Americas

  • United States

Asia

Oceania

roger_grimes
Columnist

The firestorm over firewalls

Analysis
May 17, 20128 mins
Data and Information SecurityFirewallsHacking

Two days ago I declared that it was time to deep-six the firewall; the rebuttals were fast and furious. Here's my response

I love offering opinions that generate comment after comment about how dumb I am, as my post “Why you don’t need a firewall” has achieved. Little do these detractors know that my family and classmates said much meaner things as I was growing up, so it’s like water sliding off a duck’s back. I appreciate most of the comments — because many were valid.

Some commenters, for example, guessed that I might have been exaggerating the tone of the article for effect. Mea culpa!

[ Also on InfoWorld: Find out what set off the sparks in “Why you don’t need a firewall.” | The Web browser is your portal to the world — as well as the conduit that lets in many security threats. InfoWorld’s expert contributors show you how to secure your Web browsers in this “Web Browser Security Deep Dive” PDF guide. | Keep up with key security issues with the Security Central newsletter. ]

But I stand by my main point, which is that firewalls have significantly less value today than they did years ago. Many readers focused on one point: that misconfigured and mismanaged firewalls are worse than useless. That’s true. But my main argument, that most of today’s successful threats don’t care about firewalls, is much more relevant. Firewalls are victims of their own success: They forced attackers to move up the stack and pick outgoing ports that are always open (ports 80 and 443).

Bones of contention Some readers pointed out that firewalls are great at auditing, blocking denial-of-service attacks, and configuring quality of service. True, but routers and proxies are even better for those tasks. In an optimally configured environment, you let the dumbest (and fastest) device do most of the work.

Another contention was that firewalls are great at blocking ports of vulnerable listening services. This is true, but there aren’t many vulnerable remote services anymore; even when they are vulnerable, vendors offer patches faster than companies can approve new firewall rules. Let me ask you: When the RDP exploit was out last month, did you apply the patch or block the firewall port? I bet the former rather than the latter.

Many readers told me that firewalls are good at deep packet inspection. Sure, but a properly designed service doesn’t need deep packet inspection to protect it. Deep packet inspection is computationally very expensive. It slows down the network and generates a ton of false positives. Almost none of my clients with devices capable of deep packet inspection use it. You’d be better off with a service that isn’t prey to the type of threats prevented by deep packet inspection; a well-designed service is faster, better, and stronger.

Show me a scenario where you think a firewall excels, and there’s a good chance you’re using it in place of a device or solution that would do the job better or more securely.

The security industry versus me The president and CTO of Firemon, Jody Brazil, had one of the better retorts to my column. Here’s the first part:

Today Roger Grimes posted an article on InfoWorld about the overdue death of the firewall: “Why you don’t need a firewall.” His case rests on two primary arguments: 1. The firewall doesn’t protect against modern-day threats, specifically client-side vulnerabilities and the fact that all apps run over port 80 and 443 that can never be blocked in the firewall and 2. The firewall is managed so poorly that it causes more problems than it solves.

I’ll agree that these are my main two points, but I’m far more vested in the former than the latter.

Let’s separate these two points to more logically discuss each, starting with the value of a firewall in today’s threat environment. I take significant issue with his statement that, “Today, 99 percent of all successful attacks are client-side attacks.” This is not substantiated by any research for good reason; it isn’t true.

Ah, but it is true. Get rid of the browser on a computer and nearly all risk goes away. Most successful exploits happen because of client-side malware — even attacks that eventually reach the server and/or compromise data. Just ask McAfee, Symantec, Microsoft, or any of the other major companies that monitor and sell computer security protection. If we could stop people from clicking on things they shouldn’t, the world of computer security would be far easier.

Successful client-side attacks number in the tens, if not hundreds of millions, per year. Go find your biggest hack that didn’t require the end-user to be involved and respond back to me in public. If you search long enough, you’ll find a few that hit maybe a thousand computers in their lifetime.

The Verizon Data Breach Investigations Report actually discusses successful attacks in significant depth and completely invalidates this point. It reports that 81 percent of all attacks and 99 percent of lost data is a direct result of “hacking.”

