Ransomware groups like Akira are bypassing firewalls and targeting VPNs—even patched and MFA-protected devices aren’t immune.
Firewall appliances are seen as the cornerstone of network defence - trusted to keep threat actors at bay and shield internal systems from external compromise. But recent events have exposed a dangerous over-reliance on these devices. Not least because ransomware groups like Akira are increasingly targeting them with precision and persistence.
The SonicWall wake-up call
In July and August 2025, the cybersecurity community saw a surge in ransomware incidents linked to SonicWall Generation 7 firewalls with Secure Sockets Layer (SSL) Virtual Private Network (VPN) enabled. The Akira ransomware group, known for its aggressive tactics and rapid encryption, was observed exploiting a known vulnerability - even on devices that had been patched and protected by multi-factor authentication (MFA).
The problem with perimeter thinking
The SonicWall incidents highlight a broader issue. Firewalls are not infallible, and relying solely on them as your primary defence strategy could be a significant strategic error. Vendors often respond quickly to vulnerabilities with patches and advisories. But that still leaves a window of vulnerability, between discovery and remediation, for attackers to exploit - particularly when zero-day flaws are involved.
What’s more, even hardened appliances can be undermined by things like misconfigured access controls, overlooked legacy accounts, or user behaviour. It’s no longer tenable to assume that your systems are safe just because your firewall has been patched.
A layered defence strategy
To reduce your exposure to the risk of ransomware - even if your firewall or VPN becomes compromised - you need to adopt a defence-in-depth approach.
Here’s what that looks like:
1. Limit VPN exposure
Restrict access to trusted IP ranges
Disable unused or legacy VPN accounts
Monitor for unusual behaviour such as logins from data centres or hosting providers.
2. Enhance endpoint visibility
Deploy Endpoint Detection and Response (EDR)/Managed Detection and Response (MDR) solutions to detect post-compromise activity
These products not only detect static threats but also alert on suspicious behaviour - this matters because threat actors often use tooling that traditional antivirus solutions won’t detect.
3. Improve logging and retention
Ensure firewall and endpoint logs are retained - this will aid analysis should an incident occur
Enable alerting for suspicious VPN activity and credential changes.
4. Backup and recovery
Maintain secure, off-site backups
Test recovery procedures regularly to ensure resilience.
5. User awareness and role-based access
Train users on phishing and credential hygiene
Enforce ‘least privilege’ access across all systems.
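
The VPN checks in steps 1 and 3 (trusted IP ranges, legacy accounts, logins from hosting providers) can be run directly over VPN login records. The Python below is an added example, not code from the original article or from any vendor; the log line layout, account names and CIDR ranges (RFC 5737 documentation networks) are constructed for illustration.

```python
import ipaddress
import re

# Assumptions (all constructed for illustration): the log line layout, the
# account names, and the CIDR ranges (RFC 5737 documentation networks).
TRUSTED_NETS = [ipaddress.ip_network("198.51.100.0/24")]  # e.g. office egress
HOSTING_NETS = [ipaddress.ip_network("203.0.113.0/24")]   # stand-in for a hosting-provider feed
LEGACY_ACCOUNTS = {"svc_backup_old", "contractor7"}       # accounts that should never log in

LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn-login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\w+)$")

SAMPLE_LOG = """\
2025-08-01T08:02:11Z vpn-login user=asmith src=198.51.100.23 result=success
2025-08-01T02:14:07Z vpn-login user=asmith src=203.0.113.45 result=success
2025-08-01T02:15:40Z vpn-login user=svc_backup_old src=198.51.100.9 result=success
2025-08-01T03:01:02Z vpn-login user=bjones src=192.0.2.77 result=failure
not a vpn line
"""

def in_any(addr, nets):
    return any(addr in net for net in nets)

def triage(log_text):
    """Return (timestamp, user, src, reasons) for each login worth reviewing."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a VPN login record
        try:
            addr = ipaddress.ip_address(m["src"])
        except ValueError:
            findings.append((m["ts"], m["user"], m["src"], ["unparseable-source"]))
            continue
        reasons = []
        if in_any(addr, HOSTING_NETS):
            reasons.append("hosting-provider-source")
        elif not in_any(addr, TRUSTED_NETS):
            reasons.append("outside-trusted-ranges")
        if m["user"] in LEGACY_ACCOUNTS:
            reasons.append("legacy-account")  # flagged even from a trusted range
        if reasons:
            findings.append((m["ts"], m["user"], m["src"], reasons))
    return findings

if __name__ == "__main__":
    for ts, user, src, reasons in triage(SAMPLE_LOG):
        print(ts, user, src, ",".join(reasons))
```

Failed attempts are reported as well as successful ones, since repeated failures from an untrusted source are part of the same picture.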

Conclusion
The Akira ransomware campaign provides a stark reminder that security needs to be proactive, not reactive. Firewalls are essential, but they’re just one layer in a much broader strategy. To stay safe, you need to prepare for the possibility that even your most trusted defences could fail - and make sure that if they do, the damage will be contained.
If your business relies heavily on firewall appliances, now is the time to reassess your posture. Ask yourself, ‘What happens if this device is breached?’ If the answer is ‘We’re not sure,’ then it’s time to build a more resilient security architecture.
Contact our team today at enquiries.uk@solissecurity.com to discuss how we can protect your business.