Almost every organization's cyber defense begins with a firewall.
Too many companies see the firewall as the ultimate protection for their network, but the firewall on its own should not be the only defense. Think of your network as a house: a house does not have a single entrance, it has many doors and windows.
As a security professional you know that a firewall on its own is not enough, but it is still an important factor in keeping your network secure. Yes, your firewall is critical to protecting your network, but you have to support it with other tools and keep it well maintained.
The first step when assessing your network's vulnerability is a pen test, starting with your DMZ and then working back through each segment of your network. We start at the DMZ because of the firewall: it is so vital to the security of the network that assuming it is fine puts your entire company's security at risk.
Keep in mind that no matter what you do, no firewall, and I mean none, will protect against everything the cyber-criminals are going to throw at you. A zero-day exploit aimed at your Internet-facing services is one example.
The DMZ firewall, if it is configured correctly and preventative maintenance is done religiously, narrows down the actions an attacker can take. Adding a second layer with a zero attack surface, by implementing a pull rather than a push environment, narrows the actions an attacker can take from the firewall into the LAN to virtually none.
These systems should also be used to control traffic leaving the network.
Another area to stay on top of is firewall-based VPN tunneling services. Again, it is imperative to evaluate and re-evaluate all associated policies and configurations. Pen testing this area the next time you do a network assessment will give you valuable information that helps you protect the targeted hosts.
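As an added example (not part of the original post), the following Python script audits a constructed, vendor-neutral rule table for the points made above: inbound rules that push straight into the LAN instead of letting the LAN pull from the DMZ, allow-anything rules, and the absence of a final default-deny on both ingress and egress. The rule format, zone names and both sample rulesets are invented for illustration and do not model any particular vendor's syntax.

```python
from dataclasses import dataclass

ANY = "any"

@dataclass(frozen=True)
class Rule:  # one row of a simplified, vendor-neutral rule table (constructed format)
    name: str
    direction: str  # "in": Internet -> DMZ/LAN, "out": DMZ/LAN -> Internet
    src: str        # zone name, or "any"
    dst: str        # zone name, or "any"
    ports: str      # "443", "80,443", or "any"
    action: str     # "allow" or "deny"

def audit(rules):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        if r.src == ANY and r.dst == ANY and r.ports == ANY:
            findings.append(f"{r.name}: allows any -> any on every port")
        if r.direction == "in" and r.dst == "lan":
            findings.append(f"{r.name}: Internet may push into the LAN; "
                            "have the LAN pull from the DMZ instead")
        if r.direction == "in" and r.ports == ANY:
            findings.append(f"{r.name}: inbound allow with no port restriction")
    # Ingress and egress must each end in an explicit catch-all deny.
    for direction in ("in", "out"):
        chain = [r for r in rules if r.direction == direction]
        if not chain or not (chain[-1].action == "deny" and chain[-1].src == ANY
                             and chain[-1].dst == ANY and chain[-1].ports == ANY):
            findings.append(f"no final default-deny rule for '{direction}' traffic")
    return findings

# Constructed sample: the "firewall is the whole defense" ruleset.
WEAK_RULES = [
    Rule("web", "in", "internet", "dmz", "80,443", "allow"),
    Rule("remote-mgmt", "in", "internet", "lan", ANY, "allow"),
    Rule("egress", "out", ANY, ANY, ANY, "allow"),
]

# Constructed sample: same services, with egress control and default deny.
HARDENED_RULES = [
    Rule("web", "in", "internet", "dmz", "80,443", "allow"),
    Rule("deny-in", "in", ANY, ANY, ANY, "deny"),
    Rule("dmz-updates", "out", "dmz", "update-mirror", "443", "allow"),
    Rule("lan-browsing", "out", "lan", "internet", "80,443", "allow"),
    Rule("deny-out", "out", ANY, ANY, ANY, "deny"),
]
```

Running `audit(WEAK_RULES)` reports five findings, including the missing default-deny in both directions, while `audit(HARDENED_RULES)` returns an empty list.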
Keep in mind that, as technical people, we should not see the firewall as the be-all and end-all. We must always ensure that this critical part of our security is supported with the best tools, systems and staff, and is well maintained.