Key Takeaways
- Firewall rule hygiene degrades over time. A 5-year-old enterprise firewall typically has 30-60% of rules that are unused, redundant, or overly permissive.
- Segmentation contains lateral movement, the #1 way ransomware spreads from one infected workstation to an entire encrypted enterprise.
- Egress filtering matters as much as ingress. Most data exfiltration rides HTTPS to common cloud services; block whatever your business does not need.
- Audit firewalls annually and after any major rule change. A firewall audit by a third party costs INR 1-3 lakh and routinely surfaces critical misconfigurations.
- Zero Trust Network Access (ZTNA) is replacing VPN for the remote workforce: every request is authenticated, authorized, and logged regardless of network location.
The Firewall Is Not Dead: It Just Moved
Every few years the cybersecurity industry declares the firewall dead. Each time, it turns out the firewall did not die; it moved. From the network edge to the host. From the host to the cloud. From IP-based rules to identity-based policies. From a single chokepoint to micro-segmented enforcement at every workload. The firewall in 2026 looks very different from the Cisco PIX of 2006, but its function, controlling traffic flow based on policy, is more important than ever.
Indian enterprises typically run a mix of network firewalls: a perimeter NGFW (Palo Alto, Fortinet, Check Point, Cisco Firepower), internal segmentation firewalls, cloud security groups and NSGs, host-based firewalls, and increasingly ZTNA platforms (Zscaler, Cloudflare Access, Cisco Duo, Tailscale). Each layer adds defense in depth. None of them work properly without governance.
The most common finding in our enterprise network penetration tests is not a zero-day vulnerability; it is a firewall rule that should not exist. A vendor allow-list that includes 0.0.0.0/0. A temporary rule from 2019 still in production. An "any-any" rule between business units that share no application boundary. These are not exotic findings; they are the bread and butter of how breaches escalate from initial foothold to total compromise.
Firewall Rule Hygiene: The Discipline Nobody Maintains
Firewall rule sets are organic: they grow over time, accumulate exceptions, and rarely shrink. A useful exercise: pull your current firewall rule export and try to identify the business owner and justification for every rule. In our experience, most enterprises cannot account for 30-60% of their rules. Those rules are technical debt that costs you in two ways: they create attack paths, and they slow down policy evaluation and policy review as the rule set grows.
A healthy firewall rule lifecycle includes change control (every new rule has a documented requester, business justification, expiry date), regular audits (quarterly review for high-change environments, annual otherwise), automated detection of shadowed and redundant rules (Tufin, AlgoSec, FireMon, or your NGFW vendor's policy optimizer), and a documented decommissioning process for retired applications.
- Default deny: every firewall ruleset should end with an explicit deny-all. If yours ends with allow-all, fix it before reading further.
- Specific over generic: use specific source IPs, destination IPs, and ports. "Any" belongs in exactly one production rule, the closing deny-all, and nowhere else.
- Application-aware: modern NGFWs identify applications (Skype, Dropbox, BitTorrent) regardless of port. Use application policy, not port-based rules.
- Time-limited rules: vendor access, temporary integrations, and troubleshooting rules should have automatic expiry.
- Logging on every deny: denied traffic is your highest-signal log source. Forward it to your SIEM.
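The rule-export exercise above and the five hygiene rules can be mechanised. The script below is an added example, not vendor tooling or Codesecure's own audit scripts: it reads a rule export in a constructed CSV layout (the rule names, addresses and dates are invented for illustration) and flags the exact failures the text describes: allow rules with "any" or 0.0.0.0/0 in source, allow-all-services rules between zones, rules whose expiry date has passed, rules with no business owner, rules shadowed by an earlier rule so they never match, and a ruleset that does not close with deny-all. It assumes IPv4 rules with one service per rule; map your vendor's export columns onto the same fields.

```python
"""Lint a firewall rule export for the hygiene failures described above.

Added example, not vendor tooling. The CSV layout, rule contents and
addresses below are constructed; map your own export's columns onto them.
Assumes IPv4 rules with a single service per rule.
"""
import csv
import io
import ipaddress
from datetime import date

# Constructed sample export. Rule 6 is the explicit final deny-all.
RULE_EXPORT = """\
id,name,src,dst,service,action,owner,expires
1,mgmt-ssh,10.0.99.0/24,10.0.0.0/8,tcp/22,allow,netops,
2,vendor-sap-temp,0.0.0.0/0,10.20.5.10/32,tcp/3200,allow,,2019-06-30
3,web-to-app,10.10.0.0/16,10.20.0.0/16,tcp/8443,allow,app-team,
4,web-to-app-dup,10.10.4.0/24,10.20.1.0/24,tcp/8443,allow,app-team,
5,bu-any,10.30.0.0/16,10.40.0.0/16,any,allow,,
6,cleanup,any,any,any,deny,netops,
"""

ANY_NET = ipaddress.ip_network("0.0.0.0/0")
ANY_SVC = (None, None)


def parse_net(value):
    """'any' and 0.0.0.0/0 both mean every IPv4 address."""
    value = value.strip().lower()
    return ANY_NET if value == "any" else ipaddress.ip_network(value, strict=False)


def parse_service(value):
    """Return (proto, port); (None, None) means any service."""
    value = value.strip().lower()
    if value == "any":
        return ANY_SVC
    proto, port = value.split("/")
    return (proto, int(port))


def load_rules(text):
    rules = []
    for row in csv.DictReader(io.StringIO(text)):
        rules.append({
            "id": int(row["id"]),
            "name": row["name"].strip(),
            "src": parse_net(row["src"]),
            "dst": parse_net(row["dst"]),
            "svc": parse_service(row["service"]),
            "action": row["action"].strip().lower(),
            "owner": row["owner"].strip(),
            "expires": (date.fromisoformat(row["expires"].strip())
                        if row["expires"].strip() else None),
        })
    return rules


def covers(outer, inner):
    """True when `outer` matches every packet `inner` would match, so `inner`
    (placed later in the list) can never fire regardless of either action."""
    return (inner["src"].subnet_of(outer["src"])
            and inner["dst"].subnet_of(outer["dst"])
            and (outer["svc"] == ANY_SVC or outer["svc"] == inner["svc"]))


def is_deny_all(rule):
    return (rule["action"] == "deny" and rule["src"] == ANY_NET
            and rule["dst"] == ANY_NET and rule["svc"] == ANY_SVC)


def lint(rules, today=None):
    """Return (rule label, severity, finding) tuples, in rule order."""
    today = today or date.today()
    findings = []
    for i, r in enumerate(rules):
        tag = f"rule {r['id']} ({r['name']})"
        if r["action"] == "allow":
            if r["src"] == ANY_NET and r["dst"] == ANY_NET and r["svc"] == ANY_SVC:
                findings.append((tag, "CRITICAL", "any/any/any allow"))
            elif r["src"] == ANY_NET:
                findings.append((tag, "HIGH", "allow from any source (0.0.0.0/0)"))
            elif r["svc"] == ANY_SVC:
                findings.append((tag, "HIGH", "allow on any service between zones"))
            if not r["owner"]:
                findings.append((tag, "MEDIUM", "no business owner recorded"))
        if r["expires"] and r["expires"] < today:
            findings.append((tag, "HIGH", f"expired {r['expires']} but still deployed"))
        shadow = next((e for e in rules[:i] if covers(e, r)), None)
        if shadow:
            findings.append((tag, "LOW", f"shadowed by rule {shadow['id']}; it never matches"))
    # 'any' is legitimate in exactly one place: the closing deny-all.
    if not rules or not is_deny_all(rules[-1]):
        findings.append(("ruleset", "CRITICAL", "does not end in an explicit deny-all"))
    return findings


if __name__ == "__main__":
    for tag, sev, msg in lint(load_rules(RULE_EXPORT)):
        print(f"{sev:8} {tag}: {msg}")
```

On the sample export this reports the vendor rule as both expired and open to the whole internet, the duplicate web-to-app rule as shadowed by the broader one above it, and the business-unit rule as allowing every service with no owner. The shadow check deliberately ignores action: a later allow hidden under an earlier deny is dead weight, and a later deny hidden under an earlier allow is a false sense of security.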
Network Segmentation: Containing the Blast Radius
When ransomware enters an enterprise network, it spreads. The speed of that spread depends almost entirely on whether the network is segmented. Flat networks, where every workstation can reach every server and there is one big VLAN for "corporate", let ransomware encrypt thousands of machines in hours. In a properly segmented network, an attacker who compromises one segment finds themselves walled off from the rest.
Practical segmentation for an Indian enterprise: separate production from development, separate user workstations from servers, separate sensitive data zones (finance, HR, IP) from general business networks, separate IoT and OT from IT, separate vendor and guest networks from internal. Each boundary is enforced by a firewall: physical, virtual, or host-based.
Micro-segmentation goes further: every workload has its own policy, regardless of where it physically sits. Solutions like Illumio, Guardicore, VMware NSX, or cloud-native security groups enforce policy at the workload level. This is the practical realization of zero trust inside your data center.
Egress Filtering: The Defense Nobody Configures
Most enterprises spend significant effort on ingress filtering, what comes into the network, and almost none on egress filtering, what leaves. This asymmetry is exactly backwards from the modern threat model. Attackers establish a foothold (phishing, supply chain, exposed service) and then need to communicate back out: command and control, exfiltration, ransomware key retrieval. Egress filtering disrupts every step.
Practical egress controls: a default-deny outbound policy with explicit allow rules for known business destinations, DNS filtering (Cisco Umbrella, Cloudflare Gateway, Quad9 enterprise) to block newly registered domains and known C2 infrastructure, deep inspection (with appropriate user notification) for HTTPS to non-business categories, blocking of common exfiltration channels like Tor, anonymizers, and unsanctioned cloud storage.
A typical Indian enterprise blocks none of this. The cost of implementing reasonable egress controls is low; the impact on detection-and-response capability is substantial.
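The outbound deny logs that default-deny egress produces are only useful if something reads them. The script below is an added example, not a SIEM content pack from any vendor: it parses a constructed key=value deny-log format (the timestamps, hosts and addresses are invented) and surfaces the two egress patterns a responder wants first: a workstation retrying one blocked destination on a near-constant timer, which is what a C2 implant looks like once its channel is cut, and a source being denied to many distinct destinations, which is scanning or an exfiltration tool hunting for an open channel. Adapt LINE_RE to your firewall's syslog output.

```python
"""Spot beaconing and destination fan-out in firewall egress deny logs.

Added example, not a SIEM rule from any vendor. The key=value log format
and the events below are constructed; adapt LINE_RE to your firewall's
syslog export. Assumes deny logging is enabled on the outbound policy.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample: 10.10.4.21 retries a blocked channel every ~60 s,
# 10.10.7.5 probes several blocked hosts, and one allowed flow is noise.
DENY_LOG = """\
2026-01-12T09:00:00Z action=deny src=10.10.4.21 dst=203.0.113.7 dport=443 proto=tcp
2026-01-12T09:00:10Z action=deny src=10.10.7.5 dst=198.51.100.20 dport=22 proto=tcp
2026-01-12T09:00:11Z action=deny src=10.10.7.5 dst=198.51.100.21 dport=22 proto=tcp
2026-01-12T09:00:30Z action=allow src=10.10.4.21 dst=192.0.2.10 dport=443 proto=tcp
2026-01-12T09:01:02Z action=deny src=10.10.4.21 dst=203.0.113.7 dport=443 proto=tcp
2026-01-12T09:02:01Z action=deny src=10.10.4.21 dst=203.0.113.7 dport=443 proto=tcp
2026-01-12T09:02:59Z action=deny src=10.10.4.21 dst=203.0.113.7 dport=443 proto=tcp
2026-01-12T09:04:00Z action=deny src=10.10.4.21 dst=203.0.113.7 dport=443 proto=tcp
2026-01-12T09:05:01Z action=deny src=10.10.4.21 dst=203.0.113.7 dport=443 proto=tcp
2026-01-12T09:33:00Z action=deny src=10.10.7.5 dst=198.51.100.22 dport=22 proto=tcp
2026-01-12T09:40:00Z action=deny src=10.10.7.5 dst=198.51.100.23 dport=22 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse(text):
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped here; count them in production
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        e["dport"] = int(e["dport"])
        events.append(e)
    return events


def find_beacons(events, min_hits=5, max_jitter=0.2):
    """Flag (src, dst, dport) flows denied repeatedly at a near-constant interval.

    Jitter is the coefficient of variation of the inter-arrival gaps; an
    implant retrying a blocked channel on a timer sits well below max_jitter.
    """
    flows = defaultdict(list)
    for e in events:
        if e["action"] == "deny":
            flows[(e["src"], e["dst"], e["dport"])].append(e["ts"])
    beacons = []
    for (src, dst, dport), stamps in flows.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        jitter = statistics.pstdev(gaps) / mean
        if jitter <= max_jitter:
            beacons.append({"src": src, "dst": dst, "dport": dport, "hits": len(stamps),
                            "period_s": round(mean, 1), "jitter": round(jitter, 3)})
    return beacons


def find_fan_out(events, min_dsts=3):
    """Sources denied to many distinct destinations: scanning, or a tool
    hunting for an open channel after its first choice was blocked."""
    dsts = defaultdict(set)
    for e in events:
        if e["action"] == "deny":
            dsts[e["src"]].add(e["dst"])
    return {src: sorted(d) for src, d in dsts.items() if len(d) >= min_dsts}


if __name__ == "__main__":
    events = parse(DENY_LOG)
    for b in find_beacons(events):
        print(f"BEACON {b['src']} -> {b['dst']}:{b['dport']} x{b['hits']} every {b['period_s']}s")
    for src, targets in find_fan_out(events).items():
        print(f"FAN-OUT {src} denied to {len(targets)} hosts: {', '.join(targets)}")
```

The thresholds are starting points, not tuned values: min_hits and max_jitter trade false positives against implants that randomise their sleep, and the fan-out count should sit above what your patch and inventory tools legitimately do. The point of the example is that none of this is possible without the "log every deny" rule above; an egress policy that drops silently hides exactly these signals.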
Remote Access: From VPN to ZTNA
Traditional VPN gives the remote user network-level access, once authenticated, they are "inside" the network and can reach anything routing allows. This is exactly the wrong model post-COVID. A compromised home workstation should not place an attacker on your internal LAN. Yet most Indian enterprises still rely entirely on traditional VPN.
Zero Trust Network Access (ZTNA) inverts the model: every connection authenticates and authorizes per-application, regardless of whether the user is on the corporate network. The user does not get network access; they get application access. ZTNA platforms (Zscaler Private Access, Cloudflare Access, Cisco Duo Network Gateway, Tailscale, Twingate) replace or wrap traditional VPN and dramatically reduce lateral movement risk.
Migration is incremental: most enterprises run ZTNA for high-risk applications and VPN for legacy ones for 12-18 months before fully cutting over.
Intrusion Prevention, Threat Intel, and Modern NGFW Features
Modern NGFWs come with capabilities that most enterprises license but never enable: intrusion prevention (IPS) signatures, threat intelligence feeds, URL filtering, sandboxing, SSL inspection, user identity integration. Each adds real defense, but they are often left in monitor-only mode "to avoid breaking things," which means they alert at best and block nothing.
Enable IPS in blocking mode for known-malicious patterns. Subscribe to your vendor's threat intelligence feed and consume it on the firewall. Implement SSL inspection for outbound traffic on devices that can handle the throughput (this requires careful policy around healthcare, finance, and privacy categories). Integrate firewall identity with Active Directory or your SSO so logs show user, not just IP, for every connection.
Conducting a Firewall Audit
An external firewall audit is one of the highest-ROI security exercises an enterprise can run. For INR 1-3 lakh per device, an external team reviews the rule set, configuration baseline, change control, log integration, and rule effectiveness. Findings are typically dramatic: overly permissive rules, missing log forwarding, weak management-plane controls, outdated firmware.
Audit cadence: annually at minimum, after major topology changes (M&A, new data centers, cloud migration), and after security incidents. Combine the audit with penetration testing from both inside and outside the network to validate that the policies actually work in practice, not just on paper.
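The segmentation zones described earlier and the audit advice here meet in one check: does the network actually enforce the zone matrix you think it does? The script below is an added example, not a product feature or Codesecure's own tooling. It takes a constructed zone plan, an explicit allowed-flow matrix (anything not listed is denied, and an empty set records a boundary that was deliberately reviewed), and a constructed list of connections that succeeded during an internal test, and reports every open path the matrix says should be blocked. It assumes you can scan from a host in each zone and export the open ports as (src, dst, proto, port).

```python
"""Check observed reachability from an internal test against the intended
segmentation matrix.

Added example, not a product feature. Zones, policy and the scan results
below are constructed. Assumes you can run a port scan from a host in each
zone and export successful connections as (src, dst, proto, port).
"""
import ipaddress

# Constructed zone plan. Finance sits inside the server range, so lookups
# use longest-prefix match to keep it a distinct, tighter zone.
ZONES = {
    "workstations": ["10.10.0.0/16"],
    "servers": ["10.20.0.0/16"],
    "finance": ["10.20.50.0/24"],
    "iot": ["10.60.0.0/16"],
}

# Allowed flows between zones. Anything absent is implicitly denied; an
# empty set documents a boundary that was reviewed and deliberately closed.
POLICY = {
    ("workstations", "servers"): {("tcp", 443), ("tcp", 8443)},
    ("servers", "finance"): {("tcp", 1433)},
    ("workstations", "finance"): set(),
}

# Constructed scan output: connections that actually succeeded.
OBSERVED = [
    ("10.10.4.21", "10.20.1.5", "tcp", 443),
    ("10.10.4.21", "10.20.1.5", "tcp", 3389),
    ("10.10.4.21", "10.20.50.10", "tcp", 1433),
    ("10.60.3.3", "10.20.1.5", "tcp", 22),
    ("10.20.1.5", "10.20.50.10", "tcp", 1433),
]

_NETS = [(name, ipaddress.ip_network(cidr))
         for name, cidrs in ZONES.items() for cidr in cidrs]


def zone_of(ip):
    """Longest-prefix match; None for addresses outside every zone."""
    addr = ipaddress.ip_address(ip)
    hits = [(net.prefixlen, name) for name, net in _NETS if addr in net]
    return max(hits)[1] if hits else None


def permitted(src_ip, dst_ip, proto, port):
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return False  # unknown address space: treat as a finding, not a pass
    if src == dst:
        return True  # intra-zone traffic is outside the zone matrix's scope
    return (proto, port) in POLICY.get((src, dst), set())


def violations(observed):
    """Open paths the matrix says should be blocked."""
    out = []
    for src_ip, dst_ip, proto, port in observed:
        if not permitted(src_ip, dst_ip, proto, port):
            out.append({"src": src_ip, "src_zone": zone_of(src_ip),
                        "dst": dst_ip, "dst_zone": zone_of(dst_ip),
                        "service": f"{proto}/{port}"})
    return out


if __name__ == "__main__":
    for v in violations(OBSERVED):
        print(f"VIOLATION {v['src_zone']} -> {v['dst_zone']}: "
              f"{v['src']} -> {v['dst']} {v['service']}")
```

On the sample data the check reports RDP from a workstation into the server zone, a workstation reaching the finance database directly, and an IoT device with SSH into servers; the two permitted flows pass. The same harness works the other way round too: feed it the flows your application owners say they need and see which ones the matrix forgot, before a cutover breaks them.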
Frequently Asked Questions
How often should we audit our firewall configuration?
Annually for stable enterprises; semi-annually for environments with frequent change, M&A activity, or compliance obligations (PCI DSS specifically requires rule-set reviews at least every six months). Combine the audit with an external penetration test that validates whether the policies actually hold up under attack.
Is VPN obsolete? Should we move entirely to ZTNA?
VPN is not obsolete but it is no longer the right primary tool. Most Indian enterprises should run ZTNA for new applications and legacy VPN for systems that genuinely require network-level access (some on-prem databases, legacy admin tools). A full cutover takes 12-24 months and is usually driven by VPN license renewal or a security incident.
What is the difference between segmentation and micro-segmentation?
Segmentation divides your network into zones (servers, workstations, IoT, sensitive data) with firewall enforcement between zones, typically 5-20 zones for a mid-size enterprise. Micro-segmentation goes per-workload: every application server has policies controlling exactly which other workloads can reach it. Micro-segmentation is more granular and more effective at preventing lateral movement, but operationally more complex, and is typically deployed for high-value applications first.
Should we enable SSL inspection on our firewall?
Generally yes for outbound traffic, with carefully designed exclusions for healthcare, financial, legal, and personal banking categories (decryption raises privacy and legal questions). SSL inspection is essential for catching modern malware C2 and data exfiltration, which almost always use HTTPS. Throughput planning matters: inspection roughly halves a firewall's effective throughput, so size accordingly and check your vendor's datasheet figures with inspection enabled.
How do we secure firewalls themselves?
Treat firewall management as a privileged tier: dedicated management network, MFA on every admin account, no internet exposure of management interfaces, integration with your central SIEM for configuration change alerts, immutable backup of configurations, and separation of duties between rule authors and rule approvers. The firewall holds the keys to the network; compromise of the management plane is catastrophic.
Do cloud security groups replace network firewalls?
Partially. Security groups and NSGs are stateful packet filters operating at the workload level, excellent for east-west and ingress control inside cloud, but they do not provide deep inspection, IPS, application identification, or URL filtering. For cloud workloads, layer cloud-native firewalls (AWS Network Firewall, Azure Firewall, Cloud NGFW) on top of security groups for true firewall functionality.
What is the biggest network security mistake you see in Indian enterprises?
Flat internal networks with no segmentation between business units, no enforcement between user and server zones, and minimal egress filtering. A phished workstation in marketing can typically reach the entire production data center on its first hop. Segmentation is unglamorous and quietly prevents the worst category of incident.
Audit Your Network Before an Attacker Does
Codesecure is an ISO/IEC 27001:2022 certified cybersecurity firm. Our OSCP and OSEP certified network team conducts firewall audits, network penetration tests, and segmentation reviews for Indian enterprises. Fixed-price engagements with executive-ready reports.