“The firewall is dead”, “Data is the new perimeter”, “Cloud will make the firewall obsolete” – these are just some of the quotes you hear now and again within the information security community. But I would like to counter them with a quote adapted from (renowned cybersecurity expert) Mark Twain – “The reports of the firewall’s death have been greatly exaggerated”.
Any security pro will rightly tell you that firewalls do not provide sufficient defense in today’s threat landscape. But, as I argued in a recent article for SC Magazine, firewalls are more relevant to security today than ever before. Here’s why.
#1 The Basics Matter
Despite the media hype around APTs, most successful attacks exploit known vulnerabilities. Advanced network security technologies such as sandboxing and IPS are important elements of a defense-in-depth strategy, but limiting the attack surface (the "attack aperture"), which is a firewall's core function, still contributes greatly to your security posture.
I like comparing the firewall to the basic lock on your door. You may decide, based on the threat landscape and the value of the assets in your house, that your front door lock is not enough to stop attackers, and therefore choose to install an alarm system and a safe. But does this mean that you leave your front door open and not lock it when you leave the house? I would hope not.
#2 Segmentation is Key
Determined attackers have a good chance of breaking your defenses and gaining access to your network, which is why network segmentation is so important in limiting the lateral movement of attackers once they are in. The firewall is the ideal device for network segmentation (VLANs only separate broadcast domains; without a filtering device between them they enforce no policy, so for those of you segmenting using VLANs alone, may the gods of good fortune be with you). In fact, with modern firewalls including so many additional capabilities beyond just... well... firewalling, some people, like our good friends at Forrester Research, have opted to call them "Network Segmentation Gateways".
Segmentation has become so strategic that the buzzword du jour is micro-segmentation. At its extreme, it involves a (virtual) firewall on every server in the data center which segments it from all other servers. This really means adding more firewalls (the same ones that are supposedly not relevant anymore, remember?) that need to be managed, and more rules per firewall that need to be kept consistent with the intended segmentation. Which is why I feel the success of these initiatives relies heavily on the ability to automate security policy management.
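To make the automation point concrete, here is an added example (written for this post; it is not AlgoSec's product logic or any vendor's algorithm) of the simplest useful policy check: evaluate an ordered, first-match rulebase against representative hosts in each zone and flag every permitted flow that the intended segmentation does not allow. The zones, ports, intended policy and both rulebases are constructed for illustration.

```python
"""Check a firewall rulebase against an intended segmentation policy.

Added example, not code from the original post or from any product.
Zone addresses, probe ports, intended flows and the rule sets below are
all constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    src: str            # CIDR or "any"
    dst: str            # CIDR or "any"
    dport: Optional[int]  # None means any destination port
    action: str         # "allow" or "deny"

    def matches(self, src_ip: str, dst_ip: str, dport: int) -> bool:
        return (_in(src_ip, self.src) and _in(dst_ip, self.dst)
                and (self.dport is None or self.dport == dport))


def _in(ip: str, cidr: str) -> bool:
    return cidr == "any" or ip_address(ip) in ip_network(cidr)


def decide(rules: list[Rule], src_ip: str, dst_ip: str, dport: int) -> str:
    """First-match evaluation with an implicit final deny, as most
    firewalls do it."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, dport):
            return rule.action
    return "deny"


# Constructed: one representative host per segment.
ZONES = {
    "web": "10.1.0.10",
    "app": "10.2.0.10",
    "db": "10.3.0.10",
    "corp": "192.168.10.10",
}

# Constructed intended segmentation: the only zone->zone flows that
# may be allowed, and on which port.
INTENDED = {
    ("web", "app", 8443),
    ("app", "db", 5432),
    ("corp", "web", 443),
}

# Ports worth probing: admin, web, database and the intended app port.
PROBE_PORTS = (22, 443, 3389, 5432, 8443)


def find_violations(rules: list[Rule], zones=ZONES, intended=INTENDED,
                    ports=PROBE_PORTS) -> list[tuple[str, str, int]]:
    """Return every (src_zone, dst_zone, port) the rulebase permits
    that the intended policy does not."""
    violations = []
    for src_zone, src_ip in zones.items():
        for dst_zone, dst_ip in zones.items():
            if src_zone == dst_zone:
                continue
            for port in ports:
                permitted = decide(rules, src_ip, dst_ip, port) == "allow"
                if permitted and (src_zone, dst_zone, port) not in intended:
                    violations.append((src_zone, dst_zone, port))
    return sorted(violations)


# Constructed rulebase. Rule 2 is the "temporary" any-port allow that
# accumulates in hand-managed rulebases and silently breaks segmentation.
RULES = [
    Rule("192.168.10.0/24", "10.1.0.0/16", 443, "allow"),
    Rule("10.1.0.0/16", "10.2.0.0/16", None, "allow"),   # too broad
    Rule("10.2.0.0/16", "10.3.0.0/16", 5432, "allow"),
    Rule("any", "any", None, "deny"),
]

# Same rulebase with rule 2 narrowed to the intended port.
HARDENED_RULES = [
    Rule("192.168.10.0/24", "10.1.0.0/16", 443, "allow"),
    Rule("10.1.0.0/16", "10.2.0.0/16", 8443, "allow"),
    Rule("10.2.0.0/16", "10.3.0.0/16", 5432, "allow"),
    Rule("any", "any", None, "deny"),
]

if __name__ == "__main__":
    for name, rules in (("current", RULES), ("hardened", HARDENED_RULES)):
        print(name, find_violations(rules) or "no violations")
```

Run against the constructed "current" rulebase, the check reports that web hosts can reach the app tier on 22, 443, 3389 and 5432 in addition to the intended 8443; the hardened rulebase reports nothing. Running this on every rulebase change, rather than eyeballing rules, is the kind of automation that keeps a micro-segmented data center from degrading back into a flat network.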
#3 A firewall by any other name would filter just as many packets
The fact remains that the need for basic filtering of network traffic has not gone away.
"Next-Generation" firewalls include a slew of advanced features such as application and user awareness, intrusion prevention, URL filtering and sandboxing, but the core "old-generation" firewalling functionality, in case you wondered, is still there.
#4 The numbers don’t lie
Depending on which analyst market research you go by, the firewall market boasts a 7-10% annual growth rate. Impressive growth for a multi-billion-dollar, 20-year-old market.
And I would like to leave you with one last number: as part of my role at AlgoSec, I am fortunate enough to discuss network security with hundreds of companies, including many of the Fortune 50. How many of these companies have plans to root out their firewalls because they are no longer relevant? You guessed it: none. Zero.
Pretty impressive for a supposedly dead technology!