Six years ago I wrote, “Firewalls need to go away. I'm just saying what we all already know. Firewalls have always been problematic, and today there is almost no reason to have one.” Firewalls were—and still are—no longer effective against modern attacks.
Recently, someone asked me at security conference if I still believed firewalls were not needed. The answer is emphatically “Yes!” The evidence over the last six years has only strengthened my resolve, but that applies only to traditional firewalls. Let me explain.
Attacks traditional firewalls are good at stopping
Traditional firewalls, with the ability to block or allow specific IP addresses and ports, really protect against only a few things. The most common scenario is to stop an unauthorized person or malware program from connecting to an unprotected or vulnerable listening service or daemon. Ignoring for the moment that routers are far faster at performing that action, times and attack types have changed.
Twenty years ago, blocking unauthorized connections made a lot of sense. Most computers were horribly secured and had weak passwords. They were not only full of unpatched and buggy software, but often had services that would allow anyone to attempt a logon or connection. You could knock over the average server by sending it a single malformed network packet, and that was only necessary if the admin didn’t have some full admin rights remote service that allowed anonymous connections. Anyone remove anonymous NETBIOS connections in Windows? I do. It was hacker gold for 15 years, until Microsoft blocked it by default with Microsoft Windows XP.
If you use firewalls to mainly block unauthorized IP addresses or protocols, a router is far better and faster at it. There is a saying in the computer security world, “Use your dumbest and fastest device first.” That means that if something can be blocked by using a faster and more efficient device, use that device as your first line of defense. It will drop more unwanted traffic faster and more efficiently. Routers have far less “upper layer” code and shorter rule sets than the average firewall. A router’s “if-then” decision loop is orders of magnitude faster than a firewall. But I’m not even sure if you need to block most unauthorized connections anymore.
Firewalls were best at stopping unauthorized remote connections to listening services, which could then be buffer overflowed to take complete control of the computer. This was a major reason why firewalls were invented. Faulty services used to be so popular they were considered the norm. Malware programs like MS-Blaster and the SQL-based Slammer worm exploited the world in minutes using them.
Today’s services aren’t nearly as vulnerable. The programming languages that coders use check for buffer overflows by default. The other operating system computer security designed to stop traditional exploit methods is very successful at doing so. Each year, Microsoft has found 130 to 150 bugs across all products that they create. Since 2003, that’s about 2,000 different bugs. Only five to ten have been remote-only exploitable. Apple and Linux computers have had far more bugs in the same time period, but the percentage of remote-only exploitable daemons is about the same.
To be clear, there have been dozens and dozens of buggy, exploitable services, but nearly all have required that a local end-user do something to initiate the attack. The user has to click on a malicious link or be tricked into visiting a Trojan web page. Why is this important? Because when the end-user does this, it creates an “allowed” outbound connection to initiate the then “allowed” resulting inbound connection back to the user’s computer. “Client-side” attacks are nearly 100 percent of all attacks and firewalls aren’t good at stopping those types of connections.
Port blocking is no longer effective
Traditional firewalls were more useful when every service in the world used its own TCP/IP port—FTP over 21, SMTP over 25, and so on. Today, the world is mostly conducted over ports 80 and 443, and increasingly only over the latter. What little network traffic isn’t conducted over 443 probably will be in the next few years. If everything works over one (or even a few) ports, what use is port blocking? Not only that, but the default encrypted nature of HTTPS makes traffic filtering harder to conduct.
Boundaries are fading away
Firewalls are the epitome of security domain boundaries. You define two or more security boundaries and then use a firewall to enforce traffic between them. The truth is that effective, securable boundaries have been dying for over a decade. They were never really perfect, but boundaries really started dying once we started to connect the internet to other networks and to connect WiFi routers into all of that.
Firewalls might have made sense when it was just one or two network boundaries, us and them, but it quickly broke down when we started adding “DMZ” and additional “authorized” networks. Once we added always-connected internet access, it’s basically game over. We just didn’t admit it.
For a long time, many IT security people thought we still had secure boundaries, but any audit would reveal them to be the Swiss cheese that they really were. I’ve never audited an internet system that didn’t have so many unexplainable network routes that the network administrator was basically just allowing every undefined pathway to continue because they were afraid of breaking some critical service or application.
Firewalls are horribly managed
Adding to the false sense of boundary security is how horribly managed most firewalls are. Almost all home users are clueless about what a firewall is and what it does, so even if one is turned on on their computer, by default, they haven’t ever seen or configured it. It isn’t much better on the corporate side even though we occasionally delude ourselves into believing otherwise.
I’ve never seen a corporate firewall that was appropriately configured. Heck, half have some insane “<ANY><ANY>” rule, which invalidates the whole reason for having a firewall. Most have far more allowed pathways and protocols than should be configured. Even if the firewall starts off perfectly configured, just give it a year. Most corporations I work with spend most of their “firewall money” buying configuration software that will help them better manage the configuration mess they have on their hands. Things are so bad they aren’t even trying to make them appropriately secure. They are just trying to slow down the unauthorized changes.
I also hate traditional firewalls for their horrible logs. Every firewall log I’ve seen contains millions of events that, while accurate, have absolutely no usefulness regarding real security. Firewalls are full of so much “noise” that any potentially useful event that an administrator might need to pay attention to is lost to distraction.
Lastly, enterprise firewalls are often horribly patched. In my 30-year career, half of which was spent doing security evaluations, I never found an up-to-date, fully patched firewall. On top of that, many of the device and appliance firewalls that I reviewed had publicly known bugs in them. Instead of being the bastion of security, they became yet one more potential attack vector.
How about smart firewalls?
Today’s modern firewalls do more than just filter ports and sockets. They can act as VPNs or HTTPS inspection proxies. They can perform intrusion detection/prevention, filter URLs, block upper layer attacks, stop DDOS attacks, and even perform inline patching. Firewalls have morphed into so much more than simple port and protocol blocking.
I still don’t believe there is much value in the traditional firewall actions of blocking and allowing different IP addresses and ports, but what most firewalls do today is much more than that. Firewalls have morphed from strictly perimeter-based bastion defenders into protecting the internal “crunchy” layer. If you look at the list of services provided by today’s firewalls, you’ll see as much client-side protection as you will network protection. That’s a good thing. That’s welcomed. That has value.
If you’re considering a new firewall, look at those that offer control features to offset the biggest risks (e.g., URL filtering, attachment filtering, patch discovery, or inline-patching). The firewall you use today should not be the firewall your parents used.