⛄The Abominable Firewall | A Common Threat Born of Neglect 🥶


Firewalls are often regarded as the first line of defence in cybersecurity, serving as gatekeepers in a castle-and-moat architecture. However, far too many businesses unwittingly deploy what we’ll call “The Abominable Firewall.” Unlike its mythical namesake, the abominable snowman, these poorly configured and poorly managed firewalls are anything but rare. In fact, they are alarmingly common and pose a significant risk to organisations everywhere.
Here, we delve into what makes a firewall "abominable," why this is such a persistent problem, and how organisations can address this critical failure.
The Anatomy of the Abominable Firewall
An abominable firewall is not inherently bad hardware or software; instead, it’s the result of poor administrative practices. These firewalls suffer from:
Lack of Documentation
Have you ever seen detailed documentation for a firewall rule set?
Who created the rule?
When was it created?
Why does it exist?
What is it supposed to do, versus what it is actually doing?
In most cases, the answer is a resounding “no.” The absence of documentation makes it nearly impossible to review, audit, or clean up rules. Over time, this leads to a bloated, chaotic ruleset that no one understands.
Fear of Breaking Things
Administrators are often too afraid to disable rules, fearing that something might break. This hesitation stems from a lack of confidence in the ruleset and an absence of systematic processes. A well-documented firewall would eliminate this fear because changes could be tested and verified against clear records.
Static Over Dynamic
Many administrators shun dynamic configurations, believing them to be risky. This misunderstanding leads to rigid, static rules that fail to adapt to evolving threats. Secure dynamic processes, such as integrating threat intelligence feeds to drop malicious packets, are often ignored entirely.
Unusable User Interfaces
Firewall vendors also share the blame. Their interfaces often require dozens of disjointed configuration steps for a single function. The lack of process integration makes administration unnecessarily complex and error-prone.
Symptoms of an Abominable Firewall
Excessive Rule Count
At Telkom, one extreme case involved a firewall with 2 million rules that took 20 minutes just to boot. Such sprawling rule sets are unmanageable and prone to errors.
No Use of Groups
Groups are essential in a firewall for normalising and minimising the ruleset. By grouping similar IPs, services, or ports, administrators can replace hundreds of redundant rules with a handful of logical, efficient ones.
Rule-Order Dependency
Instead of leveraging inherent logic to create concise rules, abominable firewalls rely on the order in which rules are processed, resulting in multiple overlapping and redundant rules.
Lack of Internal Segmentation
Many firewalls only enforce rules at a single choke point between private and public networks. This approach ignores the benefits of internal segmentation, where multiple enforcement points divide the internal network into isolated segments.
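The symptoms above can be measured rather than guessed at. The following Python script is an added example, not code from the article: it runs an audit over a small, constructed rule base in first-match order and reports rules with no recorded owner, date or reason, rules that are redundant (fully covered by an earlier rule with the same action) and rules that are shadowed (covered by an earlier rule with the opposite action, so the later rule's intent is silently lost). The Rule model and sample rules are assumptions; a real audit would first export the vendor's rule base and map it onto this shape.

```python
"""Audit a flat firewall rule list for undocumented, redundant and shadowed
rules.

Added example, not code from the article. The rule model is a constructed,
vendor-neutral 5-tuple plus metadata; the sample rule base is invented.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    rid: int
    action: str              # "allow" or "deny"
    src: str                 # CIDR
    dst: str                 # CIDR
    proto: str               # "tcp", "udp" or "any"
    dport: Optional[int]     # None means any port
    owner: Optional[str] = None
    created: Optional[str] = None
    reason: Optional[str] = None

    def documented(self) -> bool:
        """A rule is documented only when who, when and why are all recorded."""
        return all((self.owner, self.created, self.reason))


def covers(a: Rule, b: Rule) -> bool:
    """True if every packet that b matches is also matched by a."""
    a_src = ipaddress.ip_network(a.src, strict=False)
    b_src = ipaddress.ip_network(b.src, strict=False)
    a_dst = ipaddress.ip_network(a.dst, strict=False)
    b_dst = ipaddress.ip_network(b.dst, strict=False)
    if a_src.version != b_src.version or a_dst.version != b_dst.version:
        return False
    return (b_src.subnet_of(a_src) and b_dst.subnet_of(a_dst)
            and a.proto in ("any", b.proto)
            and a.dport in (None, b.dport))


def dead_rules(rules):
    """Under first-match processing a rule whose traffic an earlier rule already
    decides can never fire. Same action: redundant clutter. Different action:
    shadowed, which usually means a misconfiguration nobody noticed."""
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "shadowed"
                findings.append((later.rid, earlier.rid, kind))
                break
    return findings


def undocumented_rules(rules):
    return [r.rid for r in rules if not r.documented()]


def audit(rules):
    return {
        "rule_count": len(rules),
        "undocumented": undocumented_rules(rules),
        "dead": dead_rules(rules),
    }


# Constructed sample rule base, listed in first-match order.
SAMPLE_RULES = [
    Rule(1, "allow", "10.0.1.0/24", "10.0.2.10/32", "tcp", 443,
         owner="netops", created="2023-04-12", reason="intranet web portal"),
    Rule(2, "allow", "10.0.1.5/32", "10.0.2.10/32", "tcp", 443),
    Rule(3, "deny", "10.0.0.0/8", "10.0.2.20/32", "tcp", 22,
         owner="secops", created="2024-01-08", reason="SSH only via bastion"),
    Rule(4, "allow", "10.0.1.0/24", "10.0.2.20/32", "tcp", 22,
         owner="helpdesk", created="2024-02-01"),
    Rule(5, "allow", "10.0.3.0/24", "10.0.2.30/32", "udp", 53,
         owner="netops", created="2022-09-30", reason="internal resolver"),
]

if __name__ == "__main__":
    for key, value in audit(SAMPLE_RULES).items():
        print(f"{key}: {value}")
```

On the sample, rule 2 is reported as redundant with rule 1 (and undocumented), and rule 4 as shadowed by rule 3: the helpdesk's SSH allowance never takes effect, which is exactly the rule-order dependency the article describes. Those findings are what make it safe to disable a rule: a rule that is provably dead cannot break anything when removed.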
Why the Abominable Firewall Fails Businesses
Ransomware’s Best Friend
Poorly managed firewalls are often the root cause of ransomware attacks making headlines. After a breach, so-called “experts” deflect responsibility, claiming the firewall could not have stopped the attack. The reality is that a properly configured and monitored firewall could have mitigated or prevented the breach.
Reactive, Not Proactive
Abominable firewalls are a symptom of reactive administrators who lack the structure, foresight, and planning needed to maintain an effective defence.
Missed Opportunities
Without leveraging dynamic configurations, threat intelligence feeds, or internal segmentation, abominable firewalls fail to utilise their full potential.
How to Fix the Abominable Firewall
Document Everything
Create and maintain detailed documentation for every firewall rule. Include who created it, when, why, and how it aligns with business objectives. Regularly review and update this documentation during audits.
Leverage Groups
Use groups to consolidate rules and reduce complexity. For example:
Instead of individual IPs, use IP ranges or address groups.
Combine similar services into service groups.
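As an added example (not the article's code), the Python below takes a constructed flat rule base of eight per-host rules, collapses it into two rules over named address groups, and renders the result as nftables sets and a default-deny forward chain. The flat rules, the group names and the table and chain names are all assumptions. The consolidation is done in two passes so that the grouped rules match exactly the same traffic as the originals; a naive merge of all sources and all destinations would permit flows the flat rules never allowed.

```python
"""Collapse flat per-host rules into named address groups and render the
result as nftables sets and rules.

Added example, not the article's code. The flat rules and the group, table
and chain names are constructed for illustration.
"""
from collections import defaultdict

# Constructed flat rule base: eight (action, src, dst, proto, dport) entries
# that an abominable firewall keeps as eight separate lines.
FLAT_RULES = [
    ("accept", s, d, "tcp", 443)
    for s in ("10.0.1.5", "10.0.1.6", "10.0.1.7")
    for d in ("10.0.2.10", "10.0.2.11")
] + [
    ("accept", "10.0.4.20", "10.0.2.20", "tcp", 22),
    ("accept", "10.0.4.21", "10.0.2.20", "tcp", 22),
]

# Logical group names keyed by exact membership (assumed names).
GROUP_NAMES = {
    frozenset({"10.0.1.5", "10.0.1.6", "10.0.1.7"}): "web_clients",
    frozenset({"10.0.2.10", "10.0.2.11"}): "web_servers",
    frozenset({"10.0.4.20", "10.0.4.21"}): "admin_hosts",
    frozenset({"10.0.2.20"}): "bastion",
}


def consolidate(rules):
    """Return (action, proto, dport, srcs, dsts) groups that match exactly the
    same traffic as the flat rules.

    Sources are merged per destination first, and destinations are merged
    only where their source sets are identical. Merging all sources and all
    destinations in one pass would permit the cartesian product, i.e. flows
    the flat rules never allowed.
    """
    by_dst = defaultdict(set)
    for action, src, dst, proto, dport in rules:
        by_dst[(action, proto, dport, dst)].add(src)
    by_srcs = defaultdict(set)
    for (action, proto, dport, dst), srcs in by_dst.items():
        by_srcs[(action, proto, dport, frozenset(srcs))].add(dst)
    return [(action, proto, dport, srcs, frozenset(dsts))
            for (action, proto, dport, srcs), dsts in by_srcs.items()]


def name_for(members):
    """Look up a group's logical name, minting one if none was assigned."""
    if members not in GROUP_NAMES:
        GROUP_NAMES[members] = f"grp_{len(GROUP_NAMES) + 1}"
    return GROUP_NAMES[members]


def render_nft(groups):
    """Render the named sets and a default-deny forward chain that uses them."""
    rule_lines = [
        f"    ip saddr @{name_for(s)} ip daddr @{name_for(d)} {proto} dport {dport} {action}"
        for action, proto, dport, s, d in groups
    ]
    set_lines = [
        f"  set {name} {{ type ipv4_addr; elements = {{ {', '.join(sorted(members))} }} }}"
        for members, name in GROUP_NAMES.items()
    ]
    return "\n".join(
        ["table inet filter {"] + set_lines
        + ["  chain forward {",
           "    type filter hook forward priority 0; policy drop;"]
        + rule_lines + ["  }", "}"]
    )


if __name__ == "__main__":
    groups = consolidate(FLAT_RULES)
    print(f"{len(FLAT_RULES)} flat rules -> {len(groups)} group rules")
    print(render_nft(groups))
```

Adding a ninth web client then means adding one element to the web_clients set rather than two more rules, and the rule base reads as intent ("web clients may reach web servers on 443") instead of as a list of addresses.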
Implement Internal Segmentation
Increase the number of enforcement points within the network by segmenting traffic between departments, data centres, or device types. This reduces the attack surface and limits lateral movement for attackers.
Adopt Dynamic Processes
Integrate dynamic threat intelligence feeds to block malicious traffic in real time. Use routing protocols or dynamic updates to adapt to changing conditions and threats.
Simplify Configuration
Demand better from firewall vendors. Push for UI improvements that streamline configuration processes, reducing the likelihood of errors and misconfigurations.
Train Administrators
Ensure administrators have the skills and knowledge to manage firewalls proactively. Training should focus on:
Best practices for rule creation and maintenance.
Leveraging advanced features like dynamic updates and segmentation.
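The article's "secure dynamic processes" and "Adopt Dynamic Processes" points both come down to the same thing: a threat intelligence feed may update a set that a drop rule consults, but it must never be allowed to edit the rule base itself, and its contents must be validated before they take effect. The Python below is an added example, not the article's code. It parses a constructed feed, rejects entries that would black-hole the organisation's own ranges or the whole Internet, and emits an nft batch that replaces the set's contents in one transaction. PROTECTED, the table and set names and the feed text are assumptions; the feed's addresses are documentation ranges standing in for hostile networks.

```python
"""Validate a threat intelligence feed before it drives a drop rule, and emit
the nft batch that refreshes the set atomically.

Added example, not the article's code. PROTECTED, the table and set names and
the feed text are constructed for illustration.
"""
import ipaddress

# Address space the feed may never cause us to drop (constructed).
PROTECTED = [ipaddress.ip_network(p) for p in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_feed(text, min_prefix_len=8):
    """Return (accepted, rejected). Each rejected entry carries its reason:
    unparseable, not ipv4 (the set type is ipv4_addr), a prefix so broad it
    amounts to blocking the Internet, or overlap with our own ranges."""
    accepted, rejected = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # feeds commonly carry comments
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            rejected.append((line, "unparseable"))
            continue
        if net.version != 4:
            rejected.append((line, "not ipv4"))
        elif net.prefixlen < min_prefix_len:
            rejected.append((line, "prefix too broad"))
        elif any(net.overlaps(p) for p in PROTECTED):
            rejected.append((line, "overlaps protected range"))
        else:
            accepted.append(str(net.network_address) if net.prefixlen == 32 else str(net))
    return accepted, rejected


def feed_update_batch(entries, table="inet filter", set_name="threat_feed"):
    """Batch for `nft -f`: flush and refill the set in one transaction, so the
    static rule base is never edited to update the feed. Assumes the set was
    declared with `type ipv4_addr; flags interval;` and that a rule such as
    `ip saddr @threat_feed drop` already references it."""
    lines = [f"flush set {table} {set_name}"]
    if entries:   # `add element` with empty braces is a syntax error in nft
        lines.append(f"add element {table} {set_name} {{ {', '.join(entries)} }}")
    return "\n".join(lines)


# Constructed feed, not a real source.
FEED_TEXT = """\
# example feed
203.0.113.0/24
198.51.100.7
0.0.0.0/0        # would drop everything
10.0.0.0/8       # overlaps our own address space
not-an-address
2001:db8::/32    # the set is ipv4_addr
"""

if __name__ == "__main__":
    accepted, rejected = parse_feed(FEED_TEXT)
    print(feed_update_batch(accepted))
    for entry, why in rejected:
        print(f"rejected {entry}: {why}")
```

Keeping the feed in its own set is what makes the process both dynamic and safe: the documented, reviewed rule base stays static and auditable, while the set can be refreshed as often as the feed changes, and every rejected entry is logged for review rather than silently applied.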
The Role of the Firewall Vendor
Firewall vendors must step up by designing solutions that are easier to configure and manage. Integration of processes into logical workflows—rather than disjointed UI elements—would significantly improve usability and reduce administrative errors.
Wrap
The abominable firewall is not a technological failure but an administrative one. Proper management, documentation, and use of advanced features can transform a chaotic, ineffective firewall into a robust cornerstone of cybersecurity. Businesses must demand more from their administrators and vendors alike, ensuring that their first line of defence is anything but abominable. With proactive measures, structured processes, and a commitment to excellence, the abominable firewall can become a thing of myth—just like its snowbound namesake.
Written by Ronald Bartels
Driving SD-WAN Adoption in South Africa