Change default firewall action to "deny"

Referencing this forum post here:
https://forum.peplink.com/t/big-surprise-in-balance-security/627e733a7e72a549e1380bee/11

I would like to make the case to have the default action for the Peplink firewall changed from “accept” to “deny”. At a minimum this change should be considered as far as inbound connections are concerned, but ideally for all of the rules lists.

Why?

Firstly I would argue it is poor security hygiene these days to blindly accept traffic in this fashion. In the enterprise world most network administrators will be used to the concept of a firewall being “deny by default” or the concept of the “implicit deny at the bottom of the ACL” which requires them to explicitly configure rules to permit traffic to pass.

A firewall with a default action of “permit any any” is about as much use as a high security lock on your front door with the keys left in it and the door wide open.

It seems there are some users out there who do not notice the default action for their firewall is to accept any connection from any source to any destination; this is generally not a problem as, whilst NAT is not a firewall, it does for the most part prevent unexpected external access to devices behind their Peplink.

However, in the case of the referenced post the user believed they were securing their network by configuring firewall rules to explicitly permit traffic inbound, however due to incorrectly configuring those rules they were in fact no more secure than they would have been without them as traffic was being allowed in by the default action set to “accept”.

This can also create a false sense of security, as in the above case someone thought they were securing their network when in reality they were absolutely exposing services to the internet that they did not intend to do so in an uncontrolled fashion.

Considerations:
This would be a breaking change potentially for firewalls in the field, either where users have incorrectly configured their rules as in the above example or where people have simply configured no rules because it “just works without them” due to the default action.

Some logic would potentially need to be built into any software upgrades that would not modify configurations already deployed and configured in the field, but this could become the new default setting going forward.

Further consideration could be made to help guide users to correctly configuring a firewall rule, for example a simple step by step wizard after they have configured a port forwarding rule could help less experienced users leverage the better security of having an appropriately configured firewall.

IPv6
I would like to make this case even stronger for when Peplink starts to support IPv6 natively in their products. By the very nature of IPv6 most users will end up with devices directly connected to the public internet; this is not exactly desired in the vast majority of cases. The default action here should in my eyes absolutely be to drop unsolicited incoming traffic at the firewall.
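
The fall-through behaviour described in the post above, as an added example that is not part of the original post and is not Peplink's rule engine: a simplified first-match evaluator that reports which connections are accepted only because no rule matched. The `Rule` fields, addresses and ports are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    action: str  # "accept" or "deny"
    src: str     # source network in CIDR form
    dport: int   # destination port; 0 matches any port


def evaluate(rules, default_action, src_ip, dport):
    """First matching rule wins; otherwise the default action applies.

    Returns (action, matched_by), where matched_by is the rule index
    or the string "default" when nothing matched.
    """
    for i, rule in enumerate(rules):
        if ip_address(src_ip) in ip_network(rule.src) and rule.dport in (0, dport):
            return rule.action, i
    return default_action, "default"


def allowed_by_default(rules, default_action, probes):
    """Probes that get through only because no rule matched them."""
    return [p for p in probes
            if evaluate(rules, default_action, *p) == ("accept", "default")]


# Constructed scenario: the admin adds an "accept" rule intending that only
# the office network (203.0.113.0/24, a documentation range) reaches port
# 3389, but adds no closing "deny" rule.
RULES = [Rule("accept", "203.0.113.0/24", 3389)]
PROBES = [
    ("203.0.113.10", 3389),  # office host: intended access
    ("198.51.100.7", 3389),  # unrelated host, same port
    ("198.51.100.7", 22),    # unrelated host, different port
]

if __name__ == "__main__":
    for default in ("accept", "deny"):
        leaked = allowed_by_default(RULES, default, PROBES)
        print(f"default={default}: accepted without a matching rule -> {leaked}")
```

With the default set to "accept" the allow rule changes nothing for the unrelated host; with "deny" the same rule list permits only the office network.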

To build on @WillJones' recommendation:

I’d suggest treating the proposed default “deny all” rule in a manner similar to how the default password (upon initial configuration) is handled, with a one-time-only required step of acknowledging or modifying the default “deny all” rule.

When logging in the first time one is required to set the admin password. Add to that a step where one is alerted to the fact that “deny all” is the default, and then given the option to go to the firewall ruleset to modify this.

Having a default “deny all” rule without alerting the admin upon first boot-up could yield unhappiness among users who are unfamiliar with how firewalls work (we’ve seen examples), hence the benefit of a bit of a heads-up the first time the device boots up.

Cheers,

Z

“Being deemed paranoid does not mean that you are not actually being attacked.”
– Anon.

I like the idea of having a big red warning sign on first login to draw attention to whichever way the rule is defaulted.

I agree also that blocking outbound by default would likely cause some problems with some users, particularly perhaps with the more consumer / prosumer Pepwave line of products where the end user may not be as experienced or knowledgeable.

I agree that the default should be deny and then anything that is needed is opened on a case-by-case basis. I am actually confused why the default is to allow all?