromised.

Simple Network Management Protocol (SNMP) is a User Datagram Protocol (UDP) based management protocol.  SNMP can assist in monitoring the performance and the availability of a device by providing valuable information in the form of the following: performance, issues, configuration, and firewall status. 

While this information can help to identify issues and maintain operability, it can be used by an attacker to glean information.

There are two main access types of SNMP: Read Only (RO) and Read/Write (RW).  Read only permits an SNMP server to read information from the device, but does not allow for modification.  Out of the two configuration options, read only holds a lower threat rating. 

Read/write SNMP enables elevated privileged tasks to be performed, such as modifying the configuration of the network device. 

This can decrease the time to deploy configuration changes to multiple network devices, but also allows the opportunity for an attacker to gain access to the device.

In addition to the various access types, SNMP comes in three different versions.  Both versions 1 and 2 transmit the SNMP data in clear text.  Because information contained within the SNMP packet is in plain view, this can allow for the interception of critical device information. 

To remediate this vulnerability, SNMP version 3 allows for encryption and hashing of the SNMP packet.  This assures device administrators that the integrity and confidentiality are preserved.

In order for a firewall to work, it must be used in conjunction with reliable overall organizational security architecture.  

By combining an elaborate firewall that granularly limits traffic with a well-constructed configuration management system, a corporation is on its way to reducing weaknesses in perimeter security.

Cross-posted from
Possibly Related Articles:
Firewalls Network Security Configuration IDS/IPS Remediation SNMP Simple Network Management Protocol
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.