Are Firewalls Dead? Not by a Long Shot - But We Need to Make Some Changes

You hear about network boundaries being gone so much that it’s easy to start thinking firewalls are dead. But exploit after exploit shows that just the opposite is true. Here are three examples:

  • BlueKeep and DejaBlue demonstrate that protocols like RDP have no business being exposed directly to the Internet.
  • Lateral movement exploits like that in the Equifax debacle show that more segmentation is needed so that a single unpatched server doesn’t result in your most important database going up in smoke
  • The Capital One data breach shows that cloud resources need firewall protection too – not just on prem

Most web applications are now really two applications in one. 1) The single page or progressive app runs on the client with all its source code in the clear text for bad guys to pursue and 2) the application API that goes between the client and back-end servers. But that can just easily become an API for the bad guys.

And don’t get me started on IaaS storage accounts like AWS S3 buckets. Something no one is talking about much with hacks like the Capital One breach is: why are corporate datastores accessible from the web in the first place? That may be the default when you create a storage account in the cloud, but it doesn’t have to be that way. When you create cloud resources you can limit them to be accessible to only other resources within the same tenant, to specific virtual networks in the cloud. To rely simply on cloud IaaS authentication as the only thing between the Internet and a corporate datastore is wrong on so many levels. First, developers will always take shortcuts if allowed and in the cloud that means using static, hard-to-protect storage keys. But beyond that, all it takes is one mistake – like the WAF misconfiguration in the Capital One breach. It’s all about defense-in-depth.

Putting everything in the cloud and not designing network security into the architecture is like taking your on-prem network and putting all your storage arrays and servers on the Internet and expecting each device and system to defend itself.

In this webinar, we will look at network security and the evolving role of the firewall. First, we will discuss the two overall classes of firewalls:

  • Traffic policy enforcement points
  • Full-stack next-gen / deep-packet-inspection firewall products

Those two categories may cause you to widen your scope as to what constitutes a “firewall” because by #1’s definition, anything with a network ACL is a firewall. That means routers, switches, access points on prem and then in the cloud, it brings into scope network security groups and cloud resource endpoints.

It’s an important distinction because what we need are more enforcement points and more granularity in policy. That’s the whole premise behind the holy grail of zero trust and microsegmentation.

But with more firewalls and more rules on them, we risk making the #1 problem with firewalls even worse: misconfiguration.

Just released, FireMon will review their 6th annual State of the Firewall report. This year’s report is highly illuminating and will reinforce many of my key points.

One such example shows 36% of respondents stated that firewall misconfigurations account for 10-24% of approved changes that require rework!