Several articles and blogs (here, here and here) recently have questioned whether or not one needs a firewall in order to be secure anymore. In fact some have even said that more than not helping, firewalls can actually hurt as they represent a bottleneck in the network. So has time passed the firewall by? What if any role should firewalls play in today’s network?
Of course there have been some who have said that the perimeter firewall is obsolete for some time. The Jericho Forum position on the perimeter for instance is a perfect example. While others may think that the Jericho Forum is too radical, they have built their case.
When you think about it, the firewall doesn’t really cover the CIA basics of security. It doesn’t solve confidentiality like encryption or passwords (setting aside the VPN function of a firewall), it doesn’t solve integrity and it doesn’t solve accessibility (in fact it specifically denies access as its primary job duty). So what does the firewall do then?
To me the firewall’s function is best described as: limiting risk. The purpose of the firewall is to limit how much “attack surface” you have to worry about securing. Save yourself some work, avoid the pain of mistakes, prioritize effort and reduce the visible attack surface to attackers. Summing it up, it is having a lower risk profile if you will.
In fact, every “accept” rule in the firewall is a breach waiting to happen. Meaning you have to very diligently manage the exposed service: keep patches up to date, monitor for application layer attacks, monitor for signs of a breach, and implement some compensating control. Every one of these options has an associated cost attached to it. Your firewall is a way of limiting this cost and expense by limiting the risk. That way, when the IT department stands up a new server sans the latest patches and leaves it in the default configuration, it doesn’t put your entire network at risk.
Of course, I am just scratching the surface of the full capabilities of modern-day firewalls from protocol enforcement, activity logging, application awareness filtering, IPS capabilities, VPNs and more. These additional capabilities further enhance the value of the firewall. But even the most basic, fundamental purpose of the firewall, controlling access, continues to play an important role in the security of the enterprise.
However, if controlling access remains a valuable role for the firewall, then it is obvious that configuring the firewalls to control the correct access is critical. This remains a challenge today, affected by the speed at which business moves and the complexity of the enterprises the firewalls protect. Without effective firewall management, it may be that some of the naysayers are right; you might be better off without a firewall. We will explore what makes for effective firewall management and the evolving role of the firewall in future posts.