The other day the Director of Engineering at my new job asked me why we install firewalls. He admitted that he already had an answer, but that he wanted me to document it for all the network engineers who frequently asked him this question. The problem is that I’ve been asking myself the same thing for a few years now. At first, the only response I could think of was, “Because of the checkboxes,” and almost sent him this:*
But I don’t think that’s what he really had in mind. Then I brought up the discussion with a friend at my old job, sarcastically proclaiming, “Firewalls are no better than speed bumps.”
Because of my antipathy for firewalls, the question and my offhanded remark sent me down a mental rabbit hole as I tried to work out why it continued to bother me. Like my first love, firewalls have left me disappointed over unfulfilled promises. Vendors arrive at your enterprise, frighten you with phrases like Advanced Persistent Threat, then dazzle you with their Next Generation Technology and location in the Magic Quadrant. But once you deploy the technology, you find out what happens when you try to turn on all the nifty features that are supposed to protect you. The published line-rate becomes a fantasy or you end up breaking applications. You also discover that firewalls aren’t all that difficult to bypass anyway. “Hey Harry Potter, where’s the magic in that quadrant?”
Good network engineers spend countless hours designing infrastructures to optimize speed and minimize latency, but then the security engineer rides in on his short bus throwing in a big, expensive choke-point telling everyone, “It’s for compliance!” This infuriates the network engineers who have to make unicorns puke rainbows in order to overcome the limitations of said security appliance. The sysadmins and DBAs are equally frustrated, because of the increased complexity in building and troubleshooting applications. And everyone waxes rhapsodic for those bygone days when the end-to-end principle ruled the internet.
But then I started to think about the original meaning of the term firewall and found the following in the Oxford American Dictionary:
A wall or partition designed to inhibit or prevent the spread of fire. Any barrier that is intended to thwart the spread of a destructive agent.
I experienced a powerful moment of cognitive dissonance, realizing that a firewall isn’t supposed to prevent fire, just keep it from spreading. It’s really about containment. Maybe the problem isn’t in the technology, but in our expectations. We don’t install locks thinking they are completely burglar-proof any more than we believe that a house built to code in Southern California will prevent all earthquake damage. So why do we think we can keep the bad guys at bay with some technology? Even the US military, with its massive resources (i.e. our tax dollars), and large security firms can’t. (Yes, RSA, we’re going to talk about you for a very long time, and not in a good way.)
Then I thought about my offhanded comment about firewalls being speed bumps. When I looked that up, I found:
A ridge set in a road surface, typically at intervals, to control the speed of vehicles.
The moral of this blog post is that your firewall was never intended to prevent fires, a.k.a. intrusions. You use firewalls to slow down an attack or keep it from spreading too far into your infrastructure. They’re only part of an overall security strategy, which might include proxy servers, DLP, IDS/IPS and a solid incident response plan. And if you haven’t included remediation of an attack in this plan, then you’re in denial of the inevitable, and what you really want is an airwall. Go unplug your uplink. So, back to the original question: “When is a firewall like a speed bump?” Answer: “When it’s doing its job.”
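To make the containment argument concrete, here is an added example (mine, not part of the original post) that models the same small network twice: once flat, with no internal filtering, and once with a firewall enforcing a default-deny policy between zones that logs every dropped flow. It deliberately assumes the worst, that any service an already-compromised host can reach will also fall, so that the only thing being measured is what the firewall itself buys you. The host names, zones, ports and allowed flows are constructed sample data.

```python
"""Blast-radius comparison: a firewall as a containment boundary, not a fire preventer.

Added example, not code from the original post. Hosts, zones and flows are constructed.
"""
from collections import deque

# Constructed inventory: host -> zone
HOSTS = {
    "web-01": "dmz",
    "app-01": "app",
    "db-01": "data",
    "backup-01": "data",
    "ws-01": "users",
    "ws-02": "users",
}

# Constructed listening services per host (TCP ports)
SERVICE_PORTS = {
    "web-01": {443},
    "app-01": {8443, 22},
    "db-01": {5432, 22},
    "backup-01": {22},
    "ws-01": {445},
    "ws-02": {445},
}

# Constructed allow-list for the segmented design: (src_zone, dst_zone, dst_port).
# Everything not listed is denied, including traffic inside the same zone.
ALLOWED_FLOWS = {
    ("users", "dmz", 443),
    ("dmz", "app", 8443),
    ("app", "data", 5432),
}


def flat_policy(src, dst, port, log):
    """No internal firewall: every host can reach every service, nothing is logged."""
    return True


def segmented_policy(src, dst, port, log):
    """Default-deny between zones; permit only listed flows and log each drop."""
    flow = (HOSTS[src], HOSTS[dst], port)
    if flow in ALLOWED_FLOWS:
        return True
    log.append(f"DENY {src}({HOSTS[src]}) -> {dst}({HOSTS[dst]}) tcp/{port}")
    return False


def blast_radius(start, policy):
    """Return (compromised hosts, firewall log) for an attacker starting on `start`.

    Pessimistic assumption: any reachable service is exploitable. The BFS therefore
    reports how far an intrusion can spread given only the firewall policy.
    """
    log = []
    compromised = {start}
    queue = deque([start])
    while queue:
        src = queue.popleft()
        for dst, ports in SERVICE_PORTS.items():
            if dst == src or dst in compromised:
                continue
            for port in sorted(ports):  # sorted for deterministic log output
                if policy(src, dst, port, log):
                    compromised.add(dst)
                    queue.append(dst)
                    break
    return compromised, log


if __name__ == "__main__":
    for name, policy in (("flat", flat_policy), ("segmented", segmented_policy)):
        reached, log = blast_radius("ws-01", policy)
        print(f"{name}: {len(reached)}/{len(HOSTS)} hosts reachable -> {sorted(reached)}")
        print(f"{name}: {len(log)} denied flows logged")
    for line in blast_radius("ws-01", segmented_policy)[1][:3]:
        print("  ", line)
```

Run it and the flat design gives the attacker all six hosts from a single compromised workstation; the segmented design still lets a chain of exploits walk the tiered path (users to DMZ to app to data), but it stops lateral movement between workstations and keeps the backup host out of reach, and every blocked attempt lands in the log where an IDS or the incident response team can see it. That is the speed bump doing its job: slowing the spread and making it visible, not preventing the fire.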
*No PCI-DSS auditors were harmed in the creation of this meme.