Most Australian SMBs treat their firewall as a set-and-forget appliance. That box sitting in the corner of the server room has likely accumulated years of permissive rules, stale VPN accounts, and misconfigured zones — and attackers know this. A perimeter defence audit doesn't require a six-figure consultancy engagement. The bulk of it you can complete this week with the right checklist.

TL;DR

Your perimeter security posture is only as strong as the rules actively enforced. Audit your firewall rules this week: remove "ANY-ANY" permissive rules, segment your network into trusted and DMZ zones, harden VPN access with MFA and posture checks, and replace legacy port-forwarding with zero-trust tunnels. Budget $500–$5,000 depending on whether you use open-source (pfSense), mid-tier (FortiGate 40F/60F), or cloud-native (Cloudflare Tunnel + Tailscale). The ASD Essential Eight mandates application control and macro restriction at Maturity Level 1 — start with your border.

The "Set-and-Forget" Problem: Why Your Firewall Is Weaker Than You Think

Every firewall starts with a clean ruleset. Over months and years, well-meaning IT staff — or the MSP who set up your office — add temporary rules that never get removed: a developer's RDP access from 2019, a vendor's SSH tunnel for a project that finished in 2021, a wide-open outbound rule added during a VoIP troubleshooting session. This is firewall rule rot, and it's the single most common perimeter vulnerability we find in SMB audits.

A 2025 ACSC survey of 1,200 Australian small businesses found that 68% had not reviewed their firewall rules in the past 12 months. Of those, 41% had at least one rule allowing unrestricted inbound access from the internet on a non-standard port.

What you can audit today:

  • Log into your firewall's management interface — FortiGate, pfSense, Sophos, MikroTik, whatever you run
  • Export the full ruleset as CSV or take screenshots of every rule table
  • For each rule, ask: Who needs this? When was it last hit? Can I tighten the source IP or port?
  • Delete any rule you can't trace to a current business need. If you're nervous, disable it first and monitor for complaints over 48 hours

Quick-Win Firewall Audit Checklist

Step | Action                                    | Time
---- | ----------------------------------------- | ------
1    | Export current ruleset                    | 5 min
2    | Flag all ANY-source inbound rules         | 10 min
3    | Flag rules with no logging enabled        | 5 min
4    | Disable 5 oldest unused rules             | 15 min
5    | Enable logging on remaining inbound rules | 10 min
6    | Schedule monthly rule review recurrence   | 5 min

Total: under one hour. Do it now.

The pandemic normalised permanent remote access — and many SMBs still run the same VPN config they threw together in March 2020. Here's what's likely wrong:

Misconfigurations we see in every audit:

  • Split tunnelling disabled — all employee traffic (including YouTube and malware-laden personal browsing) routed through the corporate network
  • No MFA on VPN — username and password only, often the same credentials as their email
  • Unpatched VPN appliances — critical CVEs for FortiOS SSL-VPN (CVE-2024-21762, CVSS 9.8) and Pulse Secure were actively exploited in Australia throughout 2024–2025
  • Overly broad access — VPN users dropped onto the internal LAN with no segmentation, meaning a compromised laptop gives an attacker access to your entire file server

Fix it this week:

  1. Enable MFA — Every major firewall platform supports it. FortiGate has free FortiToken Mobile (two tokens included with most licences). pfSense integrates with FreeRADIUS + Google Authenticator at zero cost.
  2. Implement posture checks — FortiGate endpoint compliance can block devices without specific certificates or registry keys before they connect. Even a basic check (is endpoint protection running?) cuts your attack surface dramatically.
  3. Segment VPN traffic — Create a dedicated VLAN for VPN users with firewall rules that only allow access to specific services (RDP to their workstation, file shares on the NAS, nothing else). This aligns with ASD Essential Eight Maturity Level 2, which requires network segmentation.

For businesses ready to move beyond traditional VPN entirely, Tailscale ($6/user/month for the Business plan) and Cloudflare Tunnel (free tier available, Teams plan from $7/user/month) replace legacy VPNs with zero-trust, WireGuard-based connectivity. No open ports. No public IP needed. Every connection authenticated per-session.

DMZ Architecture: You Need One, Even as a 10-Person Shop

The DMZ (demilitarised zone) sounds like enterprise territory, but the concept scales down cleanly: separate anything that faces the internet from anything that holds your data. If you host a public website, a customer portal, or even just a mail server, it should not sit on the same subnet as your HR files and accounting database.

Three-interface model for SMBs (NIST SP 800-41 pattern):

INTERNET → WAN interface (block all inbound except explicitly needed ports)
              ↓
           DMZ (public-facing servers: web, mail relay, customer portal)
              ↓
           LAN (workstations, file servers, internal apps — no direct internet inbound)

How to build it with $500–$5,000:

Tier         | Solution                                         | Cost (AUD)    | Best For
------------ | ------------------------------------------------ | ------------- | ---------------------------------
Budget       | pfSense on repurposed hardware                   | $0–$500       | 1–10 staff, tech-savvy owner
Mid-range    | FortiGate 40F + 1-year UTP                       | $800–$1,200   | 5–25 staff, managed by MSP
Growth       | FortiGate 60F + 3-year UTP + FortiAnalyzer Cloud | $2,500–$5,000 | 20–100 staff, compliance required
Cloud-native | Cloudflare Tunnel + Access + WAF                 | $0–$250/month | No on-prem servers, all SaaS

For the pfSense route: a Protectli Vault or a decommissioned Dell OptiPlex with a dual-NIC Intel card gives you enterprise-grade firewall features at commodity hardware prices. pfSense's wizard sets up WAN/LAN/DMZ interfaces in under 15 minutes.

Common DMZ mistake: Allowing DMZ-to-LAN traffic on the firewall. Your DMZ hosts should never initiate connections to your internal network. If the web server needs database access, place the database on a separate "services" VLAN, not your office LAN. If that sounds complex, start simpler: put the web server in the DMZ, connect it to a cloud database (or a second DMZ host), and keep your office LAN completely isolated.
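The zone rules in the VPN segmentation step above and the DMZ-to-LAN mistake here can both be expressed as a zone-pair allow list and checked mechanically. This added example (not from the article or any vendor) does that over constructed rules; the zone names, service labels and the policy itself are assumptions for illustration.

```python
# Constructed zone-to-zone policy for the three-interface model above, plus a
# dedicated VPN VLAN. Zone names and service labels are assumptions for this
# example. Key: (src_zone, dst_zone) -> permitted services ("*" = any service).
# Pairs that are absent are forbidden, so DMZ->LAN and WAN->LAN never match.
ZONE_POLICY = {
    ("wan", "dmz"): {"HTTPS", "SMTP"},   # only explicitly needed inbound ports
    ("dmz", "wan"): {"*"},               # DMZ hosts may fetch updates etc.
    ("dmz", "services"): {"MSSQL"},      # web tier -> database tier only
    ("lan", "wan"): {"*"},
    ("lan", "dmz"): {"HTTPS", "SSH"},    # staff administering DMZ hosts
    ("vpn", "lan"): {"RDP", "SMB"},      # VPN users: own workstation + NAS shares
}

# Constructed accept rules as (id, src_zone, dst_zone, service).
RULES = [
    ("1", "wan", "dmz", "HTTPS"),
    ("2", "wan", "lan", "RDP"),     # direct inbound to the office LAN
    ("3", "dmz", "lan", "MSSQL"),   # the common DMZ mistake: DMZ initiating to LAN
    ("4", "vpn", "lan", "ALL"),     # VPN users dropped onto the whole LAN
    ("5", "vpn", "lan", "RDP"),
    ("6", "lan", "wan", "ALL"),
]

def violations(rules, policy=ZONE_POLICY):
    """Return (rule_id, reason) for every accept rule the zone policy forbids."""
    out = []
    for rid, src, dst, svc in rules:
        allowed = policy.get((src, dst))
        if allowed is None:
            out.append((rid, f"{src}->{dst} is not a permitted zone pair"))
        elif "*" not in allowed and svc not in allowed:
            out.append((rid, f"{svc} is not in the {src}->{dst} allow list"))
    return out

if __name__ == "__main__":
    for rid, reason in violations(RULES):
        print(f"rule {rid}: {reason}")
```

Re-run the check after every ruleset change; a new DMZ-to-LAN or VPN-to-everything rule shows up as a violation the same day it is added rather than years later.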

ASD Essential Eight Maturity Levels Applied to Perimeter Defence

The Essential Eight maps directly to firewall and perimeter controls. Here's what each maturity level demands at the border:

Maturity Level 1 (bare minimum, required for all government contractors):

  • Application control implemented on workstations (gateway-level app control via NGFW satisfies this)
  • User application hardening — block web browsers from processing Java, Flash, and web advertisements
  • Restrict administrative privileges

Maturity Level 2 (recommended for SMBs handling sensitive data):

  • All of Level 1, plus:
  • Network segmentation between user groups and critical servers
  • Multi-factor authentication for all remote access (VPN, RDP, cloud admin consoles)
  • Application control with an approved allow list, not just block lists

Maturity Level 3 (regulated industries, high-value targets):

  • All of Level 2, plus:
  • Full application allow-listing with Microsoft WDAC or AppLocker
  • Centralised logging with near-real-time alerting
  • Regular independent penetration testing

Most SMBs should target Level 2 as their operational baseline. It's achievable with the hardware budgets listed above and — critically — the discipline to maintain the rules once they're in place.

FAQ

Q: We're a 5-person law firm. Do we really need a DMZ?

A: If you host anything accessible from the internet — a client portal, remote desktop gateway, or even a Synology NAS with remote access — yes. The DMZ prevents an attacker who compromises your public-facing service from pivoting directly to client files. A $200 managed switch and VLAN configuration achieve this without additional hardware.

Q: Our MSP handles the firewall. How do I know they're doing it right?

A: Ask for the current ruleset export and a list of active VPN users with MFA status. If they can't provide both within 24 hours, your perimeter posture is unknown and you should commission an independent audit. MSP-managed firewalls are convenient but often accumulate the most rule rot because no single person owns the review process.

Q: Cloudflare Tunnel vs traditional VPN — which should we pick?

A: If your staff only need access to internal web applications (dashboards, CRMs, file portals), Cloudflare Tunnel + Access eliminates the VPN entirely and is more secure. If you need full network-layer access (RDP to desktops, access to legacy thick-client apps), Tailscale is the simplest zero-trust alternative. Traditional VPNs (FortiClient, OpenVPN) still work but demand active hardening — MFA, segmentation, and regular patching are non-negotiable.

Conclusion

Perimeter security isn't about buying the most expensive appliance — it's about actively managing what you already have. Audit your firewall rules this afternoon. Enable VPN MFA by end of week. Sketch a DMZ diagram on a whiteboard and pick one public-facing service to isolate. These three actions, completed before Friday, put you ahead of the majority of Australian SMBs and align your perimeter with Essential Eight Maturity Level 1–2.

If you're unsure where to start, schedule a free cybersecurity posture assessment at consult.lil.business. We'll review your current firewall config, VPN setup, and network segmentation — and give you a prioritised remediation plan you can execute immediately.

References

  1. ASD Essential Eight Maturity Model – Australian Cyber Security Centre
  2. NIST SP 800-41 Rev. 1: Guidelines on Firewalls and Firewall Policy
  3. Fortinet FortiGate Next-Generation Firewalls for Small Business
  4. CVE-2024-21762 – FortiOS SSL-VPN Out-of-Bounds Write Vulnerability (CVSS 9.8)
  5. Tailscale Business: Zero-Trust Network Access for Teams

Ready to strengthen your security?

Talk to lilMONSTER. We assess your risks, build the tools, and stay with you after the engagement ends. No clipboard-and-leave consulting.
