There are competing schools of thought on this. On the one hand, leaving your firewall's management interface reachable from the internet gives you another way in if you lock yourself out, or if you rely on an MSP to manage the device. On the other hand, remote management interfaces on firewalls have repeatedly been the target of critical vulnerabilities, and once such a bug is public, exposed interfaces are compromised quickly.
At Atec, we consider disabling external-facing firewall management a best practice. Given recent developments, we now reach management interfaces over a VPN, or over ZTNA for our Fortinet clients. If something goes badly wrong, such as an inadvertently pushed breaking change or some other unforeseen loss of access to the interface, we either go on-site to restore the device or run an ad-hoc support session over 5G through what is essentially a console server, which the client plugs into the serial port of whichever firewall we are managing.
Here are two reasons why we disable external access to firewall management interfaces:
- Zero-day attacks – there has been a litany of zero-day exploits against firewall vendors, for example:
  - Fortinet CVE-2022-42475 – a pre-authentication heap-based buffer overflow in the FortiOS SSL-VPN daemon, exploited in the wild before most customers had patched.
  - Cisco Identity Services Engine (ISE) vulnerabilities – these affected not just firewalls but many other Cisco identity and access management products.
  - CVE-2022-0030, PAN-OS authentication bypass in the web interface – this affected Palo Alto firewalls and Panorama appliances running unpatched PAN-OS 8.1 releases.
- Malicious scans – there are attackers who scan entire IP blocks and run scripts to fingerprint the equipment you are running. Attackers are generally lazy and automate wherever they can, and this fingerprinting is the reconnaissance phase of an attack. Once they know what you run at the edge, they gain leverage in several ways: they can go straight to a known or zero-day exploit for that product, as above, or they can socially engineer you by posing as the vendor or your MSP. We don't believe in "security through obscurity" as a primary control, but keeping that banner off the internet is part of our overall approach to security.
What Can I Do To Secure My Firewall Management Interface?
We recommend disabling the management interface on the internet-facing side while keeping it live inside your network and reachable over your VPN tunnel. If you are not running a VPN but do use a remote access solution, designate a VM or a standalone machine as a hardened bastion host (also known as a jump box) and administer the firewall only from it.
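As an added example (it is not Atec's tooling and not a Fortinet-provided script), the Python audit below parses the text of a FortiOS `show system interface` dump and flags every interface with role `wan` that still lists a management protocol under `allowaccess`; it then prints the CLI that would strip management from each flagged interface, leaving only ping. The configuration text it reads is constructed for the example: `wan1` is left exposed, `wan2` is already hardened, and `port1` is the inside interface where management is deliberately kept.

```python
"""Audit a FortiOS interface dump for management services exposed on WAN interfaces.

Added example, not Atec's or Fortinet's code. It assumes the input is the
text printed by `show system interface` on a FortiGate (edit/next blocks
with `set allowaccess ...` and `set role ...` lines).
"""
import re
from dataclasses import dataclass, field

# Protocols that give an attacker a management plane to attack. `fgfm` is
# the FortiManager channel; ping is deliberately not in this set.
MGMT_SERVICES = {"https", "http", "ssh", "telnet", "snmp", "fgfm"}

# Constructed sample dump: wan1 is the weak setting, wan2 the corrected one,
# port1 is the LAN side where management stays reachable from the VPN pool.
SAMPLE_CONFIG = """\
config system interface
    edit "wan1"
        set vdom "root"
        set ip 203.0.113.10 255.255.255.248
        set allowaccess ping https ssh
        set type physical
        set role wan
    next
    edit "port1"
        set vdom "root"
        set ip 10.10.0.1 255.255.255.0
        set allowaccess ping https ssh
        set type physical
        set role lan
    next
    edit "wan2"
        set vdom "root"
        set ip 198.51.100.2 255.255.255.252
        set allowaccess ping
        set type physical
        set role wan
    next
end
"""


@dataclass
class Interface:
    name: str
    role: str = "undefined"
    allowaccess: set = field(default_factory=set)


def parse_interfaces(config_text):
    """Return the Interface objects found in a `config system interface` section."""
    interfaces = []
    current = None
    in_section = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config system interface":
            in_section = True
            continue
        if not in_section:
            continue
        if line == "end":
            break
        m = re.match(r'^edit "(.+)"$', line)
        if m:
            current = Interface(name=m.group(1))
            continue
        if line == "next":
            if current is not None:
                interfaces.append(current)
            current = None
            continue
        if current is None:
            continue
        m = re.match(r"^set allowaccess\s+(.*)$", line)
        if m:
            current.allowaccess = set(m.group(1).split())
            continue
        m = re.match(r"^set role\s+(\S+)$", line)
        if m:
            current.role = m.group(1)
    return interfaces


def exposed_management(interfaces):
    """Map each WAN-role interface to the sorted management protocols it still allows."""
    findings = {}
    for iface in interfaces:
        if iface.role != "wan":
            continue
        exposed = iface.allowaccess & MGMT_SERVICES
        if exposed:
            findings[iface.name] = sorted(exposed)
    return findings


def remediation(findings):
    """Build the FortiOS CLI that removes management from every flagged interface.

    Only ping is kept so reachability tests from the outside still work.
    """
    lines = ["config system interface"]
    for name in sorted(findings):
        lines += [f'    edit "{name}"', "        set allowaccess ping", "    next"]
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    found = exposed_management(parse_interfaces(SAMPLE_CONFIG))
    for name, services in found.items():
        print(f"{name}: management exposed on WAN interface: {', '.join(services)}")
    if found:
        print(remediation(found))
```

Two caveats when running this against a real dump. The `role` attribute is only a hint: an interface carrying a public address but left at role `undefined` would slip past this check, so match on address ranges as well. And trimming `allowaccess` on the WAN side is only half of the recommendation: set `trusthost` entries on each administrator account so that even the inside interface accepts administrative logins only from the VPN pool or the jump box.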
As an alternative to a VPN or a jump box, Fortinet has a solid Zero Trust offering. If you are not ready to deploy something like ZTNA, Cloudflare has a Zero Trust solution that is cost-effective, secure, and covers a variety of other use cases; depending on which services in your network you need to make available to remote workers, it can replace the need for VPNs entirely.