Perimeter Defence Audit for Australian SMBs: Firewall, VPN & DMZ Hardening You Can Do This Week

Why Perimeter Defence Still Matters in 2026

The ASD's Essential Eight framework treats network segmentation and patching as foundational controls, and for good reason. In just the last two months, we've seen a critical zero-day in Check Point VPN gateways exploited by Qilin ransomware affiliates since early May, back-to-back exploitation waves targeting a Palo Alto PAN-OS GlobalProtect authentication bypass, and new malware identified by ASD, CISA, and NCSC targeting Cisco Firepower and Secure Firewall products. Every one of these attack chains starts at the perimeter.

NIST SP 800-41 (Revision 1) provides the authoritative guidance on firewall and network boundary security, and its core message holds firm: a firewall policy is only as strong as the rule set behind it. For Australian SMBs, the gap between "we have a firewall" and "our perimeter is actually defensible" is where attackers live.

1. Firewall Rule Cleanup: The 80% Problem

Most SMB firewalls we audit have between 150 and 400 active rules. Roughly 30-40% of those are either redundant, overly permissive, or completely obsolete — left over from a long-departed vendor, a temporary project, or a default configuration nobody changed.

Common misconfigurations we see weekly:

• Any/Any rules — source "any," destination "any," service "any." These are usually created under time pressure and never revisited. Every one is a wide-open door.
• Unused objects — IP address objects referencing servers that were decommissioned years ago but whose rules were never removed.
• Shadowed rules — a broad rule higher up the list makes a more specific rule below it completely ineffective, and nobody notices because "it works."
• Default management access — firewall admin interfaces reachable from the public internet on standard ports (443, 22).

The quick-win firewall rule audit checklist:

1. Export your full rule set to CSV (FortiGate: diagnose firewall iprope lookup, or via the GUI policy table export).
2. Sort by hit count — zero-hit rules are your first candidates for removal.
3. Flag every rule with source "any" or service "any" and document a business justification for each.
4. Search for rules referencing port 3389 (RDP) or 22 (SSH) exposed to the internet — these should not exist. Use a VPN instead.
5. Disable (don't delete yet) unused rules for 14 days. If nobody complains, remove them and their associated objects.
6. Implement a change-management process: every new rule needs a ticket, an expiry date, and an owner.

Tools and cost:

• Fortinet FortiGate 40F (NGFW with intrusion prevention, web filtering, and SSL inspection): ~$900 AUD for the appliance plus ~$700/year for the UTP bundle. Suitable for 10-40 users.
• pfSense CE (open source on your own hardware): $0 licensing, runs on a $300-$600 mini-PC (e.g., Netgate or a Protectli vault). Community edition gives you stateful firewalling, VLANs, and OpenVPN/WireGuard for free.
• FortiAnalyzer or pfSense with ntopng for traffic visibility and rule-hit reporting.

2. VPN Hardening: Close the Back Door Before Attackers Find It

Remote access VPN is the most exploited perimeter component in 2026. The Check Point and Palo Alto zero-days are just the latest in a relentless pattern. If your VPN gateway is exposed to the internet — and it has to be — then it needs to be the most hardened system in your environment.

Immediate VPN posture checks:

1. Is your VPN firmware current? Check against the vendor's security advisory page right now. Fortinet publishes FortiGuard PSIRT advisories; Palo Alto has their PAN-OS advisory feed; Check Point maintains their security alerts portal. If you're more than one major version behind, you are likely vulnerable to a known CVE.
2. Enforce MFA on every VPN connection. Not just administrators — every user, every session. FortiGate supports FortiToken (free for up to 5 tokens, ~$130/token beyond that). pfSense integrates with TOTP via plugins. If your current VPN doesn't support MFA natively, put a Cloudflare Access or Tailscale layer in front.
3. Restrict VPN user access by group. No VPN user should reach your entire internal network. Bind users to VLAN-specific access policies — accounting reaches the finance VLAN, developers reach the dev segment, nobody reaches the server management VLAN over VPN.
4. Kill split tunelling for unmanaged devices. If users connect personal devices, disable split tunneling so all traffic routes through the corporate gateway where your firewall and DNS filtering apply.
5. Set aggressive session timeouts. Maximum 8 hours for full-tunnel, 30 minutes idle timeout. Re-authentication after timeout, not silent reconnection.

Modern VPN alternatives worth evaluating:

• Tailscale (WireGuard-based mesh VPN): Free for up to 100 devices. Zero open inbound ports — connections are outbound-only and authenticated via SSO. Extraordinarily effective at eliminating the traditional VPN attack surface entirely. Business plans start at ~$8 AUD/user/month.
• Cloudflare Tunnel: Free tier available. Creates an outbound tunnel from your network to Cloudflare's edge — no inbound ports required. Pair with Cloudflare Access (free for up to 50 users) for identity-based access control with SSO and MFA. Particularly strong for exposing internal web apps without punching holes in your firewall.

3. DMZ Architecture: Stop Putting Your Web Server on the Flat Network

Any service that faces the internet — web servers, email relays, remote desktop gateways, API endpoints — belongs in a DMZ, not on the same network segment as your file servers and domain controllers. NIST SP 800-41 is explicit about this: traffic between zones of different trust levels must traverse a firewall enforcing explicit policy.

What a proper SMB DMZ looks like:

• A dedicated VLAN or physical segment separated by firewall rules from both the internet (untrusted) and the LAN (trusted).
• Inbound traffic from the internet terminates in the DMZ. The DMZ host cannot initiate connections back to the internal LAN.
• Internal LAN can reach the DMZ for management over specific ports only, from specific admin IPs only.
• DMZ hosts run minimal services — no domain-joined Windows servers in the DMZ unless absolutely necessary, and if they are, they're in a separate AD forest or workgroup.

This maps directly to Essential Eight maturity. The ACSC's network segmentation control (part of the "Restricting Microsoft Office Macros" and broader application control strategies) expects that compromised public-facing services cannot pivot laterally to internal systems. A flat network means one compromised web server becomes ransomware on every desktop. A DMZ means the blast radius stays in the DMZ.

Cost reality: You don't need a third firewall to build a DMZ. A FortiGate or pfSense box with three interfaces (WAN, LAN, DMZ) handles it natively. The only additional cost is a managed switch with VLAN support (~$200-$500 for a business-grade 24-port unit).

FAQ

Conclusion

Your perimeter is under active attack. The CVEs hitting Cisco, Check Point, and Palo Alto this month are not theoretical — they're being weaponised by ransomware crews right now. The good news is that the highest-impact fixes are straightforward: clean up your firewall rules, enforce MFA on VPN, and segment your public-facing services into a DMZ. None of these require a six-figure budget or a months-long project. They require one focused day and between $500 and $5,000 in tooling.

Start with the firewall rule audit this afternoon. Check your VPN firmware version before you go home. Sketch out your DMZ VLAN by Friday.

Visit consult.lil.business for a free cybersecurity assessment and find out exactly where your perimeter stands.

References

1. ASD ACSC Alerts — Current Security Alerts and Vulnerabilities
2. NIST SP 800-41 Rev. 1 — Guidelines on Firewalls and Firewall Policy
3. CISA — Known Exploited Vulnerabilities Catalog
4. Fortinet PSIRT — Product Security Incident Response Team Advisories
5. Palo Alto Security Advisories — PAN-OS Vulnerabilities