
10 Common Firewall Mistakes That Hackers Love

Fix these firewall mistakes before hackers exploit them.

Top 10 Firewall Mistakes That Put Your Network at Risk

Hi, this is coffee number three here at my desk, and I’m still running on overdrive from the DefCon hardware hacking village; it keeps me humble when it’s so easy to find basic mistakes even in a world of shiny new tech. I’ve been doing this since the early 90s: started as a network admin when voice and data muxing over PSTN was cool (which also ages me) and lived through the Slammer worm and its nuttiness on networks.

These days, I’m running my own security shop, and I just helped three banks move to zero trust. Now that’s what I call layered security! Despite how much we may have evolved in this regard, firewall misconfigurations continue to be the low-hanging fruit hackers pluck like candy.

So without further ado, here are 10 firewall misses I see all too frequently. These aren’t obscure holes that take a research team to find; they’re the everyday side-steps, blowouts and outright sinkings of basic configuration. Quick heads-up: if you’re pressed for time, skip to the Quick Take at the end, but you won’t want to.

1. Open RDP Access

The horrors of open RDP (Remote Desktop Protocol). When I started out, RDP was not even on most attackers’ radar. Fast forward, and I’ve seen up close and personal how exposed RDP ports, especially the stock 3389, are honey for bad guys. This error alone has resulted in ransomware takeovers for customers multiple times.

Hackers use automated bots to scan for open RDP ports. When they find one, the password guessing or credential stuffing begins. And, by the way, many companies still neither restrict RDP access to known IPs nor enforce MFA for it.

Here’s the thing:

  • Don’t leave RDP open to the internet
  • Gate it behind VPN tunnels or zero trust controls
  • Multi-factor authentication is a must
  • Change the default port (but security by obscurity is not your primary defense)

Believe me, an up-to-date RDP setup is to information security what locking your car doors at night is to protecting all that candy you have in your pockets from being stolen. If you don’t do it, don’t be shocked when something is taken — perhaps even your portable spreadsheet machine.

2. Poor Logging Practices

Logging is about as popular as any other tiresome chore. I was as guilty of this as anyone in the early days, and who’d look through logs anyway? But logs are the black box of your firewall. Without good logs, investigating an attack is akin to trying to repair your car engine blindfolded.

Large numbers of organizations either log too little or keep logs for too short a time. Worse, logs aren’t actually reviewed or parsed often, so the warnings never get noticed.

Important logging essentials:

  • Do comprehensive firewall logging, including dropped packets
  • Store logs securely and retain them for the required compliance period
  • Regularly check logs or rely on automated analysis (but watch out for “AI-powered” claims; you still need human review)

Ignoring logs? It’s like driving a Ferrari without a dashboard — you’re flying blind.
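Sections 1 and 2 belong together: the bot traffic described under open RDP is exactly what good firewall logs let you see. Here is an added example (my code, not the author’s tooling or any vendor’s product) that runs three checks over a handful of constructed key=value log lines: a sliding-window count of hits on port 3389 per source to catch password-guessing bursts, a list of accepted RDP sessions from addresses outside a constructed admin allowlist, and a sanity check that denied traffic appears in the log at all. The log format, thresholds, addresses and allowlist are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample firewall log. The key=value layout is an assumption for this
# example, not any vendor's exact schema. 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges standing in for "the internet"; 192.0.2.5 is the internal
# host answering on 3389.
SAMPLE_LOG = """\
date=2024-05-01 time=09:00:01 srcip=203.0.113.10 dstip=192.0.2.5 dstport=3389 proto=6 action=accept
date=2024-05-01 time=09:00:04 srcip=203.0.113.10 dstip=192.0.2.5 dstport=3389 proto=6 action=accept
date=2024-05-01 time=09:00:06 srcip=203.0.113.10 dstip=192.0.2.5 dstport=3389 proto=6 action=accept
date=2024-05-01 time=09:00:09 srcip=203.0.113.10 dstip=192.0.2.5 dstport=3389 proto=6 action=accept
date=2024-05-01 time=09:00:11 srcip=203.0.113.10 dstip=192.0.2.5 dstport=3389 proto=6 action=accept
date=2024-05-01 time=09:00:15 srcip=203.0.113.10 dstip=192.0.2.5 dstport=3389 proto=6 action=accept
date=2024-05-01 time=09:02:30 srcip=198.51.100.7 dstip=192.0.2.5 dstport=443 proto=6 action=accept
date=2024-05-01 time=09:05:00 srcip=198.51.100.20 dstip=192.0.2.5 dstport=3389 proto=6 action=accept
date=2024-05-01 time=10:00:00 srcip=198.51.100.20 dstip=192.0.2.5 dstport=3389 proto=6 action=accept
"""

# Constructed allowlist: the only networks admins are supposed to RDP from.
KNOWN_ADMIN_NETS = [ip_network("198.51.100.0/24")]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict with a real timestamp and int port."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    fields["ts"] = datetime.strptime(fields["date"] + " " + fields["time"], "%Y-%m-%d %H:%M:%S")
    fields["dstport"] = int(fields["dstport"])
    return fields


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def rdp_bursts(events, window=timedelta(seconds=60), threshold=5):
    """Sources that hit port 3389 at least `threshold` times inside any `window`.
    A human clicks Connect once; a bot retries credentials in a tight loop."""
    by_src = defaultdict(list)
    for e in events:
        if e["dstport"] == 3389:
            by_src[e["srcip"]].append(e["ts"])
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[src] = end - start + 1
                break
    return flagged


def rdp_from_unknown_sources(events, allowed=KNOWN_ADMIN_NETS):
    """Accepted RDP sessions from addresses outside the admin allowlist."""
    return sorted({e["srcip"] for e in events
                   if e["dstport"] == 3389 and e["action"] == "accept"
                   and not any(ip_address(e["srcip"]) in net for net in allowed)})


def drop_logging_enabled(events):
    """Comprehensive logging means denied traffic shows up too. If not a single deny
    event exists in the sample, the policy is probably logging accepts only."""
    return any(e["action"] == "deny" for e in events)


def review(text):
    events = parse_log(text)
    return {
        "rdp_bursts": rdp_bursts(events),
        "rdp_unknown_sources": rdp_from_unknown_sources(events),
        "drop_logging_enabled": drop_logging_enabled(events),
    }


if __name__ == "__main__":
    for check, result in review(SAMPLE_LOG).items():
        print(f"{check}: {result}")
```

On the sample, 203.0.113.10 trips the burst check (six hits on 3389 inside fifteen seconds) and also shows up as an accepted RDP source outside the allowlist, while the absence of any deny line is itself a finding: a log with nothing but accepts is a firewall you cannot investigate with.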

3. Disabled Threat Detection

I have seen some client firewalls where threat detection is disabled for the sake of performance. Really? That’s the equivalent of disconnecting your car’s brakes because it uses less gas. Threat detection capabilities – IDS/IPS, malware filtering – are designed to catch or block anything amiss.

Some even depend only on perimeter firewalls, oblivious to the reality that attackers move around inside networks as well. A firewall with no real-time threat detection is wishful thinking.

Here’s my take:

  • Do not turn off IDS/IPS on your firewalls
  • Tailor threat signatures to your environment
  • Keep firmware and signatures updated on a regular basis

Attackers get more creative every day; running a firewall with its threat detection switched off is playing with fire.

4. No Geo-Blocking

There is nothing exotic about this kind of blocking. For example, the banks I worked with swear by only allowing traffic from the countries they do business with (that’s geo-blocking). Simple but effective. But a lot of organizations don’t turn this feature on, leaving their firewalls open to global noise.

Not every business can block that strictly, but blocking high-risk geographies or known hostile regions does away with a lot of unwanted traffic, which means less risk and less load.

Why do people skip geo-blocking? Often it’s the “but we have people working remotely worldwide” excuse, and that’s a fair one. But I advocate granular policies that reconcile access with security.

This is no silver bullet — but it’s akin to building a fence around your garden. It won’t stop everything, but it keeps most riff-raff out.

5. Unsecured VPNs

VPNs are the gateway drug for hackers when misconfigured. Just last month, working on a bank’s zero-trust setup, we found VPNs that permitted weak encryption and did no endpoint checks at all.

When VPNs are improperly secured:

  • Credentials get intercepted
  • Network access is acquired by infected devices
  • Intruders burrow in undetected

Best practices for VPNs:

  • Employ robust encryption (that means no more PPTP, people)
  • Deploy endpoint compliance checks
  • Combine VPN access with cloud-native zero-trust segmentation

Don’t forget, even the most secure VPNs are little more than a fancy door with no lock if they’re not properly authenticated and vetted.


The Rest I See All the Time (in Brief)

  • Default firewall rules left in place: “allow all outbound” is a rule a defense contractor would faint at the sight of, but you, yes you, might be guilty of it.
  • Trust levels too high: treating everything on the inside as if it were family.
  • Outdated firmware: we see devices with firmware from 2015 because “it’s stable.” News flash: stable to hackers is not secure.
  • Failing to firewall internally: caring only about the first layer of defenses. Internal segmentation is what wins.
  • No or weak MFA on firewall admin access: you wouldn’t leave your server room unlocked, so why leave firewall access wide open?
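To tie sections 3, 4 and 5 and the list above together, here is an added rulebase audit: example code I wrote for this page, not the author’s tooling, and it models no specific vendor’s configuration. It walks a constructed, vendor-neutral description of firewall policies, VPN tunnels and admin settings and reports the mistakes the post names: RDP reachable from any source, internet-facing rules with no geography restriction or IPS profile, logging turned off, allow-all outbound and flat internal rules, PPTP and weak ciphers, missing MFA and posture checks, unrestricted admin access, and old firmware. Field names, zone names, severities, the firmware-age cutoff and every sample value are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed, vendor-neutral model of a firewall configuration. Field names,
# zone names and sample values are assumptions made for this example.


@dataclass
class Rule:
    name: str
    src_zone: str                 # "wan", "lan", "dmz"
    dst_zone: str
    src: str                      # "any", an address object, or "geo:IN,SG" (country allowlist)
    service: str                  # "any", "RDP", "HTTPS", ...
    action: str                   # "accept" or "deny"
    log: str                      # "all" (accepts and denies), "accept-only", "disable"
    ips_profile: Optional[str] = None
    allow_worldwide: bool = False  # documented exception, e.g. a remote-worker portal


@dataclass
class VpnTunnel:
    name: str
    proto: str                    # "ikev2", "ikev1", "sslvpn", "pptp"
    cipher: str                   # "aes256-gcm", "aes128-cbc", "3des", "des", "rc4"
    dh_group: Optional[int]
    mfa: bool
    posture_check: bool           # endpoint compliance check before access is granted


@dataclass
class Admin:
    mfa: bool
    trusted_hosts: List[str]      # empty means "manage the firewall from anywhere"
    firmware_year: int


Finding = Tuple[str, str, str]    # (severity, object name, message)
WEAK_CIPHERS = {"des", "3des", "rc4", "none"}
WEAK_DH_GROUPS = {1, 2, 5}


def audit_rules(rules: List[Rule]) -> List[Finding]:
    out: List[Finding] = []
    for r in rules:
        inbound = r.src_zone == "wan" and r.action == "accept"
        flat = r.src == "any" and r.service == "any" and r.action == "accept"
        if inbound and r.src == "any" and r.service in ("RDP", "any"):
            out.append(("critical", r.name, "RDP reachable from any internet address; gate it behind VPN/zero trust plus MFA"))
        if inbound and r.src == "any" and not r.allow_worldwide:
            out.append(("medium", r.name, "internet-facing rule with no geography restriction"))
        if inbound and r.ips_profile is None:
            out.append(("high", r.name, "no IDS/IPS profile on an internet-facing rule"))
        if r.log != "all":
            out.append(("high", r.name, f"logging is '{r.log}'; dropped packets will never be seen"))
        if flat and r.src_zone == "lan" and r.dst_zone == "wan":
            out.append(("medium", r.name, "default allow-all outbound still in place"))
        if flat and r.src_zone != "wan" and r.dst_zone != "wan":
            out.append(("medium", r.name, "any/any between internal zones; no internal segmentation"))
    return out


def audit_vpns(tunnels: List[VpnTunnel]) -> List[Finding]:
    out: List[Finding] = []
    for t in tunnels:
        if t.proto == "pptp":
            out.append(("critical", t.name, "PPTP is broken; replace it"))
        if t.cipher.lower() in WEAK_CIPHERS:
            out.append(("high", t.name, f"weak cipher {t.cipher}; credentials and traffic can be recovered"))
        if t.dh_group in WEAK_DH_GROUPS:
            out.append(("medium", t.name, f"weak DH group {t.dh_group}"))
        if not t.mfa:
            out.append(("high", t.name, "no MFA; an intercepted credential is enough to get in"))
        if not t.posture_check:
            out.append(("medium", t.name, "no endpoint compliance check; infected devices get network access"))
    return out


def audit_admin(a: Admin, current_year: int) -> List[Finding]:
    out: List[Finding] = []
    if not a.mfa:
        out.append(("high", "admin", "no MFA on firewall administration"))
    if not a.trusted_hosts:
        out.append(("high", "admin", "management reachable from any address"))
    if current_year - a.firmware_year > 2:   # assumed cutoff for "outdated"
        out.append(("medium", "admin", f"firmware from {a.firmware_year}; 'stable' is not 'patched'"))
    return out


# Constructed sample configuration with several of the post's mistakes baked in.
SAMPLE_RULES = [
    Rule("wan-to-jumphost-rdp", "wan", "dmz", "any", "RDP", "accept", "accept-only"),
    Rule("wan-to-web", "wan", "dmz", "geo:IN,SG", "HTTPS", "accept", "all", ips_profile="default"),
    Rule("lan-out-default", "lan", "wan", "any", "any", "accept", "disable"),
    Rule("lan-to-servers", "lan", "dmz", "any", "any", "accept", "all"),
]
SAMPLE_VPNS = [
    VpnTunnel("legacy-branch", "pptp", "rc4", None, mfa=False, posture_check=False),
    VpnTunnel("staff-ssl", "sslvpn", "aes256-gcm", 14, mfa=True, posture_check=True),
]
SAMPLE_ADMIN = Admin(mfa=False, trusted_hosts=[], firmware_year=2015)


def audit_all(rules=SAMPLE_RULES, vpns=SAMPLE_VPNS, admin=SAMPLE_ADMIN, current_year=2024):
    order = {"critical": 0, "high": 1, "medium": 2}
    findings = audit_rules(rules) + audit_vpns(vpns) + audit_admin(admin, current_year)
    return sorted(findings, key=lambda f: order[f[0]])


if __name__ == "__main__":
    for sev, obj, msg in audit_all():
        print(f"[{sev:8}] {obj}: {msg}")
```

The clean rule (`wan-to-web`, geography-restricted, IPS applied, full logging) and the clean tunnel (`staff-ssl`) produce no findings, which is the point of writing the checks this way: the audit should stay quiet on a configuration that follows the advice above and get loud only on the exceptions you have not consciously documented.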

Quick Take For the Busy Execs

  • Lock down RDP — no exceptions, no excuses
  • Log like your life depends on it (because it does)
  • Turn threat detection on, and don’t be lazy about keeping it on
  • Block dangerous geographies to limit noise and dangers
  • Lock down your VPNs: Don’t trust the tunnel alone

Wrapping It Up

Here’s my somewhat grumpy, but well-intentioned advice: firewalls are your first line of defense, but they suck without the human hands and brains behind them. I have witnessed all these and made some myself (when I thought that open access equals easy administration).

Security is not set-it-and-forget-it. It’s an ever-evolving battleground. Taking these things into account isn’t optional if you want your network to be as secure as a classic Rolls-Royce stored in a locked garage.

Well, PJ Networks Pvt Ltd is here to help you find those holes before the bad guys do. Because — and I mean this — every misconfiguration is an invitation. And hackers? They’re always RSVP-ing.

Alright, coffee 4 is calling. Stay sharp out there.

Sanjay Seth
