Why Default Firewall Settings Are Putting Your Business at Risk

And here I am — third cup of coffee in, typing away, thinking about firewalls once more. You know, there’s one thing that blows my mind 30+ years into networking and cybersecurity (yes, I mean it, I started doing my sysadmin chores back in ’93 when dial-up was king). How often you see businesses run with their firewalls on default settings. I have seen this firsthand, from fighting off the Slammer worm nearly two decades ago to assisting three large banks to upgrade their zero-trust architecture just recently. And believe me, not understanding firewall basics is about as bad as not locking the front door then being surprised that you got robbed.

Default Settings? Sounds Innocent, but Dangerous

These are designed to be a fast start, right? But here’s the rub—default doesn’t mean secure. It means vulnerable. And that’s an open house for attackers. Let me explain to you why those settings are so important, why default firewall settings are making your business vulnerable, and what you can do about it.

1. Default Passwords

Oh, boy — this could be a whole rant. Default passwords are the easy pickings for hackers. Really, you buy a classy sports car and then leave the keys in the ignition and a sign taped to the windshield that reads COME TAKE ME OUT FOR A SPIN. That’s your firewall, using default credentials.

Back in the ‘90s, when I was starting up, I found one incident where someone in the company left a firewall with the default admin/admin password during a maintenance window. A couple hours later—boom! — an external IP was trying to get in without permission. It was a pain in the butt and cost the company a lot in downtime.

Here’s how we prevent this no-brainer mistake at PJ Networks:

• Change any password upon first use. No exceptions.
• Use strong passphrases — that is, at least 12 characters, with a combination of upper and lower case, numbers and symbols. Yes, it’s annoying. Yes, you will forget it (write it down and keep it safe). But that’s better than getting hacked.
• Use role-based access controls — restrictions on who can do what.

Password rules can be dull, but they prevent you from having nightmares.

2. Open Management Interfaces

This is the one that haunts me at night. Management interfaces—think SSH, web GUIs and SNMP—tend to be exposed to the internet by default. And guess what? Attackers scan entire IP ranges to find exactly these open doors.

At DefCon recently (seriously, still giddy from the hardware hacking village, why haven’t you been, go), they had this really cool demo about how you can compromise an open management port in x number of minutes. It’s not sci-fi; it’s real.

The fix?

• Do not allow management interfaces to be accessible directly from the internet. Always lock access down to VPNs or whitelisted IP addresses.
• Alter default management ports – default ports are quite literally the first place attackers look.
• Turn on logging and alerting — watch every access attempt like the success of your business depends on it (because it does).

3. Weak Default Rules

Firewall rules out of the box usually go for convenient rather than secure. It’s like having a restaurant kitchen with the back door open all the time the restaurant is open. Some of the traffic is allowed in/out unfiltered, providing an easy way through for attackers.

I came upon a customer (one of those 3 banks we just upgraded) many years ago working for a bank where on their firewall there were out-of-the-box allowed a lot of inbound protocols they didn’t need to have. Closing those gaps was a game changer in terms of mitigating their risk.

Here’s the bottom line:

• Transition from allow all to a least-privilege approach. Allow only what is strictly necessary to conduct business.
• Periodically review firewall rules— old, dusty, and over-broad rules add up fast and increase blast radius.
• Segment your network to contain the impact of potential breaches.

4. Disabled Security Features

Occasionally settings may come out the box with certain security features disabled to make things easier e.g. you may need to enable some security features or set a password. Threat detection, deep packet inspection, intrusion prevention systems (IPS) are all essential, but usually turned off by default.

I confess—even I ignored some of these things, years back, in the hopes of a clean setup and better performance. Big mistake. And after watching malware slip through gaps I hadn’t known were there, I learned the hard way.

Don’t be that guy.

• Turn on every security feature in your firewall the very first day. That includes things like IPS, DoS protection, content filtering and logging.
• Fine tune the features to your environment so you don’t get overwhelmed in false positives.
• Keep your firewall definitions up-to-date. No excuses here.

5. No Multi-Factor Authentication

If you believe that a password is all that stands between your firewall’s management interface and the entire rest of the internet, you must also think Capital One has the best security. Your guard, when credentials are stolen, is multi-factor authentication (MFA).

Just recently, at PJ Networks, we assisted a bank in retrofitting MFA over their firewall control in an overhaul they call zero trust. Result? Vastly lower risk of unauthorized access — even if passwords were phished.

Quick facts:

• Enable MFA for all administrative access. Favor hardware tokens and authenticator apps over SMS.
• Have a process to consistently check who has MFA and who doesn’t – no slacking off.
• Train your team to recognize phishing attacks, because MFA is not a panacea. It’s a vital layer.

Quick Take

I don’t have to remind you that cyber threats are constantly changing, however, you would do as well to be satisfied that default firewall settings will keep them at bay, as you would if you parked your car in a bad neighborhood left the doors unlocked. It’s asking for trouble.

Here’s what matters:

• Change default passwords.
• Restrict management access.
• Review and reduce the number of allowed firewall rules.
• Turn on security features that come turned off.
• Mandate multi-factor authentication.

Don’t wait for a breach. Guard your business as if your life depends on it — because it does.

Some Final Thoughts

Cybersecurity isn’t what you get when you buy the next shiny thing in tech, or when you deploy whatever solution incorporates the most commonly recurring words at CES in a particular year. It’s about hard work, best practices and sometimes just straight-up common sense. I see companies surprised every day by these realities because they ignored these basics. And yes, it’s frustrating — it’s as if you handed the keys to a Ferrari to someone and left it unlocked.

But here’s the good news: Firewall security is manageable. Here at PJ Networks we’ve been setting up secure network firewalls from day 1 for like forever! Whether you’re a bank, an SMB, or a small startup — it can make an enormous difference to go through this process.

So, when next you’re reviewing your firewall setup – remember – default doesn’t mean safe. Change your defaults. Harden your security. And for the love of Mike don’t skip your third coffee before you check those config files. You’ll thank me later.