Despite the claims of some security vendors, every firewall on the market is susceptible to being hacked. Threat actors can still circumvent a firewall’s defenses using a variety of techniques.
In fact, 40% of security professionals said that half of cyberattacks bypass their Web Application Firewall (WAF), according to a Neustar study.
That’s not to say that firewalls aren’t a worthwhile investment; they are a crucial component of any security tech stack. But to protect your business more effectively, it’s important to be aware of the ways a hacker could bypass a firewall.
How Firewalls Work
To understand how a firewall can be hacked, it’s important to first know how it works. A firewall monitors incoming and outgoing network data, and either allows or denies that data to reach its destination depending on configured rules. Firewalls are considered an example of perimeter security because they are often the first line of defense in a network.
Firewalls can come in the form of physical hardware or software running on workstations or servers. Both forms of firewalls act as a filtration system, blocking malicious traffic such as viruses, malware and hackers.
Firewalls use at least one of the following methods to monitor network traffic:
- Packet or static filtering. This is the most common type of firewall. Packets (small units of data) that attempt to enter the network are checked against a series of filters, and the firewall decides whether to let them through based on source and destination IP addresses, protocols and ports.
- Proxy service or application/gateway firewall. This method filters traffic at the application level. Proxy servers function as intermediaries, preventing direct connections between the device and incoming packets.
- Stateful inspection. This is a newer method that compares key components of the packet to a database, monitoring the packet for specific defining characteristics. If the packet is a reasonable match, it is allowed through.
- Next-generation firewalls (NGFW). These advanced firewalls combine traditional network firewall technology with web application firewalls (WAFs) to protect against both web-based and network attacks. An NGFW also incorporates other capabilities, such as intrusion prevention systems (IPS), antivirus and encrypted traffic inspection. One defining feature of an NGFW is deep packet inspection, which examines the data within the packet's payload rather than just the packet header.
5 Ways That Hackers Bypass Firewalls
Cybercriminals use a variety of techniques to circumvent a firewall. Here are five:
1. IoT devices
Internet-enabled devices like smartwatches and smart home technologies are a common attack vector. IoT devices are also notoriously difficult to update, or they are managed by a third party without regular updates. Plus, the sheer number of devices is enormous; 18 billion IoT devices are expected to be in use by 2022, according to telecom company Ericsson. That, combined with the fact that their security is often neglected, makes IoT a perfect opportunity for threat actors.
For example, a series of vulnerabilities, dubbed FragAttacks, enabled hackers to inject data into Wi-Fi traffic. These vulnerabilities were present in billions of Wi-Fi enabled devices. One of the more severe FragAttacks allowed hackers to force Wi-Fi devices to use a rogue DNS server to deliver users to malicious websites.
Plus, nearly all modern IoT devices come with Universal Plug-and-Play (UPnP), a feature that lets devices discover and communicate with each other automatically. Because this communication is automated rather than approved by an administrator, compromised devices can use it to bypass firewalls and deliver malware to the router.
2. Social engineering
Even the most secure firewall won't protect against social engineering attacks. Social engineering tactics can range from phishing scams to phone calls in which cybercriminals pretend to be a system admin requesting access. One example is a technique called NAT Slipstreaming, in which a threat actor lures a victim to a malicious site via a link. Once the victim visits the site, the threat actor can open any TCP or UDP port on the victim's system, bypassing client-side port restrictions.
When hackers combine social engineering with tools such as a rootkit and remote access tool, they can access and have full control over a user’s system. That’s why it’s important to have additional security controls such as multi-factor authentication and comprehensive end-user training.
3. Application vulnerabilities
A firewall may be secure, but if it's protecting an application or operating system with vulnerabilities, a hacker can easily bypass it. There are countless examples of software vulnerabilities that hackers can exploit to get around the firewall. Firewalls themselves can have vulnerabilities, too, which is why it's important to make sure the latest updates and patches are installed.
4. SQL injection attacks
A traditional network firewall operates at the level of IP addresses and network ports. In the OSI (Open Systems Interconnection) model, for example, a network firewall operates at layers 3, 4 and 5 (network, transport and session layers). However, it doesn't inspect application-layer protocols such as HTTP (Hypertext Transfer Protocol).
An entire category of attacks operates at the application level (OSI layer 7), where a network firewall simply won't catch them. One of those attacks is SQL injection, which exploits a vulnerability in an application's software and then uses malicious SQL code to access information. Hackers often use SQL injection to steal credit card numbers or password lists.
A WAF, acting as a barrier between the web application and the internet, can prevent most SQL injection attacks. However, there have been some examples of SQL injection attacks in which an attacker bypassed the WAF.
5. Firewall misconfigurations
Firewalls need proper configuration to effectively secure an organization, and it's easy to make mistakes, especially when an organization changes its IT infrastructure, as many did during the transition to remote work. Examples of firewall misconfigurations include assigning an interface to the wrong zone or creating a rule that bypasses the egress filter. When a firewall's policies are too permissive, the result can be compliance violations and breaches.
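To make the packet-filter matching described under "How Firewalls Work" and the misconfiguration pattern above concrete, here is an added example (not code from the original post or from any firewall vendor): a minimal first-match rule evaluator plus an audit that flags an allow-all rule and an allow rule that shadows the egress deny behind it. The rule format, the 10.0.0.0/8 network and the resolver address are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    action: str         # "allow" or "deny"
    proto: str          # "tcp", "udp" or "any"
    src: str            # CIDR, or "any"
    dst: str            # CIDR, or "any"
    dport: "int | None" # destination port, None = any port

def _net(cidr):
    return ip_network("0.0.0.0/0" if cidr == "any" else cidr)

def matches(rule, proto, src, dst, dport):
    """Static packet filter: compare protocol, source/destination IP and port."""
    return (rule.proto in ("any", proto) and rule.dport in (None, dport)
            and ip_address(src) in _net(rule.src) and ip_address(dst) in _net(rule.dst))

def decide(rules, proto, src, dst, dport):
    """First matching rule wins; anything unmatched is implicitly denied."""
    for rule in rules:
        if matches(rule, proto, src, dst, dport):
            return rule.action
    return "deny"

def covers(a, b):
    """True if every packet matched by rule b is also matched by rule a."""
    return (a.proto in ("any", b.proto) and a.dport in (None, b.dport)
            and _net(b.src).subnet_of(_net(a.src)) and _net(b.dst).subnet_of(_net(a.dst)))

def audit(rules):
    """Flag overly permissive allows and allows that shadow a later deny."""
    findings = []
    for i, rule in enumerate(rules):
        if rule.action != "allow":
            continue
        if rule.proto == "any" and rule.dst == "any" and rule.dport is None:
            findings.append(f"rule {i}: allows every protocol and port to any destination")
        for j in range(i + 1, len(rules)):
            if rules[j].action == "deny" and covers(rule, rules[j]):
                findings.append(f"rule {i} (allow) shadows rule {j} (deny): egress filter bypassed")
    return findings

# Constructed egress policy: DNS to the internal resolver, HTTPS out, deny everything else.
EGRESS = [Rule("allow", "udp", "10.0.0.0/8", "10.0.0.53/32", 53),
          Rule("allow", "tcp", "10.0.0.0/8", "any", 443),
          Rule("deny", "any", "10.0.0.0/8", "any", None)]
# The same policy after a "temporary" troubleshooting rule was inserted at the top.
BROKEN = [Rule("allow", "any", "10.0.0.0/8", "any", None)] + EGRESS
```

With `EGRESS`, an outbound TCP connection to port 4444 is denied; with `BROKEN` the same packet is allowed, and `audit(BROKEN)` reports both the permissive rule and the shadowed deny.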
Is a Firewall Enough Protection?
The short answer is no, a firewall alone isn’t sufficient protection for a business. Effective cybersecurity takes a layered approach, and a firewall is one of those layers.
A firewall is limited in that it can’t protect against phishing or social engineering attacks — a tactic found in 99% of cyberattacks, according to Proofpoint. Firewalls also require a lot of care and feeding; as threats emerge, vendors release updates to provide coverage for those threats. Some of those updates are automatically installed, but most will require an IT admin’s expertise.
NGFWs generally provide broader protection, offering the benefits of both a WAF and a network firewall. These solutions, like NGFWs from SonicWall and Palo Alto, can even perform the tasks of antivirus software, reducing the number of tools that you need to invest in. Software-based NGFWs are also easier to update; IT admins just need to download and install the update rather than replace physical parts in multiple appliances.
But businesses need more than an NGFW to address every security layer. At a minimum, a business should invest in a robust antivirus solution to protect against malware and some form of identity and access management, like multi-factor authentication (MFA), to prevent hackers from gaining unauthorized access via weak passwords.
One of the most important components of a security strategy is having visibility over your environment. Having multiple security tools like antivirus and MFA is great, but those tools are nearly useless without some form of centralized logging to aggregate data and generate an alert whenever an anomalous event occurs. That’s where security information and event management (SIEM) comes in; it creates actionable events to alert IT and security teams so they can stop an attack in its early stages.
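As an added illustration of the kind of correlation a SIEM performs over aggregated firewall logs (example code written for this page, not Blumira's detection logic), the function below parses constructed, vendor-neutral deny/allow log lines and raises one alert when a single source is denied on several distinct ports inside a sliding time window. The log format, addresses and thresholds are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed key=value line format; real firewalls each have their own syslog layout.
LINE_RE = re.compile(r"^(\S+) action=(\w+) proto=(\w+) src=(\S+) dst=(\S+) dport=(\d+)$")

def parse(line):
    """Turn one log line into a dict; returns None for lines that don't match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, action, proto, src, dst, dport = m.groups()
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "action": action, "proto": proto, "src": src, "dst": dst, "dport": int(dport)}

def detect_scans(lines, threshold=5, window_s=60):
    """Alert once per source that is denied on `threshold` distinct ports within `window_s`
    seconds. A sliding window per source means a slow trickle of denies never alerts."""
    recent = defaultdict(deque)      # src -> deque of (timestamp, dport) inside the window
    alerted, alerts = set(), []
    for ev in filter(None, map(parse, lines)):
        if ev["action"] != "deny":
            continue
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["dport"]))
        while (ev["ts"] - q[0][0]).total_seconds() > window_s:
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= threshold and ev["src"] not in alerted:
            alerted.add(ev["src"])
            alerts.append({"src": ev["src"], "ports": sorted(ports), "at": ev["ts"].isoformat()})
    return alerts

# Constructed sample: one host probing six ports in ten seconds, another denied twice an hour apart.
LOGS = [
    "2024-03-01T10:00:01Z action=deny proto=tcp src=198.51.100.7 dst=10.0.1.5 dport=21",
    "2024-03-01T10:00:02Z action=deny proto=tcp src=198.51.100.7 dst=10.0.1.5 dport=22",
    "2024-03-01T10:00:03Z action=allow proto=tcp src=10.0.2.9 dst=203.0.113.20 dport=443",
    "2024-03-01T10:00:04Z action=deny proto=tcp src=198.51.100.7 dst=10.0.1.5 dport=23",
    "2024-03-01T10:00:05Z action=deny proto=tcp src=203.0.113.2 dst=10.0.1.5 dport=3389",
    "2024-03-01T10:00:06Z action=deny proto=tcp src=198.51.100.7 dst=10.0.1.5 dport=25",
    "2024-03-01T10:00:08Z action=deny proto=tcp src=198.51.100.7 dst=10.0.1.5 dport=80",
    "2024-03-01T10:00:10Z action=deny proto=tcp src=198.51.100.7 dst=10.0.1.5 dport=443",
    "2024-03-01T11:00:05Z action=deny proto=tcp src=203.0.113.2 dst=10.0.1.5 dport=3389",
]
```

Running `detect_scans(LOGS)` yields a single alert for 198.51.100.7 at the fifth distinct denied port; the repeated single-port denies from 203.0.113.2 stay below the threshold.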
Try Blumira For Free
Traditional SIEMs are notoriously difficult to deploy and require a lot of manual configuration and fine-tuning to work effectively. Blumira leverages an in-house team of security experts to do the configuration and fine-tuning for you. Deployment takes a matter of hours, not days or weeks.
Blumira also takes SIEM a step further by using a 3-step rapid response approach. Blumira's cloud-based threat detection and response blocks threats immediately; provides playbooks for fast, guided response; and provides access to a team of security experts to help answer questions and improve your overall security posture.
Blumira easily integrates with several firewalls, including Check Point, Cisco, F5, Fortinet, Palo Alto, SonicWall, Sophos and WatchGuard.
Try Blumira for free today and start getting immediate security value.