SANS ISC InfoSec Community Forums

Do Firewalls make sense?
Quoting Diary:

Once in a while, someone comes up with the idea that firewalls are really not all that necessary. Most recently, Roger Grimes of Infoworld [1][2]. I am usually of the opinion that we definitely probably need firewalls. But I think the points made by the anti-firewall faction offer some insight into not only why we really need firewalls, but also what people don't understand about firewalls.

To clarify from the start: I am talking here about good old basic network firewalls. No deep packet inspection rules and no host based firewalls.

From a security point of view, firewalls offer two main functions: They regulate traffic, and they provide logs. The second part is often neglected. But look over some of the stories here, and quite frequently, you will find cases in which firewall logs tripped the scale. For example the "duplicate DNS response" issue earlier this week was initially found by an observant reader watching firewall logs.

When it comes to filtering, some consider firewalls not worth the trouble because "they only filter on ports that are closed on the server anyway". I think this shows a lack of understanding of what a firewall can do protecting servers. My best firewall wins came usually from outbound filtering from traffic trying to leave the server.

The next argument against firewalls is that there are usually better devices to do the filtering: Proxies have real application insight, router and switch ACLs can usually pick up the low end port filtering part. As far as the proxy is concerned: I say get one too. But proxies are usually rather complex devices to configure correctly and I would rather get the easy stuff out of the way first using a firewall. At the same time: How do I make sure my traffic actually uses the proxy? That typically involves a firewall.

A switch or a router may have many features that are found in a classic firewall (even stateful rules and some application logic). They may be perfectly fine for a home user or a small business. However, in particular in an enterprise context, you probably want to split the firewall functionality to a different device, and with that to a different group of people. The people dealing with routing and network performance ("packet movers") are usually not the same people that are dealing with firewalls and filtering ("packet droppers").

But how many "modern" attacks are really blocked by firewalls? Aren't they all sending a spear phishing email to the user, tricking the user to download malware some Chinese kid wrote via the filtering proxy we installed? Next they exfiltrate the data via that same proxy (or DNS, or SMTP... or other services we have to allow)? In part, these modern attacks are a testimony to the effectiveness of firewalls. An attacker would probably rather still use the same tool they used back in the 90s to brute force file sharing passwords and download data straight from the system. But sadly, because now even some universities block file sharing using a firewall, these attacks no longer work.

Against these modern attacks, we have other defenses. Some may work against the older versions of these attacks as well. In short, these defenses can be summarized as "end point protection" (whitelisting, anti-virus, host based firewall, hardening of the system...). Hardening a large number of end points is however a lot more difficult than configuring a few firewalls well placed at the right choke points.

By now, you are probably going to ask yourself: Why hasn't he talked about "defense in depth" yet? The argument doesn't really apply if you are trying to argue removing a device. Each additional security device can be justified with "defense in depth". But some security devices do not add enough value to justify the expense. I don't think "defense in depth" itself can be used to justify a *particular* security device. It rather justifies the fact that some of our security devices are redundant and fulfill similar, but not identical, roles.

To summarize: If the last time you looked at your firewall rules and logs was back in 2003 to stop SQL Slammer, you probably may as well get rid of it. But a well managed and configured firewall can have significant value. It is one of the simpler security devices you probably have. Consider it the good reliable 6 shooter as compared to the fancy (but sometimes flaky) F-22. Which one are you going to take along to get money from the ATM that just appeared in the DEFCON hotel lobby ;-) .

Thoughts? Flames? Use the comment feature or send us a non-public comment via the contact form.

[1] http://www.infoworld.com/d/security/the-firestorm-over-firewalls-193409
[2] http://www.networkworld.com/news/2005/070405perimeter.html

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Dr. J

1653 Posts
ISC Handler
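The diary names two things a basic network firewall gives you, traffic regulation and logs, and stresses that the real wins come from outbound filtering and from forcing traffic through the proxy. The following is an added example (not code from the diary or from ISC) that models both in Python: a default-deny egress policy in which only the proxy host may reach the web, and an analyser for the DROP records such a policy produces, which sets aside the inbound "closed ports anyway" noise and surfaces internal hosts that keep trying to leave the network. All addresses, rule names and log lines are constructed for illustration.

```python
"""Added example: minimal egress policy model plus drop-log analyser.
Everything here (addresses, rules, log records) is constructed."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# --- constructed policy: default-deny egress, proxy is the only web talker ---
ANY = ip_network("0.0.0.0/0")
INTERNAL = ip_network("10.0.0.0/8")       # assumed internal range
PROXY = ip_network("10.0.0.5/32")         # assumed web proxy
RESOLVER = ip_network("10.0.0.53/32")     # assumed internal DNS resolver
MAIL_RELAY = ip_network("10.0.0.25/32")   # assumed SMTP relay

# (name, src, dst, proto, allowed destination ports or None for any, action)
RULES = [
    ("dns-to-resolver", INTERNAL, RESOLVER, "UDP", {53}, "ACCEPT"),
    ("proxy-egress", PROXY, ANY, "TCP", {80, 443}, "ACCEPT"),
    ("relay-smtp", MAIL_RELAY, ANY, "TCP", {25}, "ACCEPT"),
]
DEFAULT = ("default-drop", "DROP")


def evaluate(src, dst, proto, dport, rules=RULES):
    """First-match rule evaluation; anything not explicitly allowed is dropped.
    Returns (action, rule_name)."""
    s, d = ip_address(src), ip_address(dst)
    for name, rsrc, rdst, rproto, ports, action in rules:
        if s in rsrc and d in rdst and proto == rproto and (ports is None or dport in ports):
            return action, name
    return DEFAULT[1], DEFAULT[0]


# --- log side: netfilter-style records written for the default-drop rule ---
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+).*?PROTO=(?P<proto>\S+)(?:.*?DPT=(?P<dport>\d+))?"
)

SAMPLE_LOG = [  # constructed records, not real traffic
    "Jan 12 03:14:01 fw kernel: FW-DROP IN=eth1 OUT=eth0 SRC=10.0.0.17 DST=198.51.100.9 PROTO=TCP SPT=49152 DPT=443",
    "Jan 12 03:14:03 fw kernel: FW-DROP IN=eth1 OUT=eth0 SRC=10.0.0.17 DST=198.51.100.10 PROTO=TCP SPT=49153 DPT=443",
    "Jan 12 03:14:05 fw kernel: FW-DROP IN=eth1 OUT=eth0 SRC=10.0.0.17 DST=203.0.113.7 PROTO=TCP SPT=49154 DPT=8443",
    "Jan 12 03:14:06 fw kernel: FW-DROP IN=eth1 OUT=eth0 SRC=10.0.0.17 DST=203.0.113.53 PROTO=UDP SPT=40000 DPT=53",
    "Jan 12 03:15:00 fw kernel: FW-DROP IN=eth1 OUT=eth0 SRC=10.0.0.33 DST=198.51.100.9 PROTO=TCP SPT=51000 DPT=443",
    "Jan 12 03:15:02 fw kernel: FW-DROP IN=eth0 OUT=eth1 SRC=192.0.2.44 DST=10.0.0.17 PROTO=TCP SPT=33000 DPT=445",
    "Jan 12 03:15:04 fw kernel: FW-DROP IN=eth1 OUT=eth0 SRC=10.0.0.17 DST=198.51.100.9 PROTO=ICMP",
]


def parse_drop(line):
    """Extract (src, dst, proto, dport) from a DROP record; None for anything else.
    ICMP records carry no DPT, so dport may be None."""
    if "FW-DROP" not in line:
        return None
    m = LOG_RE.search(line)
    if not m:
        return None
    dport = int(m["dport"]) if m["dport"] else None
    return m["src"], m["dst"], m["proto"], dport


def egress_summary(lines, internal=INTERNAL):
    """Map each internal source to the sorted external hosts it was denied reaching.
    Inbound drops (external source) are ignored: that is the scanner noise
    against ports that are closed on the server anyway."""
    out = defaultdict(set)
    for line in lines:
        rec = parse_drop(line)
        if rec is None:
            continue
        src, dst, _, _ = rec
        if ip_address(src) in internal and ip_address(dst) not in internal:
            out[src].add(dst)
    return {src: sorted(dsts) for src, dsts in out.items()}


def suspicious_sources(lines, min_dests=3):
    """Internal hosts denied egress to at least min_dests distinct external hosts:
    a server that should never talk out, yet keeps trying, is the interesting entry."""
    summary = egress_summary(lines)
    return sorted((src, len(d)) for src, d in summary.items() if len(d) >= min_dests)


if __name__ == "__main__":
    print(evaluate("10.0.0.5", "203.0.113.10", "TCP", 443))   # proxy may leave
    print(evaluate("10.0.0.17", "203.0.113.10", "TCP", 443))  # server may not
    print(egress_summary(SAMPLE_LOG))
    print(suspicious_sources(SAMPLE_LOG))
```

The single workstation that tried 198.51.100.9 directly is most likely a proxy misconfiguration; the host that was denied four different external destinations within a minute, including DNS to an outside resolver, is the kind of entry the diary means by firewall logs "tripping the scale".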
Agreed. His article made little sense. How many times have vendors introduced "old" vulnerabilities like LAND and Smurf into new systems? Or unpatched something? His RDP reasoning was bad. Everyone he knows applied the patch. What about the bad guys who knew about it long before it was patched? What about the people who didn't apply the patch?

In his rebuttal column he said if we get rid of the browser most successful attacks go away. Sure, Roger. Let's turn off the Internet as well. Then we can keep the browsers.

He sounds like an anachronism from the old Jericho Forum. Why would you ever think you could rely on 100% of clients being fully patched and properly configured 100% of the time?
Anonymous

140 Posts
I read that article yesterday as well and was SHOCKED to see that was his position!! While I agree that the firewall doesn't protect the gooey center...it still does provide a nice hard layer on the outside. Esp from the automated script recon/attacks.

Also there are a few things a firewall can help defend against which may not even have a built in firewall (printers, IP cameras, TVs, etc)

I wonder if he practices what he preaches and leaves his home internet connection wide open to the world? ;-)
K-Dee

42 Posts
How about blocking China's 123.0.0.0/8 - that got rid of about 5 percent of the logs right there.
Anonymous

6 Posts
I don't think Roger's article was "wrong". I think it made good points, and I don't agree with the conclusion for the most part. But I think we need to question old assumptions from time to time and he did so in a nice and thoughtful way.

The issue with "defense in depth" as far as the scope of this post is concerned is not that firewalls do not provide "defense in depth". Instead, that argument doesn't contribute to this particular discussion.


Dr. J

1653 Posts
ISC Handler
"Firewall" is too broad of a term to use as the basis for a conversation about getting rid of something. Anything that doesn't listen on every port as soon as it's connected to a network has a firewall of sorts. People here are going to think of standalone inline firewall devices and firewall rules inside of routers. The articles seem to be ranting about annoying firewall software on client computers.

Also, he claims that our mobile devices and TVs will never have firewalls, but since most of this stuff is linux/unix based now they already do have firewalls and only lack methods for end user configuration. This would seem to be a good thing, since we still have firewalls but have learned to configure them in ways that are not angering users anymore while still providing some level of security.

Defense in depth is hugely relevant to the argument as well. If everyone owns 5 guns and puts a gun lock on one of them the rate of accidental shootings probably won't drop much at all. That doesn't mean the gun locks don't work, it means you need to do something about the other 4 guns.
Anonymous

11 Posts
Why would anybody lock their guns? ;-) I wasn't saying that FW don't work as Defense in Depth. I am saying everything, including firewalls, work as defense in depth, so it doesn't provide a differentiator for this discussion.
Dr. J

1653 Posts
ISC Handler
Before long, the regular firewall will just be part of an IPS or layer 4 filter anyway. Why would the vendors sell us 6-shooters when they can make more money by selling us F-22's?
John

43 Posts
His position is simply wrong.

Without a firewall it's a race between your patch management policy and implementation procedures and every hacker in the world on patch day. They already know what ports are reachable and what services are running. Maybe they don't have a working exploit. But a new vulnerability is announced by the vendor on patch day, and the clock starts ticking. Can you patch all of your systems on Christmas weekend faster than they can create a working exploit?

And that doesn't even touch on the notion of zero days to be used against high profile targets.

There are services running on most systems that you do not want reachable from the internet. And it should go without saying that not every sys admin secures their systems perfectly. That's where the firewall comes in.

The reason most hackers target client software and users is because firewalls prevent them from successfully exploiting systems remotely without user interaction. Taking down the firewall vastly expands the remotely available attack surface.
Anonymous

22 Posts
This debate has gone on forever. Security is a matter of components, compartments and policies.

"Do you have a firewall?" is just one component. How about IDS? How about a comprehensive Anti-virus solution at the perimeter? Do you have a policy that requires checking log files? Do you use any web filtering/Proxy solutions? How about anti-spam? Have you checked your ACL's lately? Reviewed your static routes for NAT? Is there any cruft in your network design or do you review it and make changes on a regular basis?

Inside the network is patch management, AV, Least Privileged User, Encryption, password policies, and on and on. Granted, inside the network is the most problematic place for an IT professional to defend because that is where our end users reside and interact with our networks. Do you have end user education as a part of your security strategy?

I agree that you can't count on a firewall to be a panacea for all of the ills that we face. But it is now, and will for the foreseeable future be, a major component in a comprehensive security solution for any enterprise network. One piece of the puzzle, not the whole enchilada.

We know this, though. On a daily basis we deal with every level of security from the guy behind the keyboard to the VLAN's to the routers to the gateways and the firewalls, etc.

We make sure that if someone does drop something onto our systems that even between services or daemons we have at least SSL connections set up so that all of those communications are secured end to end. Or we should.

Regardless, if we don't have at LEAST a firewall in place with some well defined rules, the rest of the security strategy makes no sense at all.
Anonymous

1 Posts
Now that we all agree that firewalls work, who knows one that can REALLY work in an IPv6 environment? From what I can tell, none actually do very much. IPv4 features are well supported in all firewalls, but IPv6 is almost non-existent.
Al of Your Data Center

77 Posts
We need firewalls to do layer 3 & 4 filtering and logging. Above layer 4, the difference between firewalls and other network security technologies becomes blurred and their capabilities are up for debate...
Anonymous

1 Posts
A point which Johannes touches on but I always think is overlooked by the anti-firewall camp (or anti-any old school device which doesn't protect against modern attacks) is what will happen when you take them out. Yes, all modern attacks are phishing/against applications/etc so layer 3/4 filtering devices are no longer necessary. So everyone take them out and watch how fast attacks revert back to where they used to be. As he says, the fact they aren't seen as important any more is a testament to their effectiveness.
Anonymous

4 Posts
One point to add. It's not that all modern attacks are more sophisticated/socially-engineered, it's that we have become numb to the normal network attacks that have never stopped. The reason they are not on our radar so much anymore is because of good firewalling...

It's the same old attitude of not wanting an army because you haven't been invaded, when it's the reason you haven't been :)
Anonymous

8 Posts
What we have here is a classic case of operations (in this case making money) versus security. It's an age old tale that we all have been dealing with since the beginning of time. Or at least since the dawn of the information system. Executives, who are worried about their bottom line, want a silver bullet that will protect them from the insider threat (read ignorance of users). If they didn't have to spend money on creating a security education program to make their employees aware of the dangers of the interwebs and the many nefarious utilizing this vast expanse of a tool, think of all the money they would now have at their disposal. Executives salivate at that prospect. Let's face it, as security practitioners, engineers, gurus, experts, etc. we aren't cheap. We add overhead to a budget that is already tight and it's hard to see the ROI on something that doesn't contribute to the bottom line.

What these executive types fail to realize is that we are in the business of preventative maintenance (i.e. preventing them from losing money, preventing them from having to testify before Congress, preventing negative publicity). But a lot of times, due to budget constraints, we are dealing with reactive measures to counteract the bad that has occurred on our networks. I think what it really comes down to is educating these upper level management individuals on what exactly our security benefits are, and using what they understand best to do so. I'll give you a hint, MONEY!!! This is what these individuals understand as this is what they are most concerned with at the end of the day. How much is coming in, how much is going out, which programs are good investments and which are sucking the company dry. Since security really doesn't bring anything to the table (as far as money goes, unless you're a security vendor yourself), it is constantly taking from the table.

So executives are constantly going to be looking for the silver bullet, the magic pill cure all, that only exists in fairytales. And until we as a security community can come up with an effective way to put our security issues/concerns in terms these individuals can understand we are going to be constantly fighting the same battles and listening to individuals pontificate about how certain security implementations aren't needed, when in fact, much like the firewall, they are. We'll get there. It just takes a group effort pushing toward the same goal.
Anonymous

2 Posts