Today, InfoWorld posted an article by Roger Grimes called “Why you don’t need a firewall”. It takes a narrow viewpoint and doesn’t account for how firewall and policy management technology has evolved. If the point of the article was to get a reaction from security professionals, then mission accomplished. I think it serves as an opportunity to examine how firewall technology has evolved (just as threats have) and to hone in on improving the management of security policies. Roger does note that management is a challenge, but instead of using that as a jumping-off point to discuss how to improve processes, he uses it as an excuse to declare the firewall obsolete.
Let’s dig into the two most egregious inaccuracies in the article…
While I agree that many firewalls are “horribly managed”, poor management does not mean we should get rid of firewalls… it means we must make it a point to improve firewall policy management!
- In research that AlgoSec conducted (see the blog on The State of Network Security 2012), we found that poor processes are the greatest challenge when it comes to managing network security devices. This includes time-consuming, manual processes, lack of visibility into the policies themselves and poor change management. Interestingly, the survey also found that out-of-band firewall changes accounted for a system outage more than 50% of the time. Not only do manual, time-consuming processes lead to greater risk, cost, burden, etc., but they also lead to shortcuts, which can have a significantly negative impact on the business.

  What I’d argue we should focus part of this discussion on is how to improve these processes to reduce firewall misconfiguration and policy bloat. IT and security teams should be sharpening their processes for managing firewall changes, so that changes do not introduce new risk and so the organization can remain agile in the face of evolving business demands. Organizations should also be researching and investing in automation solutions to reduce human error (and in turn risk) and improve operations.
- The second statement I take issue with is where Roger writes: “One of the biggest reasons why firewalls don’t matter is how every app and service being developed today works over either port 80 or 443, two ports you can’t and never could block.”

  What about next-generation firewalls (NGFWs)?!?! NGFWs are a technological advance that makes Roger’s point outdated. Sure, a traditional firewall cannot filter advanced “bad” traffic on those ports, because it has no way to define and enforce policy at a finer granularity than the port. NGFWs address this at both the application and user level. So you can have ports 80 and 443 open and still have policies that minimize the risk of these advanced threats by blocking specific applications and users. There’s no question firewalls have a place in today’s network. Just take a look at the latest Gartner Magic Quadrant for Enterprise Network Firewalls or any of the solid financials recently announced by the leading firewall vendors.

  Again, I’d like to focus on the positives of having this discussion. Next-generation firewalls provide more granular control through application- and user-aware policies that address the original article’s concerns. Additionally, AlgoSec’s research also found that while 84% of respondents felt more secure with next-generation firewalls in place, 76% said it added to the burden. So there seems to be room for more evolution, in terms of both technology and process. Instead of focusing on what firewalls don’t do, let’s examine how we can get the clear value from NGFWs without the administrative overhead.
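To make both points concrete (application- and user-aware rules that keep port 443 open while still controlling what rides over it, and the policy-management problems of shadowed rules, any/any rules and out-of-band changes), here is a small added example. It is a toy model written for this post, not AlgoSec’s product code or any vendor’s policy format; the rule names, zones, application identifiers and user groups are all constructed, and it assumes first-match evaluation with an implicit deny at the end, which is how most firewalls behave.

```python
"""Toy NGFW policy model plus a policy audit.

Constructed example: rule names, zones, application ids and user groups are
invented. Rules match on port, application and user group, so port 443 can stay
open while specific applications and users are still denied.
"""
from dataclasses import dataclass
from typing import List

ANY = "any"


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_port: str      # "443", "80", or "any"
    application: str   # NGFW application id (constructed), or "any"
    user_group: str    # identity-aware match (constructed), or "any"
    action: str        # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_port: str
    application: str
    user_group: str


def _fields(rule: Rule):
    return (rule.src_zone, rule.dst_port, rule.application, rule.user_group)


def matches(rule: Rule, flow: Flow) -> bool:
    """A rule matches when every field is 'any' or equals the flow's value."""
    flow_vals = (flow.src_zone, flow.dst_port, flow.application, flow.user_group)
    return all(rv == ANY or rv == fv for rv, fv in zip(_fields(rule), flow_vals))


def evaluate(policy: List[Rule], flow: Flow) -> str:
    """First-match evaluation with an implicit deny at the end of the policy."""
    for rule in policy:
        if matches(rule, flow):
            return rule.action
    return "deny"


def _covers(a: Rule, b: Rule) -> bool:
    """True if every flow matched by rule b is also matched by rule a."""
    return all(av == ANY or av == bv for av, bv in zip(_fields(a), _fields(b)))


def shadowed_rules(policy: List[Rule]) -> List[str]:
    """Rules that can never fire because an earlier rule already covers them.
    These are pure policy bloat and a sign that changes were not reviewed."""
    return [later.name for i, later in enumerate(policy)
            if any(_covers(earlier, later) for earlier in policy[:i])]


def any_any_rules(policy: List[Rule]) -> List[str]:
    """Allow rules matching any port, any application and any user:
    the opposite of the granular control an NGFW is supposed to give you."""
    return [r.name for r in policy
            if r.action == "allow" and _fields(r)[1:] == (ANY, ANY, ANY)]


def out_of_band_changes(approved: List[Rule], running: List[Rule]) -> List[str]:
    """Rules present on the device that never went through change management."""
    approved_set = set(approved)
    return [r.name for r in running if r not in approved_set]


# Constructed approved policy: 443 and 80 are open, but specific apps and users
# are still controlled. The last rule is shadowed by "web-out" (bloat).
APPROVED_POLICY = [
    Rule("block-p2p-over-443", "inside", "443", "bittorrent", ANY, "deny"),
    Rule("contractors-no-file-sharing", "inside", ANY, "file-sharing", "contractors", "deny"),
    Rule("web-out", "inside", "443", ANY, ANY, "allow"),
    Rule("web-out-http", "inside", "80", ANY, ANY, "allow"),
    Rule("staff-https", "inside", "443", "ssl", "staff", "allow"),
]

# The same policy after an "emergency" change made directly on the device,
# bypassing the change process: an any/any allow appended at the end.
RUNNING_POLICY = APPROVED_POLICY + [Rule("temp-fix", "inside", ANY, ANY, ANY, "allow")]


if __name__ == "__main__":
    p2p = Flow("inside", "443", "bittorrent", "staff")
    print("bittorrent over 443 with approved policy:", evaluate(APPROVED_POLICY, p2p))
    print("shadowed:", shadowed_rules(RUNNING_POLICY))
    print("any/any allows:", any_any_rules(RUNNING_POLICY))
    print("out-of-band:", out_of_band_changes(APPROVED_POLICY, RUNNING_POLICY))
```

Running the audit against the running policy reports `staff-https` as shadowed, `temp-fix` as an any/any allow, and `temp-fix` as an out-of-band change; the same audit run before every change, against the approved baseline, is the kind of automated check that turns “horribly managed” into managed.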
Organizations certainly do need firewalls, but they need to have the right type of firewalls in the right spots and they need to stay on top of their firewall policy management.