Firewalls and Anti-Virus Aren't Dead - Should They Be?

Friday, May 04, 2012

Beau Woods


Over the last several years, firewalls and anti-virus have been losing effectiveness. Many in the information security community have recognized this.

Unfortunately many of the business and operations people haven't.

The threats that these technologies (tools to assist in a solution, not the solution themselves) were designed to solve have changed. That's not to say that they do nothing - they can still be useful - but your organization needs to know what they're meant to counter and how to use them properly.

I was inspired to finally write this down by a story Wendy Nather contributed to Infosec Island, entitled Why We Still Need Firewalls and AV. While I agree with her general premise, I think the article doesn't get to the real heart of the issue.

When firewalls and anti-virus were all we had and effectively countered the threats we faced, they tended to be used more as they were designed. But now, firewalls and anti-virus don't counter the majority of the threats and aren't used very well.

Firewalls were invented a couple of decades ago to keep Internet-borne threats out. The firewall has its roots in the early 1990s, a time when commerce was prohibited on the Internet and most companies didn't have any presence there. As computer networking grew in popularity, connecting to the Internet was a way to share information across organizations, as well as internally.

However, within a decade, Internet attacks were prevalent and organizations needed a way to protect the devices on their network. The firewall was popularized as a way to enforce a hard separation between the outside and the inside.

The major advantage to this approach was that it was much cheaper than securing every single device. And at the time just as effective, since most devices had no need to communicate over the Internet and so a small set of connections were allowed to pass through the firewall.

The Internet landscape has changed drastically since then. And with it, the Internet threats. Modern business processes are highly dependent upon and thoroughly integrated with the Internet. Organizations invite masses of Internet devices into their network to deliver web pages, email content, support mobile devices and dozens of other reasons.

At the same time, devices within the network routinely initiate communications to the Internet and pass data back and forth. Firewalls have gotten better, but they simply can't handle the new ways in which organizations work on the Internet, nor the more sophisticated threats. They still have a use as a tool to protect networks, but more tools are needed.

Similarly, anti-virus was first developed to detect, prevent and remove individual viruses. These software packages were simplistic, identifying malicious programs and files by looking for indicators or "signatures" that were unique to each virus. This was, again, before the Internet was widely used and most virus transmission was very slow.

The anti-virus industry was easily able to keep up with new viruses and forms of existing viruses. This was a time when the number of specimens was very small and they didn't change very often. Updating the signatures was a task done once a year or so, and in fact when the subscription-based licensing model for anti-virus was initially launched it was widely viewed as somewhat of a betrayal of trust - paying continually for the same software. It was a different time.

But today's situation is vastly different from what anti-virus was designed to deal with. Because of the proliferation of Internet connectivity, malicious software spreads very quickly. Instead of taking months to spread to thousands of systems, it takes seconds to spread to millions. And the malware itself has become much better at avoiding detection, taking steps to hide its signature.

Most viruses today are obfuscated a number of times and checked to make sure no anti-virus software can detect it - all in a matter of seconds, and all before it's sent out to its victim. And viruses are often created and distributed in such a way that anti-virus vendors don't get a copy before the malicious software finds its victim.

And when it does infect a device, it frequently disables any anti-virus software and hides in such a way that it can't be detected except by sophisticated, usually manual techniques. Anti-virus software largely still relies on signature based detection, which is increasingly growing ineffective and often slows down system performance.

Further decreasing the effectiveness of firewalls and anti-virus in organizations is the way they're used. Because of the massive number of connections in and out of a network, definitions of what is and is not allowed and exactly how to allow or deny network connections have become a sprawling mess.

And underneath all this complexity, many organizations don't even do the basics right - properly configuring and managing these tools. And administering anti-virus often means running daily reports of issues and sending a technician onsite to manually investigate what's gone wrong. Firewalls and anti-virus cost many organizations millions of dollars a year and are failing to do what they should.

So why should we keep these things around? In the case of firewalls, they do exactly what they are supposed to do and do it quite well. Organizations just need to get smarter about using them. That means limiting firewalls' purpose to what they do well and handing off other duties to other tools. In addition, organizations need to make sure they have a good firewall management program - even small organizations.

And anti-virus should be re-understood as a broader concept of endpoint protection. This includes securing configurations and access, restricting software to that which is known to be safe and putting tools in place to detect anomalous behavior. Anti-virus software packages can help fulfill the last piece - telling systems administrators that a known threat has been detected or that suspicious activity has been happening.

But one thing I think we as security professionals should be advocating is reducing the amount of money and resources spent on these technologies. Instead, shift to more effective ways to secure an organization.

