🥷The Misguided View of Firewalls | How Cybersecurity Professionals Are Failing One of Their Key Defenses♨️
In today's landscape of increasingly complex cyber threats, one fundamental tool is often overlooked, misunderstood, or outright maligned by many cybersecurity professionals: the firewall. Despite being one of the oldest and most essential components in network security, firewalls have somehow acquired a poor reputation in certain cybersecurity circles. This leads to an overall weaker security posture for organizations that should be relying on them as a critical layer of defense.
It's ironic, considering that the largest cybersecurity vendors derive a significant portion of their revenue from firewall products. So, why has the administration and configuration of firewalls become so subpar, and how did we reach the point where firewalls are being treated as sieves rather than the robust barriers they are designed to be?
Many cybersecurity professionals hold a negative view of firewalls, with one sock puppet even claiming that firewalls account for only 0.1% of a business's security posture.
Poor Administration of Firewalls | A Self-Fulfilling Prophecy
One of the most damaging myths perpetuated in cybersecurity today is that firewalls cannot stop ransomware. This belief is a direct result of poor firewall configuration, where administrators either lack the necessary skills or fail to implement proper rules, turning what should be a formidable line of defense into an ineffective gate.
Firewalls, when configured correctly, block many of the network paths an attack depends on, and a ransomware operation depends on several of them: an exposed service for initial access, a callback to command-and-control infrastructure, and lateral movement between segments. What a firewall cannot do is inspect the attachment a user opens on a laptop, which is why the perimeter and the endpoint have to work together rather than compete. However, the reality on the ground paints a grim picture:
Misconfiguration and Any/Any Rules: Many firewalls today are configured with "any/any" rules, allowing any source to reach any destination on any port, in and out of the network. This essentially nullifies the firewall's purpose: instead of blocking unwanted traffic, such a rule lets everything through, making the firewall as effective as a door with no lock. A firewall should default to deny in both directions and carry only explicit allow rules that name the source, destination and service. Egress rules deserve the same scrutiny as ingress, since an unrestricted outbound rule is exactly what lets a compromised host call home.
Lack of Understanding of Networking: Cybersecurity professionals, especially those primarily focused on endpoint agents, often lack the networking knowledge required to configure and manage firewalls effectively. As a result, they treat firewalls as an afterthought, giving priority to endpoint solutions while leaving gaps at the network perimeter.
Arcane Vendor Software: Firewall vendors also share the blame. Many of the top firewall solutions on the market have complex and unintuitive interfaces, making it difficult for even well-intentioned admins to deploy them properly. This complexity is further compounded by infrequent updates, lack of documentation, and poor customer support.
The idea that firewalls cannot stop ransomware has become a self-fulfilling prophecy because of these poor practices. Instead of focusing on making firewalls work correctly, many cybersecurity professionals simply abandon them, shifting focus to endpoint detection and response (EDR) tools while neglecting a key line of defense.
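To make the any/any problem concrete, here is an added example (not from the original post) in Python that audits an iptables-save style ruleset: it flags chains whose default policy is ACCEPT, ACCEPT rules that carry no source, destination, protocol or port constraint, and ACCEPT rules that name a service but leave source and destination open. It then runs the same check over a default-deny ruleset with explicit allows. Both rulesets, the interface names and the address ranges are constructed for the example.

```python
"""Audit an iptables-save style ruleset for "any/any" ACCEPT rules and ACCEPT
default policies. Added example; both rulesets below are constructed."""
import shlex
from collections import Counter
from dataclasses import dataclass

UNBOUNDED = {"0.0.0.0/0", "::/0", "0.0.0.0", "::"}   # "any" spelled out
PORT_MODULES = {"tcp", "udp"}    # -m tcp / -m udp only exist to enable --dport/--sport


@dataclass
class Finding:
    severity: str
    rule: str
    reason: str


def parse_rule(line):
    """Tokenise one '-A' line into {option: [values]}. A '!' negation token is
    passed over, so a negated match still counts as a constraint."""
    tokens = shlex.split(line)
    opts = {}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("-"):
            val = None
            nxt = tokens[i + 1] if i + 1 < len(tokens) else None
            if nxt is not None and not nxt.startswith("-") and nxt != "!":
                val, i = nxt, i + 1
            opts.setdefault(tok, []).append(val)
        i += 1
    return opts


def constraints(opts):
    """What a rule actually matches on. An interface (-i/-o) is deliberately not
    a constraint: it says where a packet arrived, not who sent it or which
    service it targets. Loopback is the one exception."""
    found = set()
    for flag in ("-s", "--source", "-d", "--destination"):
        if any(v and v not in UNBOUNDED for v in opts.get(flag, [])):
            found.add("address")
    if any(v not in (None, "all") for v in opts.get("-p", []) + opts.get("--protocol", [])):
        found.add("protocol")
    if "--dport" in opts or "--sport" in opts:
        found.add("port")
    if any(v and v not in PORT_MODULES for v in opts.get("-m", [])):
        found.add("match")               # conntrack, set, limit, ... narrow the rule
    if "lo" in opts.get("-i", []) + opts.get("-o", []):
        found.add("loopback")
    return found


def audit(ruleset):
    findings = []
    for raw in ruleset.splitlines():
        line = raw.strip()
        if line.startswith(":"):                 # :CHAIN POLICY [pkts:bytes]
            chain, policy = line[1:].split()[:2]
            if policy == "ACCEPT" and chain in ("INPUT", "FORWARD"):
                findings.append(Finding("high", line, f"{chain} default policy is ACCEPT; should be DROP"))
            elif policy == "ACCEPT" and chain == "OUTPUT":
                findings.append(Finding("medium", line, "OUTPUT default policy is ACCEPT; no egress filtering"))
            continue
        if not line.startswith("-A"):            # *table, COMMIT, comments
            continue
        opts = parse_rule(line)
        if opts.get("-j") != ["ACCEPT"]:
            continue
        chain = opts["-A"][0]
        cons = constraints(opts)
        if not cons:
            findings.append(Finding("high", line, f"any/any ACCEPT on {chain}"))
        elif not cons & {"address", "match", "loopback"}:
            findings.append(Finding("medium", line, f"ACCEPT on {chain} from any source to any destination"))
    return findings


def summarize(ruleset):
    """Finding counts by severity; an empty Counter means the ruleset passed."""
    return Counter(f.severity for f in audit(ruleset))


# Constructed "sieve": every chain defaults to ACCEPT and FORWARD lets everything through.
WEAK_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -j ACCEPT
-A FORWARD -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 3389 -j ACCEPT
COMMIT
"""

# Constructed default-deny ruleset: every ACCEPT names a state, a source or a destination.
HARDENED_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m set --match-set blocklist src -j DROP
-A FORWARD -m set --match-set blocklist dst -j LOG --log-prefix "BLOCKLIST-EGRESS "
-A FORWARD -m set --match-set blocklist dst -j DROP
-A FORWARD -i eth1 -o eth0 -s 10.20.0.0/16 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -s 198.51.100.0/24 -d 10.20.5.10/32 -p tcp -m tcp --dport 3389 -j ACCEPT
-A OUTPUT -o eth1 -d 10.20.5.53/32 -p udp -m udp --dport 53 -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULESET), ("hardened", HARDENED_RULESET)):
        print(f"== {name}: {dict(summarize(rules)) or 'no findings'}")
        for f in audit(rules):
            print(f"  [{f.severity}] {f.reason}\n      {f.rule}")
```

Run it as a script to see the findings for each ruleset. The weak set produces four high and two medium findings; the hardened set produces none, because every ACCEPT is either a connection-tracking rule, a loopback rule, or names an explicit source or destination. The same logic carries over to vendor rule exports once the parser is swapped for the vendor's format.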
The Firewall Blind Spot | Lack of IP Blocklist Implementation
One glaring oversight in many firewall configurations is the failure to implement IP blocklists. This simple yet highly effective method is underutilized, despite its proven ability to significantly improve security.
What Are IP Blocklists?
An IP blocklist is a list of IP addresses and address ranges known to host malicious infrastructure, which the firewall refuses to exchange traffic with (blocking by domain name is the job of DNS filtering, not of a packet filter). These lists can be automatically updated and curated by security services or managed internally by an organization's security team, and the firewall loads them into an address set that it matches against every packet, rather than as thousands of individual rules. The use of IP blocklists allows the firewall to automatically block traffic from or to known malicious sources, reducing the attack surface and preventing malware, ransomware, and other threats from ever reaching the network.
A good example of blocklist effectiveness is the use of Real-time Blackhole Lists (RBLs) in email security. In many organizations the bulk of rejected mail is refused at connection time because the sending server's IP address appears on an RBL, which filters out spam and phishing before the message body is even transmitted. Without RBLs, email security would be far less effective.
The Benefits of IP Blocklists on Firewalls
IP blocklists on firewalls function much like RBLs for email:
Prevents Malicious Traffic: IP blocklists stop malicious traffic from ever entering the network, preventing ransomware and other malware from gaining a foothold in the first place.
Identifies Internal Compromises: Monitoring outbound hits to known malicious IP addresses can help identify compromised devices within the network. If a device tries to contact a malicious IP, it may indicate that it has already been infected, allowing security teams to act quickly and contain the breach. For this to work the outbound blocklist rule must log as well as drop: the blocked packet is the alert.
Covers the Entire Network: Unlike agent-based solutions, which are only as effective as the endpoints they are installed on, IP blocklists apply to all traffic crossing the firewall. This means blocklists can protect every device on the network, not just those with security agents installed: printers, IoT devices, appliances and unmanaged laptops included. The caveat is that only traffic crossing the firewall is covered; traffic between two hosts in the same flat segment never reaches it, which is one more argument for segmenting the network.
Despite the clear benefits, few organizations use IP blocklists effectively on their firewalls. This failure stems from both a lack of awareness and a poor understanding of how blocklists can enhance overall security posture. The usual objections are manageable: a blocklist is reactive and only covers infrastructure that has already been reported, so it must be refreshed frequently; and a listed range may include shared hosting or CDN addresses, so hits should be logged with enough context to investigate a false positive rather than silently dropped.
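The following is an added example, not code from the original post, showing in Python what a blocklist does at the firewall in both directions: it parses a feed into collapsed address ranges, classifies constructed flow records as inbound hits, outbound hits (the compromise indicator described above), allowed, or internal east-west traffic that a perimeter firewall never sees, and renders the list as an nftables interval set with the two rules that consume it. The feed, the flow records, the internal range 10.20.0.0/16 and the set and table names are all assumptions made for the example; the feed uses TEST-NET ranges so it cannot match a real host.

```python
"""Apply an IP blocklist to firewall flow records in both directions and flag
internal hosts that contact listed addresses. Added example: the blocklist,
flow records and internal range are all constructed."""
import ipaddress
from collections import defaultdict

INTERNAL = ipaddress.ip_network("10.20.0.0/16")   # assumed internal range

# Constructed feed. Real feeds are far larger and refreshed frequently;
# TEST-NET ranges are used here so nothing can match a real host.
BLOCKLIST_FEED = """
# feeds commonly mix comments, bare addresses and CIDR ranges
192.0.2.0/24
198.51.100.7
198.51.100.8/31
198.51.100.10/31
198.51.100.64/26
"""

# Constructed NetFlow-style records: timestamp,src,dst,proto,dport
FLOWS = """
2024-05-01T08:00:01Z,192.0.2.44,10.20.1.10,tcp,3389
2024-05-01T08:00:02Z,10.20.1.25,203.0.113.80,tcp,443
2024-05-01T08:00:03Z,10.20.1.25,198.51.100.9,tcp,443
2024-05-01T08:00:04Z,10.20.1.25,198.51.100.70,tcp,8443
2024-05-01T08:00:05Z,203.0.113.5,10.20.1.10,tcp,443
2024-05-01T08:00:06Z,10.20.3.4,192.0.2.200,udp,53
2024-05-01T08:00:07Z,198.51.100.7,10.20.1.10,tcp,22
2024-05-01T08:00:08Z,10.20.1.10,10.20.2.2,tcp,445
"""


def load_blocklist(text):
    """Parse a feed into a collapsed list of networks (bare IPs become /32)."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    # collapse_addresses merges adjacent and overlapping entries (.8/31 + .10/31 -> .8/30)
    return list(ipaddress.collapse_addresses(nets))


def lookup(ip, nets):
    """Return the listed network containing ip, or None. A kernel set match
    (ipset / nft set) does this lookup efficiently; a scan is fine for a demo."""
    return next((n for n in nets if ip in n), None)


def classify(src, dst, nets):
    """inbound_hit: listed source reaching in; outbound_hit: internal host
    reaching a listed destination (a compromise indicator); internal: east-west
    traffic the perimeter firewall never sees unless the network is segmented."""
    s_in, d_in = src in INTERNAL, dst in INTERNAL
    if s_in and d_in:
        return "internal"
    if not s_in and lookup(src, nets):
        return "inbound_hit"
    if s_in and lookup(dst, nets):
        return "outbound_hit"
    return "allowed"


def apply_blocklist(nets, flows_text):
    """Count verdicts and collect, per internal host, the listed destinations it contacted."""
    counts = {"inbound_hit": 0, "outbound_hit": 0, "allowed": 0, "internal": 0}
    suspects = defaultdict(list)
    for line in flows_text.strip().splitlines():
        _ts, src, dst, proto, dport = line.split(",")
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        verdict = classify(src, dst, nets)
        counts[verdict] += 1
        if verdict == "outbound_hit":
            suspects[str(src)].append(f"{dst}:{dport}/{proto}")
    return counts, dict(suspects)


def nft_set(nets, name="blocklist"):
    """Render the list as an nftables interval set plus the two rules that use it
    (table and chain names are assumptions for the example)."""
    elements = ", ".join(str(n) for n in nets)
    return "\n".join([
        "table inet filter {",
        f"    set {name} {{",
        "        type ipv4_addr",
        "        flags interval",
        f"        elements = {{ {elements} }}",
        "    }",
        "    chain forward {",
        "        type filter hook forward priority 0; policy drop;",
        f"        ip saddr @{name} counter drop",
        f'        ip daddr @{name} log prefix "blocklist-egress " counter drop',
        "    }",
        "}",
    ])


BLOCKLIST = load_blocklist(BLOCKLIST_FEED)

if __name__ == "__main__":
    counts, suspects = apply_blocklist(BLOCKLIST, FLOWS)
    print(counts)
    for host, dsts in suspects.items():
        print(f"possible compromise: {host} -> {', '.join(dsts)}")
    print(nft_set(BLOCKLIST))
```

On the constructed flows this reports two inbound hits, three outbound hits, two allowed flows and one internal flow, and names 10.20.1.25 and 10.20.3.4 as hosts worth pulling into an investigation. The egress rule in the rendered set logs before it drops, so every outbound hit arrives in the log with the source host attached; the `counter` keyword keeps per-rule hit counts that are worth graphing over time.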
Cybersecurity Professionals | Fiddling with Endpoints While Rome Burns
There is a growing culture among cybersecurity professionals that focuses almost exclusively on endpoint security, often to the detriment of the network's perimeter. Many of these professionals are so focused on installing and managing security agents on individual devices that they fail to see the bigger picture. This approach leads to:
Overreliance on Agent-Based Solutions: Endpoint security tools are essential, but they are only one part of a comprehensive security strategy. Focusing solely on endpoints ignores the broader network infrastructure and leaves organizations vulnerable to threats that bypass endpoints entirely.
Failure to See the Forest for the Trees: By obsessing over individual endpoints, cybersecurity teams often miss larger network threats that could be blocked at the perimeter. Firewalls, properly configured with IP blocklists, can serve as an early line of defense that catches threats before they spread across the network.
This "fiddle-with-endpoints" mentality has caused a significant decline in overall security hygiene, with firewalls left as neglected relics instead of vital network gatekeepers.
Wrapping Up | Time to Pull Up the Socks
The role of the firewall in cybersecurity is not just important; it is foundational. Unfortunately, many cybersecurity professionals have failed to properly implement or administer these tools, leading to a belief that firewalls are ineffective against modern threats. This is simply not true.
In reality, the failures lie not with the technology, but with its implementation. The lack of IP blocklists, misconfigured "any/any" rules, and the absence of networking knowledge all contribute to firewalls becoming information security sieves.
It’s time for cybersecurity professionals to step up, improve their firewall game, and adopt a more holistic approach to security that includes proper firewall configuration, IP blocklists, and network segmentation. Otherwise, the myth that "firewalls can't stop ransomware" will continue to propagate, and the state of cybersecurity will only deteriorate.
The security industry needs to stop blaming the tools and start improving their usage. Firewalls are far from obsolete—they just need to be used correctly. It's time for cybersecurity teams to pull up their socks and stop relying solely on endpoint solutions.
Ronald Bartels ensures that Internet inhabiting things are connected reliably online at Fusion Broadband South Africa - the leading specialized SD-WAN provider in South Africa.