Meritshot
Cyber Security

The Firewall Rule Your Team Wrote Is the Gap the Attacker Walked Through

A contractor needed temporary access to a staging server 18 months ago. The access request was closed. The firewall rule was never removed. The server was repurposed. The attacker was in the network for 22 days. Here's how firewall rule accumulation becomes an attack surface.

Meritshot Team7 min read
Cyber SecurityFirewallNetwork SecurityMisconfigurationBlue TeamSecurity ArchitectureZero Trust
Back to Blog

The Firewall Rule Your Team Wrote Is the Gap the Attacker Walked Through

The breach investigation report said the attacker had been in the network for twenty-two days before detection. The entry point wasn't a zero-day. It wasn't a sophisticated supply chain compromise. It wasn't a nation-state APT technique that nobody could have anticipated.

It was a firewall rule that permitted inbound traffic on port 8080 from any source to a development server — a rule that had been written eighteen months earlier for a contractor who needed temporary access to a staging environment. The contractor's engagement ended. The access request was closed in the ticketing system. The firewall rule was never removed.

The development server in question had been repurposed. It was now running a service that had credentials for three production databases and write access to the authentication microservice. The firewall rule that said "temporary contractor access" had become "permanent path from the internet to production data."

Nobody intended this. Everyone who touched the system between the original rule creation and the breach was competent and well-intentioned. The problem was structural.

Server infrastructure and network firewall

Rule Accumulation: The Technical Debt That Becomes an Attack Surface

Firewall rule sets don't shrink. In every environment that has been running for more than two years, the default trajectory of a firewall rule set is growth — rules get added for legitimate operational reasons, rules get added for temporary exceptions that become permanent, rules get added by multiple teams without coordination, and rules almost never get removed because removal carries perceived risk and addition carries perceived safety.

The result is rule bloat: a firewall policy that has grown to hundreds or thousands of rules, where the effective security posture is determined not by the rules that were intentionally written but by the interaction between rules that nobody has mapped in their entirety.

The four categories of rules that shouldn't exist but always do:

1. Orphaned rules — rules created for systems, services, or users that no longer exist. The system was decommissioned, the user left the company, the service was migrated — but the rule remained. These rules are invisible in operational dashboards because they never fire on legitimate traffic. They are only visible when an attacker discovers the open port and uses it.

2. Overly broad rules — rules that permit access from "any source" when access should be restricted to specific IPs. The original author used "any" for convenience during testing and never narrowed it before production deployment. "Any" means any device on the internet.

3. Shadow IT rules — rules created by teams outside the security perimeter to enable tools and services that weren't formally approved. These rules exist below the documentation threshold and are often unknown to the security team.

4. Overlapping rules — rules that create effective permissions through combination that no individual rule was intended to create. Rule 147 permits traffic from subnet A to server group B. Rule 203 permits traffic from server group B to the financial systems. Together they create a transitive path from subnet A to the financial systems that neither rule's author intended.

What a Proper Rule Should Document

Every firewall rule should be self-documenting. Rules without context cannot be safely reviewed or removed.

Minimum documentation for every rule:

Rule ID: FW-2024-0847
Description: Allow contractor ACME Corp access to staging API server
Business justification: Contractor requires access for integration testing during SOW-2024-Q1
Source: 203.0.113.0/28 (ACME Corp office IP range - verified 2024-01-15)
Destination: 10.20.30.45 (staging-api-01.internal)
Port/Protocol: TCP/443 (HTTPS only)
Created by: J. Smith (jsmith@company.com)
Approved by: IT Security Lead + Department Head
Created: 2024-01-15
Expiry: 2024-03-31 (end of SOW)
Review date: 2024-02-15 (mid-engagement review)

Rules with expiry dates can be automatically flagged for review. Rules with specific source IP ranges rather than "any" limit exposure. Rules with documented justification can be evaluated against current operational need.

The Audit Process That Finds Real Gaps

A firewall audit that checks rules against policy and documentation misses the most dangerous category: rules that are technically correct in isolation but create unintended paths through the network in combination.

The correct audit approach:

Step 1: Enumerate all rules and identify documentation gaps

Any rule without a documented business justification, expiry date, or originating ticket reference is an immediate review candidate. These rules exist without auditable justification — they may be legitimate, they may be orphaned, they cannot be safely categorised without investigation.

Step 2: Map effective permissions, not rule-by-rule permissions

Use a firewall analysis tool (Tufin, AlgoSec, RedSeal) to map what effective network paths exist, not what individual rules permit. The question is not "does rule 203 permit this traffic" but "can a device on subnet A reach the financial systems, through what path, and was that path intentional?"

Step 3: Test rules against current infrastructure state

Verify that every "destination" in every active rule maps to a system that still exists and still serves the purpose documented in the rule. Firewall rules pointing to IP addresses that now host different services than when the rule was created are orphaned relative to their original intent even if the IP is still active.

Step 4: Identify temporary rules that became permanent

Filter rules for those created over six months ago with no review date or with expiry dates that have passed. These are the contractor rules, the emergency exceptions, the "we'll fix this properly later" workarounds that were never fixed properly.

Network security and firewall configuration

Zero Trust as a Structural Response

The firewall rule accumulation problem is a symptom of the castle-and-moat security model: define a perimeter, trust everything inside, block everything outside. Once something is inside the perimeter (through a legitimate firewall rule or through a breach), it moves freely.

Zero trust replaces perimeter trust with continuous verification: no network location is trusted by default, every access request is authenticated and authorised regardless of source, and access is granted at the application/service level, not at the network level.

The practical implication for firewall architecture:

Instead of a firewall rule that permits traffic from subnet A to subnet B across port range 1024-65535, zero trust architecture establishes application-level access controls: user/service X is permitted to call API Y with specific methods, regardless of what network segment X is on.

This doesn't eliminate firewall rules — it changes what they do. Firewalls in a zero trust architecture enforce macro-segmentation (which network segments can communicate at all) while fine-grained access control lives at the application layer. The result is that a compromised system in one network segment cannot move laterally by exploiting broad firewall permissions — it is still constrained by application-layer authentication requirements.

The Minimum Viable Governance Process

Rule lifecycle management:

  • All rules require a business justification and approving authority
  • All temporary rules require an expiry date and are automatically flagged at expiry
  • All rules are reviewed every 90 days — not just exceptions, all rules
  • Rule removal requires the same approval process as rule creation (the asymmetry that causes accumulation is removed)

Change management:

  • Infrastructure changes (server repurposing, service migrations) trigger a firewall rule review for all rules pointing to the affected assets
  • Contractor and vendor access rules are tied to contract end dates and removed on contract closure

Testing:

  • Quarterly penetration testing includes firewall rule validation — verify that the actual permitted paths match the intended permitted paths
  • Annual external network assessment identifies services exposed to the internet that shouldn't be

The twenty-two-day breach started with a firewall rule that was correct on the day it was written and never revisited. The attacker didn't need a zero-day. They needed a port scanner and a legacy rule that nobody had looked at in eighteen months.

Recommended

View all Cyber Security articles