Advancing Firewall Evils to 10-Tuple

When I first started working with firewalls some 18-odd years ago, the revolution of “stateful inspection” was just starting to take hold. The explosion of Internet bandwidth (laughable now) to DS3-type speeds was driving everyone away from the proxy solutions they had in place to this awesome new security device.

All firewalling concepts were geared to the 5-tuple, situating the firewall firmly in the L4 space, but even then the market leaders defied that definition. Anyone who tried to pass active FTP without the proper CRLF formatting in the command channel was painfully aware of just how far up the stack the “L4 firewall” could go.
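To make the 5-tuple and the “how far up the stack” point concrete, here is a small added illustration (my own constructed code, not anything from the original post): a toy stateful filter that keys its connection table on the L4 5-tuple, admits reply traffic by state rather than by rule, and, for FTP control connections, reads the command channel for a well-formed `PORT` line so it can open a one-shot pinhole for the active-mode data connection. The class names, addresses, rule set and the `demo()` scenario are all assumptions made for the example; a `PORT` line that is not CRLF-terminated is simply ignored, which is the behaviour the paragraph above describes.

```python
import re
from dataclasses import dataclass

# Constructed illustration (not the post's code): a toy stateful filter that
# matches on the classic 5-tuple and, for FTP control connections, reads the
# command channel to open a one-shot "pinhole" for the active-mode data
# connection. Class names, addresses and rules are made up for the example.


@dataclass(frozen=True)
class Flow:
    """The L4 5-tuple a stateful firewall keys its connection table on."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reverse(self) -> "Flow":
        # The reply direction of the same connection.
        return Flow(self.proto, self.dst_ip, self.dst_port, self.src_ip, self.src_port)


@dataclass(frozen=True)
class Rule:
    """Static allow rule; '*' wildcards a field."""
    proto: str = "*"
    src_ip: str = "*"
    dst_ip: str = "*"
    dst_port: object = "*"

    def matches(self, f: Flow) -> bool:
        pairs = ((self.proto, f.proto), (self.src_ip, f.src_ip),
                 (self.dst_ip, f.dst_ip), (self.dst_port, f.dst_port))
        return all(want == "*" or want == have for want, have in pairs)


# RFC 959 PORT command: h1,h2,h3,h4,p1,p2 terminated by CRLF. A line that is
# not CRLF-terminated does not match and is therefore not acted on.
PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n\Z")


class StatefulFirewall:
    def __init__(self, rules):
        self.rules = list(rules)
        self.established: set[Flow] = set()  # forward direction of allowed flows
        self.pinholes: set[Flow] = set()     # one-shot openings created by the FTP helper

    def allow(self, f: Flow, payload: bytes = b"") -> bool:
        """Decide one packet; returns True if it is permitted."""
        if f in self.established:             # forward packet of a known flow
            self._ftp_helper(f, payload)
            return True
        if f.reverse() in self.established:   # reply traffic: allowed by state, not by rule
            return True
        if f in self.pinholes:                # the data connection the helper predicted
            self.pinholes.discard(f)
            self.established.add(f)
            return True
        if any(r.matches(f) for r in self.rules):
            self.established.add(f)
            self._ftp_helper(f, payload)
            return True
        return False

    def _ftp_helper(self, f: Flow, payload: bytes) -> None:
        """Inspect an FTP control channel (client -> server, port 21) for PORT."""
        if f.proto != "tcp" or f.dst_port != 21:
            return
        m = PORT_RE.match(payload)
        if m is None:
            return  # not a well-formed, CRLF-terminated PORT line: no pinhole
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        client_ip = f"{h1}.{h2}.{h3}.{h4}"
        if client_ip != f.src_ip:
            return  # refuse to open a hole toward a third party
        self.pinholes.add(Flow("tcp", f.dst_ip, 20, client_ip, p1 * 256 + p2))


def demo() -> dict:
    """Walk through the scenario with constructed addresses; returns each decision."""
    fw = StatefulFirewall([Rule(proto="tcp", dst_ip="10.0.0.5", dst_port=21)])
    client, server = "192.0.2.10", "10.0.0.5"
    ctl = Flow("tcp", client, 40000, server, 21)
    data_ok = Flow("tcp", server, 20, client, 40001)   # 156*256 + 65 == 40001
    data_bad = Flow("tcp", server, 20, client, 40002)  # 156*256 + 66 == 40002
    return {
        "ssh_denied": not fw.allow(Flow("tcp", client, 50000, server, 22)),
        "ftp_control": fw.allow(ctl),
        "ftp_reply": fw.allow(ctl.reverse()),
        "data_before_port": fw.allow(data_ok),
        "port_crlf": fw.allow(ctl, b"PORT 192,0,2,10,156,65\r\n"),
        "data_after_port": fw.allow(data_ok),
        "port_no_crlf": fw.allow(ctl, b"PORT 192,0,2,10,156,66\n"),
        "data_after_bad_port": fw.allow(data_bad),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:22} {decision}")
```

The data connection from the server's port 20 is denied until the helper has seen a properly formatted `PORT` line on the control channel; with a bare LF it never opens, which is exactly the symptom an operator troubleshooting active FTP through such a device would have hit.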
Of course, back then you made a good living knowing how to turn those security features off (probably not selectively) so you could make the network work again. Now, we’re all trying to figure out how to program the network properly so we can exert control over the 10-tuple, which eliminates the need for stateful inspection, right?

The answer to the question requires some thought regarding basic concepts. I start with wondering: “Why does the network exist? What’s its purpose?” For me, the answer is that the network provides nothing in and of itself; it exists to supply services to the users of those services. With that in mind, we can start by wondering just what it is the firewall does for us.

Some past thought patterns would be that the firewall:

• Stops users from consuming unauthorized services (SSH, for example) – which seems like something the service should do, right? If my network can manage flows, why can’t my service manage who consumes those services?

• Prevents bad actors from exploiting misconfigurations and vulnerabilities on the network and overlying services – but isn’t the network intelligent enough to protect itself and the services that ride on top of it?

For me those are all good reasons for the existence of the firewall, but not quite succinct enough. I think the firewall exists to manage and filter what would otherwise be (or has been) unmanageable.

There’s always been a “better way” to secure your services: fix your vulnerabilities and deploy host or service-based security. But how is that working out at the enterprise scale? The firewall has always been a necessary evil. Should we need it? No. Must we have it? Yes.

In conclusion, I don’t think the firewall is going away. Rather, it will be something different than what we know today.

It may not be a network device, but rather something that exerts control over the network. It may even have a different name, and we may even be able to discard our “burning brick wall” icons. It must have certain features that give it modern relevance – identity management/enforcement and service awareness – but that whole line of thought is a blog post in and of itself.

It is a point of trusted enforcement in our network – a necessary evil – that we will continue to rely on as part of our “next-next generation” security environment.