For example, by providing better training to IT staff for using with the existing tools and technologies. Or improving security awareness programs so that viruses (not to mention many other types of attacks) are less likely to be effective.

In the end, this will allow an organization to maintain the same level of security at a lower cost or to increase security at the same cost.

Cross-posted from Beau's Cybersecurity Blog

Possibly Related Articles:
Information Security
Firewalls Antivirus Software malware internet Network Security Information Security Connectivity Security Solution vendors
Post Rating I Like this!
Ian Tibble Fair points. With firewalls the devil is in the details though. Its true firewalls can't block every attack, but what sort of attacks are we talking about? We're talking mostly about the type of attacks we're seeing now which exploit basic failures of due diligence (e.g. password re-use, patches not deployed, weak passwords, and so on). If we do two things, the second of which is no small task but highly effective, we see firewalls in an entirely different light.
- Low hanging fruit problems as described before - at least lets give these some consideration and mitigate as many as possible
- Network architecture, consideration of data flows, segmentation. Think about what hackers (or in the case of google...malware) will "see" when port scanning from different subnets, and also packet sniffing.

If a network is a border choke point and a flat private network, you're in trouble, and the border firewall "gets the blame" for "letting through" the attack. Segmentation with well-thought out rule sets...with firewalls or routers and NAC...suddenly, as long as we don't do stupid stuff such as weak passwords and so on, we see the firewall is adding a huge chunk of time on the bad guy's schedule.

If the reader hasn't read this book, please give it a glance over (and no I have nothing financially to gain from sales of this book): "Building Internet Firewalls", O'Reilly. And also TCP/IP Illustrated volume 1 and 2.

Anti Virus ... another book by a McAfee guy (!!) on how bad anti-virus is (and other products - again, I have nothing financially to gain from sales of this book): John Viega's "The Myths Of Security".

Looking at the two: firewalls were designed to accept or deny packets based on source and destination address and service. This is what they do. Anti-virus in most cases does not do what it was designed to do...not even close. Of course that doesn't mean we ditch anti-virus.

Firewalls, in terms of effectiveness - the major league of security controls. Anti-virus is way down the ladder in comparison. With firewalls though, someone in the organisation, whether it's IT ops or IT sec doesn't matter, has to learn the details and familiarize themselves with technical risks and their own network and applications.

Michael Johnson Some excellent points here. First off, anti-malware and firewalls are pretty much essential to every network, but they're only essentials. From that, we can either meticulously implement security in depth, or do a risk/threat assessment and tailor security to that.

It seems the main problem you've highlighted is one of adapting security to match current threats. Luckily there are solutions for this, and three that come to mind are:
* Maintaining commercial and situational awareness, as a huge amount of intelligence can be gathered from public sources, even enough to give us a rough idea of what the threats are and how they operate.
* Honeypots can be used for gathering intelligence on the threats to a specific network, perhaps indicating the methods and frequency of the attacks.
* Heuristic anti-malware is an option, but deploying it on an enterprise network could be a gamble.
Marc Quibell Firewalls and AV are def. not dead. AV is and has always been heuristic, it's a lot more versatile than you think, though I can see where folks see AV as signature-based only, because that's all they see is 'signature' updates. What do you think all those engine updates do? HIPS is really where it's at today, and HIPS includes AV.

Firewalls still have great uses for creating DMZ's and security zones, not to mention strong mitigation against attacks not related to the open ports, recon scans, logging and tracking..firewalls are still at the top of a layered defense model.

More on heuristic AV:
Beau Woods I'd say you're right in that most A/V vendors have pushed towards an endpoint protection strategy. But I've seen the next-generation type of endpoint protection tools and they're miles ahead of anything else on the market. I'm currently under NDA so can't provide details, but can say that what I've seen is a different direction than most A/V vendors are currently going. Why? It's a business model that doesn't play well with their own.

You're mistaken about antivirus heuristics. They haven't always been built into the A/V products. Many companies (including ESET) claim to have invented the first heuristics engine, but they all say it was created after they started making a signature-based product. And even modern heuristics in AV is based on signatures - from the paper you cited, "Heuristic analysis uses a rule-based approach to diagnosing a potentially-offending file (or message, in the case of spam analysis)." So the effectiveness of the heuristics is only as good as the rules in place. The problem with that is it's hard to distinguish a lot of the modern viruses from legitimate programs. There are some AV engines, for example, that will happily allow malware to run, as long as you name the file OUTLOOK.EXE. I know because I've used that trick many times in Pentests. That's dumb heuristics and could easily be strengthened by using file hashing to uniquely identify the real OUTLOOK.EXE program from fakes.

But I definitely agree that firewalls are still strong tools to use, as long as they're used the right way. Hopefully that message came across by the end of the story.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.