My friend Alan Shimel has been attempting to put together a podcast debate between me and Roger Grimes who penned a controversial piece at InfoWorld titled “Why You Don’t Need a Firewall.”
I was looking forward to this debate because I wanted to slip in the line “ain’t nuth’n dead until I say it is dead”, but that is going to have to wait until another time. Meanwhile Alan went ahead and posted.
This concept that firewalls do not provide value had its first incarnation in de-perimeterization as promulgated by the Jericho Forum. The general idea is that because network security is so hard we should give up and focus on securing all the endpoints and the data that travels between them.
But in reality we have to defend four separate domains – network, endpoint, data, and applications. I am a great believer in de-coupling the management and defense of these four domains. I even coined my three laws of simple security to reflect this.
1. A secure network assumes the hosts are hostile
2. A secure host assumes the network is hostile
3. A secure application assumes the user is hostile
Networks need firewalls the way cars need brakes. Sure there are still auto accidents and we can postulate a future of autonomously piloted vehicles but for now brakes are required on all vehicles.
To address the perceived issues with firewalls there are three suggestions I would make. Firewalls are policy driven. The administrator defines exact rules for what is and what is not allowed to pass. Like all control systems the danger comes from mis-configuration, so the greatest enhancement to firewall security comes from reducing the risk of mis-configuration.
In the early days of firewalls it was common practice to put multiple firewalls from separate vendors inline to ensure that a vulnerability or mis-configuration in one would be caught and blocked by another. The trouble with this idea is that for every new management interface you introduce you double the complexity and cost of training, managing, auditing, and controlling.
Best practice is to standardize on a single firewall platform for your entire infrastructure. This means that you have to choose a vendor with a range of products that meet your needs from your data center down to your remote offices.
Just as firewall management introduces complexity so does having numerous inline security devices to perform other functions like malware detection, intrusion prevention (IPS), content URL inspection, access control, and application control. Consolidation is the biggest driver in the network security space today as demonstrated by the rapid growth of multi-function firewalls variously called UTM or NGFW.
Vendors like Fortinet, Check Point, Palo Alto Networks, Sonicwall (Dell), and Watchguard, have all profited tremendously from this trend and it explains why Cisco and Juniper, who are blind to the trend, have fallen off the cliff in network security.
Firewall infrastructures have matured over the last fifteen years. In the United States alone there are over 3,000 enterprises with over 200 firewalls they have to manage or outsource. As networks, applications, users, and devices proliferate the firewall rule sets have grown in proportion. In the late ’90s when I still did firewall audits I would pore through firewall configurations that included only a couple of hundred rules.
Today I talk to administrators that have over 20,000 rules in a single firewall! The need to manage firewall policies has given rise to an industry of separate management tools. They can audit a firewall, report on unused policies, even simulate the effect of a change to the policies. They integrate with change control solutions like BMC Remedy and generate diagnostic reports that exceed the native capability of the firewall product.
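As an added illustration of the kind of audit those policy-management tools perform (example code written for this post, not any vendor's product): a first-match rule evaluator over a constructed rule set that reports rules shadowed by an earlier rule, and shows which sample flows change verdict when a rule is inserted. Rule names, addresses and flows are made up.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    name: str
    src: str           # source CIDR
    dst: str           # destination CIDR
    port: "int | None" # destination port, None means any
    action: str        # "allow" or "deny"
    def matches(self, src, dst, port):
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and (self.port is None or self.port == port))

def decide(rules, src, dst, port, default="deny"):
    """First matching rule wins, as on most firewalls; else the default."""
    for r in rules:
        if r.matches(src, dst, port):
            return r.name, r.action
    return "default", default

def shadowed(rules):
    """Rules whose whole match space one earlier rule already covers."""
    found = []
    for i, r in enumerate(rules):
        for earlier in rules[:i]:
            if (ip_network(r.src).subnet_of(ip_network(earlier.src))
                    and ip_network(r.dst).subnet_of(ip_network(earlier.dst))
                    and (earlier.port is None or earlier.port == r.port)):
                found.append((r.name, earlier.name))
                break
    return found

def simulate_change(rules, new_rule, position, flows):  # verdicts that change
    proposed = rules[:position] + [new_rule] + rules[position:]
    changed = []
    for src, dst, port in flows:
        before, after = decide(rules, src, dst, port)[1], decide(proposed, src, dst, port)[1]
        if before != after:
            changed.append((src, dst, port, before, after))
    return changed

# Constructed rule set: "allow-guest-web" can never fire, "deny-guest" precedes it.
RULES = [
    Rule("allow-dns", "10.0.0.0/8", "10.1.1.53/32", 53, "allow"),
    Rule("deny-guest", "10.200.0.0/16", "0.0.0.0/0", None, "deny"),
    Rule("allow-web", "10.0.0.0/8", "0.0.0.0/0", 443, "allow"),
    Rule("allow-guest-web", "10.200.0.0/16", "0.0.0.0/0", 443, "allow"),
]
```

Running `shadowed(RULES)` flags the unreachable guest rule, and `simulate_change` with a corrected allow rule inserted at position 1 shows exactly which sample flows flip from deny to allow before the change is committed.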
Listen to Reuven to get up to speed on the state of the art in policy management.
Firewalls are an indispensable component of network security. Any report of their demise is premature. They are alive and well and growing dramatically in capability. Only through standardization, consolidation, and management will the enterprise be able to reduce complexity and cost while increasing security.