I’m a big fan of the Verizon Data Breach Investigations Report. However, it focuses on large data breaches that Verizon and its partners have investigated. It doesn’t cover the residential world, which is far larger than the corporate world. It doesn’t cover the small businesses that either didn’t suffer huge data losses or didn’t call Verizon or one of its partners. For the most part, Verizon only gets a call when the company involved has been hacked by humans. That would have a tendency to skew the data, don’t you think?

If you want a better count of client-side attacks versus hacking, ask the big antivirus vendors, who cover clients of every size, big and small, commercial and residential, regardless of the attack vector. They report on the tens of millions of socially engineered Trojans caught each month across hundreds of thousands of companies. The Verizon report covers 855 incidents for the year. Who has a better measure of what is impacting a broad cross-section of customers the most?

Even Verizon’s report backs me up. Yes, hackers and hacking are involved in stealing data. But the successful compromise that got the hackers into the business in the first place was usually a client-side attack. The human hacking came later.

Don’t believe me? Check out Figure 2 (page 8) in the 2012 Verizon Data Breach Investigations Report report. It shows how companies got exploited — and how that yielded the hacking statistics you base your claims on. Exhibit No. 1 is a client-side attack. Further, without the client-side attack mentioned at the outset, the human attacker wouldn’t have been successful. As far as I can tell, I don’t see how a firewall would have helped in the scenario Verizon is reporting as how companies got hacked.

It goes on to specify that access to remote services (e.g. VNC, RCP) “combined with default, weak or stolen credentials” account for 88 percent of all breaches. The assumption that 99 percent of attacks are client-side is dead wrong.

The exact quote is, “Remote access services (e.g., VNC, RDP) continue their rise in prevalence, accounting for 88 percent of all breaches leveraging hacking techniques.” This is from page 32 of the 2012 report.

The report is saying that of “breaches leveraging hacking techniques,” 88 percent use remote control services. It’s not the same as saying 88 percent of breaches used hacking techniques. I’ll bet you that the VNC and RDP being abused was already installed and used by the victims — at least, that’s the case for every hacking victim I’ve ever investigated. The hackers are simply using the legitimate services already installed and used by the IT staff. Firewalls aren’t going to stop that.

Modern firewalls do more But my antagonist doesn’t stop there. Brazil also brought up the fact that firewalls are getting better:

It would also seem that Roger is ignoring new advancements in firewall technology. Next-gen firewalls are specifically adept at helping prevent the client-side attack. No longer is port 80 and 443 an open highway of access through which everything can pass. User-based and application-based policies permit effective control of outbound access.

I’ve been hearing about firewall advancements and next-gen firewalls for 20 years. When are they going to be advanced enough to stop most hacking? It’s like waiting for antimalware scanners to stop computer malware. It hasn’t happened, and it never will.

In the Verizon report, the experts tell large organizations what to do to prevent attacks like the ones mentioned in the publication. That advice does not include “install and use a firewall” or even “install an advanced firewall.” Why? Because most of these hacked companies already use good firewalls — many firewalls, I’m sure. In fact, nearly everyone is already using firewalls — including advanced, superduper firewalls — and they still get hacked.

If your next-gen firewall can stop all the hacking you claim it can, why not put that in writing as a guarantee? Not just a money-back warranty, but as a promise to pay for all the costs of the cleanup associated with the attack.

I want to thank Firemon’s CTO and president for engaging in this debate. I don’t mean to belittle anyone’s point of view, and I respect Firemon and its products. But it doesn’t change my opinion.

Think about it: If firewalls really did stop as much hacking as they claimed, things wouldn’t be nearly as bad as they are today.

This story, “The firestorm over firewalls,” was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes’ Security Adviser blog at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.

roger_grimes
Columnist

Roger A. Grimes is a contributing editor. Roger holds more than 40 computer certifications and has authored ten books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. He specializes in protecting host computers from hackers and malware, and consults to companies from the Fortune 100 to small businesses. A frequent industry speaker and educator, Roger currently works for KnowBe4 as the Data-Driven Defense Evangelist and is the author of Cryptography Apocalypse.

More from this author