Is your firewall running? Well maybe you'd better catch...ah never mind, it's an old, unfunny joke.
But seriously, is your firewall doing anything for your security? No, really. With so many of today's attacks coming over port 80, is your firewall providing any defense anymore? Has the firewall outgrown its usefulness and been passed over by a new generation of sophisticated attacks? Well, that is what Microsoft security expert Roger Grimes thinks.
Roger writes for InfoWorld, and back in May he set off something of a firestorm in the security industry when he suggested that firewalls are dead. Ever since, there has been a back and forth over this alleged heresy in the security arena. Roger published a second article on his views where he did a nice job of responding to some of the more reasoned responses to his original article.
Of course people have been proclaiming that security technologies are dead for some time. My friend Richard Stiennon is famous for it. In fact, I asked Richard if firewalls are dead and he said no security technology is dead until he says it is.
But still, the question remains. Have firewalls not kept up with the newest attack vectors? Next Generation Firewalls, you say? Well, according to Roger, while they have certainly sold tons of them, he never sees anyone actually using them. I had a similar experience with Intrusion Prevention Systems (IPS) back in the early days of the switch from IDS to IPS.
So I wanted to dive in here a little bit more. I invited Roger and some friends of mine to discuss just how useful firewalls still are. Joining Roger and me are Jody Brazil, President of Firemon (full disclosure, I do some consulting for Firemon), and Andrew Braunberg, a long-time analyst covering the security space. I should mention that I invited Richard Stiennon as well, but Richard is so busy promoting his new book, Up and to the Right, that we just could not work the scheduling out.
Jody wrote a well-reasoned response to Roger's original piece on the Firemon blog. While he understands Roger's points, he just doesn't agree with them. Firemon works closely with Palo Alto and other NGFW vendors, and his experience is that there are a lot of them in place and turned on. Andrew, being an analyst, says that while Roger has some anecdotal evidence on firewalls, the overall market data just does not bear out his views. In Andrew's research, the first reports of firewalls being obsolete date back to 1996. They certainly weren't obsolete then, and according to Andrew, they are not obsolete now.
My view is that the firewall is a victim of its own success. Yes, we don't see those old-fashioned buffer overflows anymore (for the most part). But maybe that is because firewalls have made them too difficult to succeed. Yes, software is written more toward security now (at least I like to think so) and that helps as well. But overall firewalls have done a great job of thwarting the kinds of attacks they originally were designed for. It is Darwinism at work that the success of firewalls has forced malware creators to be more creative in designing malware that goes around firewalls. And they have done that for sure. But now we have NGFWs that are application-aware and promise to combat this new class of threats. I say remove the firewall and watch how quickly the old threats return.
Jody Brazil makes another point. The role of the firewall is important. It is in many ways all about access control. Even if you don't use it to stop malware, you can still use it to control the flow of data in and out of the network. The cloud represents a whole other class of attack as well. What firewalls will do with that is another story.
We could have probably gone on all night discussing this subject. Maybe we will at a future RSA or BlackHat or some other security conference. But I had to cut this conversation off after about 20 minutes or so. You can listen to it in its entirety below.
I hope you enjoy it and am very interested in what you think. In your opinion, are firewalls dead?
As co-founder and Managing Partner at The CISO Group, Alan Shimel is responsible for driving the vision and mission of the company. The CISO Group offers security consulting and PCI compliance management for the payment card industry. Prior to The CISO Group, Alan was the Chief Strategy Officer at StillSecure. Shimel was the public persona of StillSecure as it grew from start up to helping defend some of the largest and most sensitive networks in the world.
Shimel is an often-cited personality in the technology community and is a sought-after speaker at industry and government conferences and events. His commentary about the state of security, open source and life is followed closely by many industry insiders via his blog and podcast, "Ashimmy, After All These Years" (www.ashimmy.com). Alan is now also a regular contributor to The CISO Group’s security.exe blog and podcast.
Alan has helped build several successful technology companies by combining a strong business background with a deep knowledge of technology. His legal background, long experience in the field, and New York street smarts combine to form a unique personality.
Disclosure: The CISO Group sells a software-as-a-service PCI compliance application called SAQPro. The company is independent and does not represent any other vendor's products as a reseller.