Is your edge and border defence tech vulnerable, and what to do about it

Following a number of recent high-profile events, edge and border defence technologies such as firewalls, VPN gateways and intrusion prevention systems have been getting a lot of attention from both security researchers and threat actors alike.

These include a mass exploitation campaign against Fortinet firewalls, summer 2024’s CrowdStrike outage, and the use of a vulnerability to disable Palo Alto firewalls, among others – each of which has resulted in various levels of disruption. The issues are of particular concern because they specifically target the systems employed to protect our networks from threats.

Some recent reports revealed that zero-day attacks against such devices remained active and undetected for months before discovery, with vulnerabilities left in place even after patches have been issued. As such, the need for a more proactive approach to securing devices is more urgent than ever. This is because, should cybercriminals gain a foothold in these technologies, they can potentially control the entire network behind the device as well as the outward traffic flow.

But how can these issues be addressed? From the security leadership perspective, it’s important to understand that edge and border security devices are not inherently secure. Yes, they perform a vital role and have done so for many years – firewalls are used by 75% of UK businesses, for example – but to ensure they remain fit for purpose, they require a best-practice approach and regular updates.

On a practical level, this can include checking device configurations, reviewing and adjusting default logging and alert settings, and limiting the exposure of management interfaces and sensitive services to the public Internet. Organisations should also plan for the possible, including scenarios that assume their devices have already been compromised.

Consider the risks associated with misconfigured devices, for example, which can unintentionally expose management interfaces and protocols to the Internet and make them visible to anyone who cares to look for them. Yet unless the service they provide is intended for general public consumption, relatively few edge and border defence technologies need to be entirely Internet-facing. Instead, access should be restricted on a zero trust/needs-must basis.

Taking this a step further, it’s also a good idea to limit the locations from which an edge or border defence device can be accessed to locations that are predictable. In this situation, security teams can more easily apply rules, permissions and access controls that trigger alerts if abnormal access attempts are made. An example of this approach is when device access is routed through a VPN or jump box, which ensures the location is always predictable and under control. For those organisations where the use of a VPN is not an option, access can be restricted to specific physical locations to maintain that valuable layer of control.

Being proactive about edge and border defence device security also relies on processes such as penetration testing, which can help identify misconfigurations and instances where there is unwanted direct Internet access. A holistic approach that tests as many externally-facing devices as possible can ensure security teams have a complete picture of any potential access-related vulnerabilities. Armed with this insight, it’s much easier and more effective to improve security posture and ensure the door isn’t inadvertently left wide open.

Another area of edge and border defence often neglected is when organisations rely on – or forget to update – the default logging settings across their devices, which are often inadequate for tracking and analysing potential threat exploits. Moreover, many organisations will only retain device logging and alert data for just a few weeks – an approach that, in the event of a security incident, makes it more difficult to conduct the necessary forensics work and understand attack origins. This is particularly true in the case of zero-day attacks, where exploits can remain undetected and active for weeks and even months. To remain proactive, organisations should conduct regular (and ideally real-time) logging analysis to identify abnormal behaviour on the network and detect potential threats.
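As an added illustration of the two points above (routing management access through a predictable jump box or VPN, and reviewing logs for abnormal access), here is a small Python detector over constructed admin-login log lines; it is not code from the article. The log format, the jump box address, the VPN pool and the failure threshold are all assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log lines in a hypothetical syslog-style format
# (not any vendor's real format). Line 6 is an internal host that bypassed
# the jump box; lines 3-5 are an Internet source with repeated failures.
SAMPLE_LOGS = """\
2024-09-01T08:02:11Z fw01 admin-login user=netops src=10.20.0.5 result=success
2024-09-01T08:05:43Z fw01 admin-login user=netops src=10.20.0.5 result=success
2024-09-01T11:47:09Z fw01 admin-login user=admin src=203.0.113.77 result=failure
2024-09-01T11:47:15Z fw01 admin-login user=admin src=203.0.113.77 result=failure
2024-09-01T11:47:21Z fw01 admin-login user=admin src=203.0.113.77 result=success
2024-09-01T13:10:02Z fw01 admin-login user=netops src=10.20.0.9 result=success
"""

# Assumed allow-list: the jump box (/32) and the VPN client address pool.
ALLOWED_MGMT_SOURCES = [ipaddress.ip_network("10.20.0.5/32"),
                        ipaddress.ip_network("10.30.0.0/24")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) admin-login user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>success|failure)$")

def parse_line(line):
    """Return the fields of one admin-login event, or None for other lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def source_allowed(src, allowed=ALLOWED_MGMT_SOURCES):
    """True only if the source sits inside the jump box / VPN allow-list."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in allowed)

def find_abnormal_access(log_text, allowed=ALLOWED_MGMT_SOURCES, fail_threshold=2):
    """Alert on management logins from unexpected sources (successful or not)
    and on a source/user pair that reaches fail_threshold failures."""
    alerts, failures = [], Counter()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if not source_allowed(ev["src"], allowed):
            alerts.append({"type": "unexpected_source", "ts": ev["ts"],
                           "src": ev["src"], "user": ev["user"], "result": ev["result"]})
        if ev["result"] == "failure":
            key = (ev["src"], ev["user"])
            failures[key] += 1
            if failures[key] == fail_threshold:
                alerts.append({"type": "repeated_failures", "ts": ev["ts"],
                               "src": ev["src"], "user": ev["user"], "count": fail_threshold})
    return alerts
```

Note that the internal host 10.20.0.9 is flagged even though it is on the LAN: the check is "did this come from the predictable path", not "is this address internal".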

The overall message behind these best practice points is that these critical security devices aren’t just plug-and-play. While they are increasingly sophisticated and offer various automation capabilities, they remain vulnerable to attack. Threat actors rely on organisations to forget, ignore, or deprioritise setup, maintenance, and updates. They will target organisations that have weak defences or vulnerable entry points, and those put at risk by zero-day exploits and other vendor-specific security issues. In contrast, security teams that close each device-related security loophole can ensure their edge and border defences are robust and up to the challenge of keeping networks secure.
