Security assessment programmes that comprehensively cover web applications, cloud infrastructure, and endpoints while treating network perimeter devices as outside scope are systematically missing the category of asset that attackers target most frequently. Firewalls, VPN gateways, load balancers, and network authentication proxies are not “set and forget” infrastructure — they are complex software stacks with significant vulnerability histories that require the same assessment discipline applied to other critical systems.
The assessment challenge for perimeter devices is that their criticality to production operations makes invasive testing risky. This methodology focuses on non-disruptive assessment techniques that provide meaningful security assurance without requiring production downtime.
Phase 1: Asset Discovery and Inventory
Before assessing, confirm you have a complete inventory of perimeter devices:
- All internet-facing firewall appliances (including cloud-based and virtual)
- VPN concentrators and remote access gateways
- Load balancers and application delivery controllers (ADCs)
- Reverse proxies and WAF appliances
- Out-of-band management systems (OOBM, iLO, iDRAC for network device management switches)
- Network Time Protocol servers and DNS resolvers in the perimeter DMZ
For each device, record:
- Vendor and model
- Operating system / firmware version (running, not just installed)
- Management interface IPs and accessible protocols (HTTPS, SSH, SNMP, Telnet)
- Date of last firmware update and last full configuration review
Phase 2: Firmware and Patch Level Assessment
For each device in inventory:
1. Identify the running firmware/OS version:
Palo Alto: admin@firewall> show system info | match sw-version
Fortinet: get system status | grep Firmware
Check Point: fw ver -k
Cisco ASA: show version | include Cisco2. Cross-reference against vendor security bulletins:
- Palo Alto: security.paloaltonetworks.com/advisories
- Fortinet: fortiguard.com/psirt
- Check Point: support.checkpoint.com
- Cisco: tools.cisco.com/security/center/publicationListing.x
3. Identify critical and high severity vulnerabilities for the running version: Focus on:
- Pre-authentication vulnerabilities (attack vector: network, privileges required: none)
- CVSS ≥ 7.0 vulnerabilities affecting the VPN daemon or authentication subsystem
- Any vulnerability in the CISA KEV catalogue for this vendor/product
4. Check CISA KEV for this platform: Cross-reference vendor + product against the CISA KEV JSON feed. A perimeter device running a firmware version affected by a KEV-listed vulnerability is an emergency remediation priority regardless of other findings.
Phase 3: Configuration Review
Management interface exposure: From an external IP (or a cloud instance acting as an external vantage point), verify that management interfaces are not accessible:
# Check for accessible management ports
nmap -p 22,23,80,443,8443,4443,4444 <device-management-IP>
# Should return filtered/closed for all ports from external perspectiveAny management port that responds from external IP is a critical finding. Management interfaces must be restricted to internal management networks.
Protocols enabled: Review the device configuration for:
- Legacy protocols enabled: SSL 3.0, TLS 1.0, TLS 1.1, IKEv1, SNMP v1/v2
- Authentication methods: local user database with weak password policies, unauthenticated SNMP communities
- Unused features: clientless SSL VPN if not required, Telnet, HTTP management
Administrative account review:
- List all local administrative accounts — any account not associated with a current staff member is stale and should be removed
- Verify that administrator authentication requires MFA (for RADIUS-based management authentication or VPN vendor MFA integration)
- Confirm no accounts use default vendor credentials
Firewall rule review: Review the firewall policy for:
- Rules with “any” source accessing management interfaces
- Rules permitting traffic to or from the management VLAN from untrusted zones
- Rules that have not been used in the past 90 days (identify via hit counter logs) — candidates for removal
Phase 4: Log Review for Exploitation Indicators
Review the last 30 days of appliance authentication and access logs for:
- Failed authentication attempts against the management interface from external IPs (brute force indicators)
- Successful management interface authentications from unexpected source IPs or geographic locations
- Configuration changes that do not correlate with approved change management records
- Unexpected outbound connections from the appliance management IP to internet destinations
For VPN gateways specifically:
- Authentication log anomalies: user accounts that have never successfully authenticated, repeated failure patterns
- VPN connection events from IP addresses or geographic locations inconsistent with the organisation’s user population
Phase 5: Reporting and Prioritisation
Findings from perimeter device assessments should be prioritised using:
| Finding | Priority | Typical SLA |
|---|---|---|
| KEV-listed vulnerability, unpatched | Critical | 24–72 hours |
| CVSS ≥ 9.0 vulnerability, unpatched | Critical | 72 hours |
| Management interface accessible externally | Critical | 24 hours |
| Legacy protocol (SSLv3, TLS 1.0) enabled | High | 2 weeks |
| Stale admin accounts | High | 1 week |
| CVSS 7.0–8.9 vulnerability, unpatched | High | 2 weeks |
| Unused firewall rules | Medium | Next maintenance window |
Perimeter device security assessments should be conducted quarterly, with an additional ad-hoc assessment immediately following any Critical CVE disclosure for the platform in use.
Share this article