A firewall isn’t airtight. It is only as reliable as the configuration running on it and as its own security posture. The soundest way to configure one is default deny: block all communication, then permit only the traffic and services the network actually needs, and expose the firewall’s own management interfaces on the internal side only, never on the Internet-facing one. The firewall should also send its logs, including every allow and deny decision, to an external log collector (a SIEM or syslog server) where they can be correlated with alerts from an intrusion detection system (IDS) that watches for suspicious activity. Finally, keep the firewall itself current with vendor updates and patches, so that the device meant to keep intruders out does not itself become the way in.
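The default-deny and management-exposure advice above can be checked mechanically. The following is an added example, not code from the original article: it models a simplified stateless ruleset with first-match semantics and audits it for a permissive default policy, for the firewall’s own management ports being reachable from the WAN interface, and for unlogged drops. The rule model, interface names, ports, addresses (RFC 5737 documentation ranges) and both rulesets are constructed for illustration.

```python
"""Added example (not from the original article): audit a simplified firewall
ruleset for a permissive default policy, a management plane reachable from
the WAN, and unlogged drops.  All names and addresses are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    in_if: str            # ingress interface ("wan", "lan") or "*" for any
    src: str              # source CIDR or "*"
    dst: str              # destination CIDR or "*"
    proto: str            # "tcp", "udp", "icmp" or "*"
    dport: Optional[int]  # destination port, None for any
    action: str           # "accept" or "drop"
    log: bool = False     # whether matches are sent to the log collector


@dataclass(frozen=True)
class Packet:
    in_if: str
    src: str
    dst: str
    proto: str
    dport: Optional[int]


def _matches(rule: Rule, pkt: Packet) -> bool:
    if rule.in_if != "*" and rule.in_if != pkt.in_if:
        return False
    if rule.src != "*" and ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if rule.dst != "*" and ip_address(pkt.dst) not in ip_network(rule.dst):
        return False
    if rule.proto != "*" and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def evaluate(rules: List[Rule], default_action: str, pkt: Packet) -> Tuple[str, Optional[int]]:
    """First-match semantics: the first matching rule decides (returned with its
    index); if none matches, the chain's default policy applies (index None)."""
    for index, rule in enumerate(rules):
        if _matches(rule, pkt):
            return rule.action, index
    return default_action, None


# Constructed addresses: the firewall's WAN and LAN addresses, a DMZ web
# server it publishes, and an arbitrary Internet host acting as the attacker.
FW_WAN_IP = "198.51.100.10"
FW_LAN_IP = "10.0.0.1"
DMZ_WEB = "198.51.100.20"
INTERNET_HOST = "203.0.113.7"
MGMT_PORTS = {22: "ssh", 443: "web UI"}   # assumed management services on the firewall


def audit(rules: List[Rule], default_action: str) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if default_action != "drop":
        findings.append(f"default policy is '{default_action}'; should be 'drop'")
    # Can an Internet host reach the firewall's own management plane?
    for port, name in MGMT_PORTS.items():
        probe = Packet("wan", INTERNET_HOST, FW_WAN_IP, "tcp", port)
        action, index = evaluate(rules, default_action, probe)
        if action == "accept":
            via = "default policy" if index is None else f"rule #{index + 1}"
            findings.append(f"{name} (tcp/{port}) reachable from WAN via {via}")
    # Are denied connections logged, so the log collector and IDS see probing?
    if not any(r.log for r in rules if r.action == "drop"):
        findings.append("dropped traffic is not logged")
    return findings


# Weak policy, as in the article's scenario: default accept, and the web UI
# rule is bound to no interface, so it is answered on the WAN side as well.
WEAK_DEFAULT = "accept"
WEAK_RULES = [
    Rule("*", "*", FW_WAN_IP, "tcp", 443, "accept"),
    Rule("*", "*", FW_LAN_IP, "tcp", 443, "accept"),
]

# Hardened policy: default drop, management only from the LAN interface and
# LAN address range, the published DMZ service allowed explicitly, and a
# final logging catch-all so every drop reaches the log collector.
HARDENED_DEFAULT = "drop"
HARDENED_RULES = [
    Rule("lan", "10.0.0.0/8", FW_LAN_IP, "tcp", 443, "accept"),
    Rule("lan", "10.0.0.0/8", FW_LAN_IP, "tcp", 22, "accept"),
    Rule("wan", "*", DMZ_WEB, "tcp", 443, "accept"),
    Rule("*", "*", "*", "*", None, "drop", log=True),
]


if __name__ == "__main__":
    for label, rules, default in (("weak", WEAK_RULES, WEAK_DEFAULT),
                                  ("hardened", HARDENED_RULES, HARDENED_DEFAULT)):
        print(f"{label}: {audit(rules, default) or ['no findings']}")
```

The hardened rules restrict management by ingress interface as well as by source range: a packet arriving on the WAN side with a spoofed 10.x source still hits the catch-all drop, which is the check that a source-address-only rule would miss.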
Fully understanding the device and the services it exposes takes time and effort. As an example, suppose a security team is carrying out an external penetration test against a network whose critical systems sit behind a firewall. The team discovers that the firewall’s web administration interface has not been disabled on the WAN (Internet-facing) interface. The interface is password protected, and at first there appears to be no way in.
Further testing reveals that the firewall’s management service runs a version of OpenSSL affected by Heartbleed (CVE-2014-0160). A malformed TLS heartbeat request makes the vulnerable service return up to 64 KB of its process memory per request, and in the returned memory the team finds a recent login request complete with username and password. Using those credentials, the team logs in to the firewall and gains access to the internal network, turning an external penetration test into an internal one.
In this example the team gains enough access to the critical systems to extract the sensitive data the firewall was deployed to protect. The firewall, in other words, became the mechanism of the breach.
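The memory disclosure in this scenario comes from a single missing bounds check. The following is an added example, not code from the original article or from OpenSSL: it simulates in Python the heartbeat handling before and after the fix, with a stale administrator login sitting in the simulated process memory. The heartbeat layout follows RFC 6520 (type, 2-byte payload_length, payload, at least 16 bytes of padding); the process-memory picture, the login request and the `fw.example.test` host name are constructed for illustration.

```python
"""Added example (not from the original article): the length-trust bug behind
Heartbleed (CVE-2014-0160), simulated in Python.

OpenSSL 1.0.1 through 1.0.1f copied payload_length bytes into the heartbeat
response without checking that the record actually contained that many;
1.0.1g added the check.  Memory contents below are constructed."""
import struct
from typing import Callable, Optional

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
HEADER_LEN = 3          # type (1 byte) + payload_length (2 bytes)
PADDING_LEN = 16        # minimum padding required by RFC 6520


def build_heartbeat_request(payload: bytes, declared_length: Optional[int] = None) -> bytes:
    """Build a heartbeat request; declared_length lets the sender lie about the payload size."""
    length = len(payload) if declared_length is None else declared_length
    return struct.pack("!BH", HEARTBEAT_REQUEST, length) + payload + b"\x00" * PADDING_LEN


def process_heartbeat_vulnerable(memory: bytes, record_len: int) -> bytes:
    """Pre-1.0.1g behaviour: payload_length is read from the wire and trusted."""
    hbtype, payload_len = struct.unpack("!BH", memory[:HEADER_LEN])
    if hbtype != HEARTBEAT_REQUEST:
        return b""
    # The copy runs payload_len bytes from the start of the payload; when that
    # exceeds what the record holds, it reads whatever the process has next to it.
    echoed = memory[HEADER_LEN:HEADER_LEN + payload_len]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_len) + echoed + b"\x00" * PADDING_LEN


def process_heartbeat_fixed(memory: bytes, record_len: int) -> bytes:
    """1.0.1g behaviour: silently discard a request whose declared length does not fit the record."""
    if HEADER_LEN + PADDING_LEN > record_len:               # too short to be a heartbeat at all
        return b""
    hbtype, payload_len = struct.unpack("!BH", memory[:HEADER_LEN])
    if hbtype != HEARTBEAT_REQUEST:
        return b""
    if HEADER_LEN + payload_len + PADDING_LEN > record_len:  # the bounds check the bug lacked
        return b""
    echoed = memory[HEADER_LEN:HEADER_LEN + payload_len]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_len) + echoed + b"\x00" * PADDING_LEN


def extract_payload(response: bytes) -> bytes:
    """Return the payload echoed in a heartbeat response (empty if there was no response)."""
    if len(response) < HEADER_LEN:
        return b""
    _, payload_len = struct.unpack("!BH", response[:HEADER_LEN])
    return response[HEADER_LEN:HEADER_LEN + payload_len]


# Constructed, made-up data standing in for an admin login that the web UI
# process handled earlier and that is still lying around in its memory.
STALE_LOGIN = (b"POST /login HTTP/1.1\r\nHost: fw.example.test\r\n\r\n"
               b"user=admin&pass=Example-Pa55word")


def simulate(handler: Callable[[bytes, int], bytes], declared_length: Optional[int]) -> bytes:
    """Place a heartbeat request in a simulated heap next to stale data and hand it to handler."""
    request = build_heartbeat_request(b"hello", declared_length)
    # Heap picture: the record, a little slack, the stale login, then enough
    # filler that an over-read of up to 64 KB stays inside the simulation.
    memory = request + b"\x00" * 40 + STALE_LOGIN + b"\x00" * 0xFFFF
    return handler(memory, len(request))


if __name__ == "__main__":
    leaked = extract_payload(simulate(process_heartbeat_vulnerable, 0x4000))
    print("vulnerable handler leaked the stale login:", b"pass=" in leaked)
    print("fixed handler answered the malformed request:", simulate(process_heartbeat_fixed, 0x4000) != b"")
    print("fixed handler still answers an honest request:", extract_payload(simulate(process_heartbeat_fixed, None)))
```

When verifying a device like the one in the story, do not rely on the reported OpenSSL version alone: many vendors backported the fix without changing the version string, so confirm the behaviour against the service itself, and treat any credential that may have been in that process’s memory as compromised.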