In a previous post on IPS, I made a fairly negative comment on the value that you get from enterprise firewalls in the modern environment. At the time, I said that I was just going to leave that comment hanging and see what happened. Well, precisely no one challenged me on it, which means either that everybody agrees with me, or that most folk were just hoping to avoid me getting on my soapbox for a good howl at the void. If it was number two, you’re out of luck – here I go.
A Brief and Largely Inaccurate History of Network Security
At the beginning of the modern era for all things networky, there was no such thing as “network security”. After all, the user base was so small and specialised that, really, it didn’t make sense to worry about security. Everything was open, and it was a time when everybody shared resources on mainframes as peacefully as hobbits making cider. Most networks were completely self-contained in a small area and consisted solely of LAN technology.
After a while, the utility of mass computing became apparent, and non-academic organisations started looking to harness the power of the network across longer distances. To support this, cheap connectivity was needed that did not require significant investment, and most organisations used the WAN that was already in place: the PSTN. Since the PSTN was available to ordinary people as well, this created a security problem: any wingnut with a modem, a microcomputer and a decent knowledge of how to use them could dial in to a system and abuse it. This still wasn’t a massive issue, and the problem could usually be solved by obscurity and basic security controls such as passwords.
As more businesses and organisations adopted WAN technology, they wanted to be able to connect networks together. At the same time, the US DoD wanted to be able to connect critical defence infrastructure together in a way that would be resilient to attack. Lo, the Internet was born.
The Golden Age of Firewalls
The move to a large-scale WAN such as the Internet, and the connection of separate administrative domains, meant that networks had to be protected from each other. The firewall began as a device that made policy judgements on traffic crossing a network perimeter using nothing more than the 5-tuple:
- Source L3 address
- Source L4 port
- Destination L3 address
- Destination L4 port
- L4 protocol (TCP, UDP and so on)
At first the standard technique was to use a blacklist approach, where “bad” traffic was denied and everything else allowed through. Pretty quickly, it became apparent that this method was asking for trouble, and so most people moved to a whitelist approach, where you define the traffic that you want to traverse the firewall and deny everything else. Modern firewalls apply this approach by default, with an implicit deny statement at the end of all rule bases.
It soon became apparent that statelessness – by which I mean that the firewall did not track outbound connections, so return traffic had to be permitted by explicit, and necessarily broad, rules – was neither efficient nor particularly safe. Now, firewalls will usually operate statefully, and we’re all much happier as a result. Or at least I and everyone I know who’s ever had to manage a firewall rule base is. Then, NAT came along and ruined everything.
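To make the mechanics concrete, here is a toy stateful 5-tuple filter in Python. It is an added example written for this post, not any vendor’s code: the hosts are constructed documentation-range addresses, and the rule bases and the traffic scenario are assumptions. It puts a blacklist rule base beside a whitelist one with the implicit deny, and shows how connection tracking lets a DNS reply back in without an explicit rule. Note that `decide()` never reads the payload; the SQL injection attempt on tcp/443 gets exactly the same decision as a legitimate request would.

```python
from dataclasses import dataclass
from typing import Optional

# Added example for this post: a toy stateful 5-tuple filter. The hosts below are
# constructed documentation-range addresses (RFC 5737), not real systems.
WEB = "203.0.113.10"       # our Internet-facing web server
ADMIN = "198.51.100.5"     # admin jump host
DNS = "198.51.100.53"      # upstream resolver
ATTACKER = "192.0.2.66"


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""   # carried along but never consulted by the filter


@dataclass
class Rule:
    """One rule base entry; a field left as None matches anything."""
    action: str     # "allow" or "deny"
    proto: Optional[str] = None
    src: Optional[str] = None
    sport: Optional[int] = None
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        checks = ((self.proto, p.proto), (self.src, p.src), (self.sport, p.sport),
                  (self.dst, p.dst), (self.dport, p.dport))
        return all(want is None or want == have for want, have in checks)


class Firewall:
    def __init__(self, rules, stateful=True):
        self.rules = list(rules)
        self.stateful = stateful
        self.state = set()      # 5-tuples of flows already permitted

    def decide(self, p: Packet) -> str:
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        if self.stateful and (key in self.state or reverse in self.state):
            return "allow"      # an existing flow, or its return traffic
        for rule in self.rules:     # first match wins
            if rule.matches(p):
                if rule.action == "allow" and self.stateful:
                    self.state.add(key)
                return rule.action
        return "deny"           # implicit deny: nothing matched


def blacklist_firewall(stateful=True) -> Firewall:
    """Deny the known-bad, then let everything else through."""
    return Firewall([
        Rule("deny", proto="tcp", dport=23),    # telnet
        Rule("deny", proto="tcp", dport=445),   # SMB
        Rule("allow"),
    ], stateful)


def whitelist_firewall(stateful=True) -> Firewall:
    """Permit only what we provide; the implicit deny handles the rest."""
    return Firewall([
        Rule("allow", proto="tcp", dst=WEB, dport=443),
        Rule("allow", proto="tcp", src=ADMIN, dst=WEB, dport=22),
        Rule("allow", proto="udp", src=WEB, dst=DNS, dport=53),
    ], stateful)


def run_scenario(fw: Firewall) -> dict:
    """Constructed traffic: a probe, an HTTPS request carrying a SQLi attempt,
    and an outbound DNS query followed by its reply."""
    probe = Packet("tcp", ATTACKER, 40000, WEB, 8080)
    https = Packet("tcp", ATTACKER, 40001, WEB, 443, b"GET /login?user=' OR 1=1-- HTTP/1.1")
    query = Packet("udp", WEB, 51000, DNS, 53)
    reply = Packet("udp", DNS, 53, WEB, 51000)
    return {
        "attacker_to_8080": fw.decide(probe),
        "attacker_to_443": fw.decide(https),
        "dns_query": fw.decide(query),
        "dns_reply": fw.decide(reply),
    }


if __name__ == "__main__":
    for name, fw in (("blacklist", blacklist_firewall()),
                     ("whitelist", whitelist_firewall()),
                     ("whitelist, stateless", whitelist_firewall(stateful=False))):
        print(name, run_scenario(fw))
```

Run it and compare: the blacklist lets the probe to tcp/8080 through, the whitelist drops it, and switching to `stateful=False` drops the DNS reply because nothing in the rule base matches the reverse direction. Both rule bases wave the tcp/443 request through.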
NAT: An Ugly Hack for Ugly Times
I don’t intend to go into how NAT works, or why it was spewed into being. I assume that if you’re reading this, you have a pretty good handle on NAT. Suffice to say that NAT is responsible for 97% of all cases of leprosy in squirrels*. NAT was a hack to get around an ugly truth and designed to avoid us having to confront the fact that we’d built an Internet that was too small.
The problem with NAT is that it breaks things, and the main thing it breaks is the end-to-end principle: the idea that hosts at either end of a connection should be able to communicate directly, without intervening devices rewriting addresses or port numbers or otherwise interfering with traffic. Break that rule and you get all sorts of problems: transport checksums that have to be patched in flight, protocols that carry addresses in their payload (FTP and SIP, for instance) needing application-layer fixups, and IPsec AH, which authenticates the very headers NAT rewrites, failing outright. Other horrors are available.
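The checksum point is easy to see with a few lines of Python. This is an added example for this post, not the author’s code or any real NAT implementation: the packet is constructed and the addresses are private and documentation ranges. It builds a TCP segment, rewrites the source port the way a source NAT would, and shows that the original checksum no longer verifies against the translated source address, because the TCP checksum covers a pseudo-header containing both IP addresses. It then patches the checksum incrementally as RFC 1624 describes and confirms the result matches a full recomputation. The IP header’s own checksum, which the NAT must also fix, is left out.

```python
import socket
import struct

# Added example for this post: a constructed TCP segment and a toy source NAT.
# Addresses are private/documentation ranges, not real hosts.
INSIDE = "10.0.0.7"            # client behind the NAT
OUTSIDE = "203.0.113.1"        # the NAT's public address
SERVER = "198.51.100.80"       # destination on the Internet
PAYLOAD = b"GET / HTTP/1.1\r\n"


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def internet_checksum(data: bytes) -> int:
    return (~ones_complement_sum(data)) & 0xFFFF


def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """The TCP checksum covers this, so it depends on both IP addresses."""
    return socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, tcp_len)


def build_tcp(src_ip: str, sport: int, dst_ip: str, dport: int, payload: bytes = b"") -> bytes:
    """Minimal 20-byte TCP header (PSH|ACK) plus payload, with a valid checksum."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, 0x18, 65535, 0, 0)
    csum = internet_checksum(pseudo_header(src_ip, dst_ip, len(hdr) + len(payload)) + hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def tcp_checksum_ok(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    return internet_checksum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def naive_snat(segment: bytes, new_sport: int) -> bytes:
    """A broken NAT: rewrite the source port and leave the checksum alone."""
    return struct.pack("!H", new_sport) + segment[2:]


def incremental_checksum(old_csum: int, old_words, new_words) -> int:
    """RFC 1624 eq. 3, HC' = ~(~HC + ~m + m'), applied to each rewritten 16-bit word."""
    acc = (~old_csum) & 0xFFFF
    for m, m_new in zip(old_words, new_words):
        acc += ((~m) & 0xFFFF) + m_new
    while acc >> 16:
        acc = (acc & 0xFFFF) + (acc >> 16)
    return (~acc) & 0xFFFF


def ip_words(ip: str) -> tuple:
    return struct.unpack("!HH", socket.inet_aton(ip))


def snat(segment: bytes, old_src: str, new_src: str, new_sport: int) -> bytes:
    """Rewrite the source port and patch the checksum for the new source IP and port.
    (The IP header, which the NAT must also rewrite, is not modelled here.)"""
    old_sport, = struct.unpack("!H", segment[:2])
    old_csum, = struct.unpack("!H", segment[16:18])
    new_csum = incremental_checksum(old_csum,
                                    (*ip_words(old_src), old_sport),
                                    (*ip_words(new_src), new_sport))
    return struct.pack("!H", new_sport) + segment[2:16] + struct.pack("!H", new_csum) + segment[18:]


def demo() -> dict:
    seg = build_tcp(INSIDE, 51234, SERVER, 443, PAYLOAD)
    broken = naive_snat(seg, 40000)
    patched = snat(seg, INSIDE, OUTSIDE, 40000)
    recomputed = build_tcp(OUTSIDE, 40000, SERVER, 443, PAYLOAD)
    return {
        "original_ok": tcp_checksum_ok(INSIDE, SERVER, seg),
        "naive_nat_ok": tcp_checksum_ok(OUTSIDE, SERVER, broken),
        "patched_nat_ok": tcp_checksum_ok(OUTSIDE, SERVER, patched),
        "patch_matches_recompute": patched == recomputed,
    }


if __name__ == "__main__":
    print(demo())
```

The incremental form is what real NAT boxes do, because it only needs the old checksum and the words that changed rather than the whole segment; the catch, and the reason the end-to-end principle matters, is that anything which makes the transport header unreadable or unmodifiable in flight (a TLS-wrapped transport, an authenticated header) leaves the NAT unable to do even this.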
The Modern Firewall
So here we are. At the present time, we have firewalls that break the end-end principle with NAT and filter traffic based on the original network security 5-tuple. Now, I don’t know how many of you actually read your logs (everyone, surely!) but a cursory glance at most rulebases will show that the traffic that is being allowed through a typical firewall falls into one of the following categories:
You may also see application traffic in there on other ports, and perimeter firewalls will be more tightly configured than internal ones, but the point is that most modern firewalls allow little traffic through. This was a good thing back in the old days, because the typical attacker would be scanning for services to exploit, so it made sense to restrict inbound traffic to the ports you actually wanted to provide services on and that absolutely _had_ to be exposed to end users. That worked for a while, until the bad guys realised that all the interesting stuff is on the web server anyway, and – hey – it talks HTTPS, so attack traffic can be tunnelled straight through the permitted port without the firewall ever inspecting it. So the attacker exploits the application (SQL injection or something similar), drops some horrendous payload on your web server, and pivots from there into the rest of your network. Game over – thanks for playing.
A fair proportion of traffic passing through firewalls is encrypted, and the rest is on ports you have to leave open anyway. This means that even if your firewall rules are tight and well documented, most modern attacks will still get through: they arrive on an allowed port, and a device that filters on the 5-tuple has no idea what is inside the session. This is exactly why companies such as Imperva and F5 have been successful in the application firewall space – the modern firewall is essentially a noise filter that stops cretins from attacking you. If the bad guy isn’t a cretin, then your firewall is nothing but a minor speed bump. Although firewalls are L3 devices, they typically have poor routing protocol support, or take a performance hit when you enable it, so they can’t even be used as expensive routers. I might as well chuck the firewalls in the bin and buy a bunch of high-performance routers with a noise filter ACL applied.
Fixing the Firewall
So: your bog-standard enterprise firewall is an expensive, ineffective appliance that can’t even route properly. Now what?
Happily, firewall vendors realise that they risk irrelevance in the network security space unless they innovate, and several have jumped on the “Next Generation Firewall” (NGFW) bandwagon. Definitions differ, but broadly speaking, a NGFW consists of a standard firewall with additional security controls layered on top, such as IPS, application awareness, and potentially content inspection and identity awareness. Depending on your firewall platform of choice, these features may be licensed extras and may have an egregious impact on your firewall’s performance, particularly once you ask the box to decrypt TLS so that the IPS and content inspection actually have something to look at; without that, they see exactly as much of an HTTPS session as the plain firewall did. The vendor also gets to sting you for a signature update subscription, since IPS and content inspection typically rely on signatures. It can be difficult to persuade some security bods of the benefits of turning this kind of functionality on, especially if they have a “one function per appliance” fetish. Stay at it: the benefits of collapsing this functionality into the firewall will tell in the end.
NGFWs can be an appropriate way of getting further value out of an existing investment in firewall platforms, but they can be expensive to buy and implement. As an alternative, you can layer other defences in, such as IPS and application firewalls. If these are combined with a network visibility and aggregation layer, it’s possible to ensure that traffic is automatically redirected to the appropriate tool. You can also look at solutions like host-based IPS on Internet-facing servers to reduce exposure. Whatever else you do, ensure that all your security controls are logging to some form of log management system and that someone is actually analysing the logs.
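Since the advice is to actually read the logs, here is an added example of the sort of first pass a practitioner would run over firewall logs. It is written for this post in Python over a dozen constructed log lines in a made-up `key=value` format; the field names, the `203.0.113.0/24` “public” range and the scan threshold are all assumptions, not any product’s log format. It summarises what is being allowed inbound by destination port, flags sources that probed several denied ports, and then lists where those same sources were let through, which, as above, is exactly the tcp/443 traffic the firewall can tell you nothing more about.

```python
from collections import Counter, defaultdict

# Added example for this post. The log lines below are constructed, in a made-up
# key=value format; the "public" prefix and scan threshold are assumptions.
PUBLIC_PREFIX = "203.0.113."     # our Internet-facing range
SCAN_THRESHOLD = 5               # distinct denied ports before a source counts as scanning

SAMPLE_LOG = """\
2024-03-01T10:00:01Z fw1 action=allow proto=tcp src=198.51.100.20 sport=50001 dst=203.0.113.10 dport=443
2024-03-01T10:00:02Z fw1 action=allow proto=tcp src=198.51.100.21 sport=50002 dst=203.0.113.10 dport=443
2024-03-01T10:00:03Z fw1 action=allow proto=tcp src=198.51.100.5 sport=50003 dst=203.0.113.10 dport=22
2024-03-01T10:00:04Z fw1 action=allow proto=udp src=203.0.113.10 sport=51000 dst=198.51.100.53 dport=53
2024-03-01T10:00:05Z fw1 action=deny proto=tcp src=192.0.2.66 sport=40000 dst=203.0.113.10 dport=21
2024-03-01T10:00:05Z fw1 action=deny proto=tcp src=192.0.2.66 sport=40001 dst=203.0.113.10 dport=23
2024-03-01T10:00:05Z fw1 action=deny proto=tcp src=192.0.2.66 sport=40002 dst=203.0.113.10 dport=25
2024-03-01T10:00:06Z fw1 action=deny proto=tcp src=192.0.2.66 sport=40003 dst=203.0.113.10 dport=3389
2024-03-01T10:00:06Z fw1 action=deny proto=tcp src=192.0.2.66 sport=40004 dst=203.0.113.10 dport=8080
2024-03-01T10:00:07Z fw1 action=allow proto=tcp src=192.0.2.66 sport=40005 dst=203.0.113.10 dport=443
2024-03-01T10:00:08Z fw1 action=deny proto=tcp src=198.51.100.77 sport=40006 dst=203.0.113.10 dport=445
this line is garbage and should be skipped
"""

REQUIRED = {"action", "proto", "src", "dst", "dport"}


def parse_line(line: str):
    """Return an event dict, or None for lines that are not well-formed events."""
    parts = line.split()
    if len(parts) < 3:
        return None
    ev = {"ts": parts[0], "host": parts[1]}
    for kv in parts[2:]:
        key, sep, value = kv.partition("=")
        if not sep:
            return None
        ev[key] = int(value) if key in ("sport", "dport") else value
    return ev if REQUIRED.issubset(ev) else None


def analyse(log_text: str) -> dict:
    events, skipped = [], 0
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            skipped += 1
        else:
            events.append(ev)

    # 1. what the rule base is actually letting in from outside, by destination port
    allowed_inbound = Counter(ev["dport"] for ev in events
                              if ev["action"] == "allow" and ev["dst"].startswith(PUBLIC_PREFIX))

    # 2. the classic attacker: one source probing many ports and being denied
    denied_ports = defaultdict(set)
    for ev in events:
        if ev["action"] == "deny":
            denied_ports[ev["src"]].add(ev["dport"])
    scanners = {src: sorted(ports) for src, ports in denied_ports.items()
                if len(ports) >= SCAN_THRESHOLD}

    # 3. where those same sources were let through: the firewall's record ends here
    #    and says nothing about what they did on that port
    allowed_from_scanners = [(ev["src"], ev["dport"]) for ev in events
                             if ev["action"] == "allow" and ev["src"] in scanners]

    return {
        "skipped_lines": skipped,
        "allowed_inbound_by_dport": dict(allowed_inbound),
        "scanners": scanners,
        "allowed_from_scanners": allowed_from_scanners,
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(key, value)
```

The third result is the one worth acting on: the firewall has told you that a host which just walked five of your closed ports was then permitted to tcp/443 on the web server, and the only place you will find out what it did there is the web server, WAF or IPS logs. If those are not in the same log management system, the trail goes cold at the firewall.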
Firewalls are the Network’s AV
And by that I mean: still necessary, but largely useless. It would be a brave company indeed that went completely without firewalls of any sort, but the value that we, as security professionals, get out of them is rapidly diminishing. As NGFWs and other platforms add capability, we’ll slowly move away from the firewall as a technology in its own right, but for now, we’re stuck with the stupid, broken things.
* This is categorically not true – but it should be.