Why Firewalls Are Often Misconfigured
In many environments, firewall rule sets have grown historically with no clear structure, and the system has been optimised for "works somehow". The result: complexity without control.
The firewall is running, no alarms are sounding — but that does not mean the configuration is correct. In practice, it is precisely these grown rule sets that deliver the biggest surprises during a structured network security assessment.
The Most Common Configuration Mistakes
1. Any-to-Any Rules
The classic: source ANY, destination ANY, port ANY. These rules typically arise from time pressure — and remain permanently in place.
- Effectively no segmentation
- Full attack surface across the entire network
Every system that is compromised can then move freely to all others.
2. Missing Rule Structure
Typical symptoms: hundreds of unsorted rules, no naming conventions, no documentation. This makes it impossible to change anything safely — nobody knows what each rule does or why it exists.
A targeted firewall review provides transparency here: which rules are actively used, which are redundant, and where real gaps exist.
3. Shadow Rules and Redundancies
In grown rule sets you regularly find:
- Duplicate rules that overlap each other
- Permissions no longer used for decommissioned systems
- Contradictory configurations with unclear effect
This leads to hard-to-analyse incidents and turns every audit into detective work.
4. Missing Segmentation
Firewalls are often used exclusively as perimeter protection. What is missing:
- Internal segmentation between network areas
- Control between VLANs
- Isolation of critical systems (servers, OT, management)
This is one of the most consequential mistakes. Without internal segmentation, a single compromised machine is enough to threaten the entire network. Clean network architecture prevents exactly this scenario.
5. No Logging or Monitoring
Many firewalls log too little — or the logs are never reviewed.
- Attacks go unnoticed
- Incidents cannot be reconstructed after the fact
- Compliance evidence is missing
Without logging, security is not the only casualty: the traceability that NIS2 and other regulations require in an emergency, or during an audit, is also absent.
6. Temporary Rules Become Permanent
A classic pattern: a short-term permission is set up, no review is planned, and the rule remains permanently. Systems long decommissioned still have open ports. Access set up for a project still exists years later.
Practical Impact
Misconfigured firewalls are not a theoretical risk. They directly lead to:
- Lateral movement — attackers move unhindered through the network
- Uncontrolled access — between systems that should never communicate
- Missing incident forensics — because logs are absent or incomplete
- Compliance violations — particularly against NIS2, DORA and ISO 27001
In real incident analyses, the pattern is consistent: the entry point was often unsophisticated, but the actual spread would have been prevented by proper internal segmentation.
What Clean Firewall Architecture Looks Like
- Clear segmentation strategy with defined zones
- Minimal necessary permissions — nothing more
- Structured, documented rule sets
- Complete logging with centralised analysis
- Regular reviews with a defined process
Conclusion
The biggest weakness is rarely the firewall itself — it is its configuration. A structured review of existing rules typically uncovers security gaps, unnecessary complexity and compliance risks within a short timeframe.
Next Step: Targeted Analysis of Your Firewall Rules
A targeted analysis of firewall rules and network segmentation quickly clarifies where real risks exist and what measures are required. A structured firewall review uncovers:
- Any-to-any rules and unnecessary permissions
- Shadow rules, redundancies and dead rules
- Segmentation gaps and compliance risks
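As an added example, not code from the original article, the following Python checker flags the three rule problems named here and in section 3: any-to-any allow rules, redundant rules and shadowed rules. It assumes a simplified first-match rule model with IPv4 source/destination CIDRs and a destination port or port range; real firewalls add protocols, interfaces and zones to this logic.

```python
import ipaddress
from dataclasses import dataclass

ANY_NET = ipaddress.ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    dport: str    # "any", "443" or "1024-65535"
    action: str   # "allow" or "deny"

def _net(cidr):
    return ANY_NET if cidr == "any" else ipaddress.ip_network(cidr, strict=False)

def _ports(spec):
    lo, _, hi = ("0-65535" if spec == "any" else spec).partition("-")
    return (int(lo), int(hi or lo))

def is_any_to_any(rule):
    """Source ANY, destination ANY, port ANY, and the traffic is allowed."""
    return (rule.action == "allow" and _net(rule.src) == ANY_NET
            and _net(rule.dst) == ANY_NET and _ports(rule.dport) == (0, 65535))

def covers(outer, inner):
    """True if every packet matched by `inner` is also matched by `outer`."""
    (ilo, ihi), (olo, ohi) = _ports(inner.dport), _ports(outer.dport)
    return (_net(inner.src).subnet_of(_net(outer.src))
            and _net(inner.dst).subnet_of(_net(outer.dst))
            and olo <= ilo and ihi <= ohi)

def analyse(rules):
    """First-match semantics: a rule fully covered by an earlier rule never fires.
    Same action as the covering rule -> redundant; opposite action -> shadowed."""
    findings = []
    for i, rule in enumerate(rules):
        if is_any_to_any(rule):
            findings.append((rule.name, "any-to-any", None))
        for earlier in rules[:i]:
            if covers(earlier, rule):
                kind = "redundant" if earlier.action == rule.action else "shadowed"
                findings.append((rule.name, kind, earlier.name))
                break
    return findings

# Constructed sample rule set (first match wins), not taken from any real firewall
SAMPLE_RULES = [
    Rule("allow-web", "10.0.0.0/8", "10.20.0.10/32", "443", "allow"),
    Rule("allow-web-dup", "10.0.1.0/24", "10.20.0.10/32", "443", "allow"),  # redundant
    Rule("deny-guest", "10.0.99.0/24", "10.20.0.10/32", "443", "deny"),  # shadowed, never fires
    Rule("temp-project", "any", "any", "any", "allow"),  # the "temporary" any-to-any rule
    Rule("deny-all", "any", "any", "any", "deny"),  # shadowed by temp-project
]
```

Running `analyse(SAMPLE_RULES)` reports the duplicate, the deny rule that can never match, the any-to-any rule and the final deny that it silently disables; a rule exported from a real firewall can be loaded into the same `Rule` objects for a first pass before a manual review.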