Your Firewall Sandwich Gives Me Indigestion

The other day a discussion came up on a security mailing list regarding the proper method for implementing “defense in depth.” I was horrified to hear that some thought having two layers of firewalls from different vendors achieves this goal, and I responded with the following statement, “Ah, the firewall sandwich: it gives me indigestion.”

I’ve been very clear in my assertion that firewalls aren’t enough protection; they’re only speed bumps in the path of an attacker. They should be considered one element of a holistic security strategy. The Committee on National Security Systems Instruction No. 4009, National Information Assurance Glossary, defines “defense in depth” as,

IA [information assurance] strategy integrating people, technology, and operations capabilities to establish variable barriers across multiple layers and dimensions of networks. Synonymous with security-in-depth.

Organizations seem happy to throw lots of money at technology and operations, but when it comes to the people component, i.e. policies and procedures, they fail miserably. This is the biggest problem with building a layered design. As a security engineer, if I don’t have clear policies as my set of requirements, how am I going to determine the appropriate network segmentation and protections to put in place? I’m not the data owner, I’m only the custodian.

It’s like an architect designing a house without knowing where it’s going to be built or how many people are going to live in it. Even the brilliant, eccentric Frank Lloyd Wright didn’t ignore the requirements. He may have built a house over a waterfall, but his design was still grounded in the existing landscape. In information security, data represents the digital landscape of a company. It has varying levels of value and should be segmented accordingly, with security controls applied and documented. An information classification matrix represents the foundation of any security design.

Consider some of the newer topologies which seek to flatten the network to optimize east-west traffic. What about the impact of the Software Defined Network (SDN), which decouples the logical from the physical? Data classification becomes even more critical when using SDN or IPv6 CALIPSO to create logical segmentation. We’re networking professionals, not psychics, so someone will need to tell us how the traffic is allowed to flow and when security controls will need to be applied.

So the next time you see someone flinging firewall stencils around in a network design, ask for the data classification policy. Because this isn’t supposed to be Cargo Cult Security and there should be a reason to have them there.
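As an added illustration of that last point (example code, not from the article or its author), here is a small review check that treats the classification matrix as the source of requirements: it derives where an enforcement point is needed from the classification delta between zones, and flags any additional firewall that has no documented reason. The zone names, classification levels and links are constructed sample data, and the rule that one firewall per classification boundary is self-justifying is an assumption of this example.

```python
"""Review a proposed design against an information classification matrix.

Assumed model (not from the article): each zone carries the highest data
classification it holds; an enforcement point is required wherever traffic
crosses between zones of different classification; any firewall beyond that
must cite a documented reason, otherwise it is reported as unjustified.
"""
from dataclasses import dataclass, field

# Ordered classification levels, least to most sensitive (constructed sample).
LEVELS = ["public", "internal", "confidential", "restricted"]


@dataclass
class Link:
    src: str
    dst: str
    # One entry per firewall on the link: the documented reason for it.
    # An empty string records a firewall nobody could justify.
    firewalls: list = field(default_factory=list)


def review_design(zones: dict, links: list) -> dict:
    """Return boundaries with no enforcement point and firewalls without a reason."""
    missing, unjustified = [], []
    for link in links:
        a, b = LEVELS.index(zones[link.src]), LEVELS.index(zones[link.dst])
        crosses_boundary = a != b
        if crosses_boundary and not link.firewalls:
            missing.append((link.src, link.dst))
        # The first firewall on a classification boundary is justified by the
        # delta itself; every further one (or any on a same-class link) needs
        # its own documented reason.
        extra = link.firewalls[1:] if crosses_boundary else link.firewalls
        for reason in extra:
            if not reason.strip():
                unjustified.append((link.src, link.dst))
    return {"missing": missing, "unjustified": unjustified}


# Constructed sample: a classic DMZ design with one stacked second-vendor firewall.
ZONES = {"internet": "public", "dmz": "internal", "app": "confidential",
         "db": "restricted", "db_replica": "restricted"}
LINKS = [
    Link("internet", "dmz", ["internet edge"]),
    Link("dmz", "app"),                                   # boundary, nothing enforcing it
    Link("app", "db", ["classification boundary", ""]),  # sandwich layer with no reason
    Link("db", "db_replica"),                             # same class, no firewall needed
]

if __name__ == "__main__":
    print(review_design(ZONES, LINKS))
```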


About Mrs. Y

Mrs. Y is a recovering Unix engineer working in network security. Also the host of Healthy Paranoia and official nerd hunter. She likes long walks in hubsites, traveling to security conferences and spending time in the Bat Cave. Sincerely believes that every problem can be solved with a "for" loop. When not blogging or podcasting, can be found using up her 15 minutes in the Twittersphere or Google+ as @MrsYisWhy.

  • pavketu

    Great article. I’m guessing we’d do real security if we didn’t have firewalls. As an industry, we must quit overselling firewalls.

  • Fernando Montenegro

    I think the article makes a number of interesting points and the soundbite is catchy. I may use it in the future… :-)

    A few points on the rest of the article:
    - I think H Pilkington was spot on when he commented on the ‘firewall like a speed bump article’ of a few weeks ago and I’ll paraphrase one of his points – EVERYTHING is just a speed bump. I agree a 1000% with you that they’re only one piece of a bigger puzzle, but they ARE valuable in, if nothing else, reducing the attack surface and serving as choke points for traffic.
    - Personally, I find the term ‘custodian’ within the context of security engineering to be a bit of a cop-out. Yes, there are ‘data owners’ and ‘custodians’ but in most organizations the security professionals are tasked with providing subject matter expertise to the topic, not merely ‘following orders’. That being said, once the business has made the decision – with input from, among others, the security professionals – the job is to secure things within the context of the business objectives.
    - To me, there are baseline security controls that in practice will end up being implemented regardless of policy nuances. Firewalls (or, more accurately, policy enforcement points) between environments with different security postures/profiles are a great example. If anything else, when discussing connectivity between separate networks, we should be discussing when are firewalls or firewall-functionality NOT needed.
    - Is there a dearth of rigor in documenting decisions/directives related to security? Yes, there is. Should it be addressed? Yes it should. Also, your points about the impact of changes such as IPv6, SDN, … are spot on.
    - I think that more than asking for a ‘data classification policy’ from those firewall-stencil-flingers, we should be having a serious discussion as to what functionality the firewall brings to the overall design. Chances are it really belongs there…

    Again, are firewalls the only thing needed for security? Of course not, but they’re not useless either.

    Respectfully,
    Fernando

  • http://twitter.com/sanjuanswan Jerold Swan

    I used to work with a guy who thought the firewall sandwich to be the single most important feature of a security design. He even tried to get it written into a security policy that all traffic had to pass through at least two firewalls from different vendors. Fortunately he got fired before this was widely implemented, but I still ended up having to disentangle a firewall BLT: a Checkpoint “protecting” an ASA “protecting” another Checkpoint VPN appliance.

  • http://twitter.com/qxam Jason Braddy

    The cargo cult mentality has gone so far that in a previous job we were required to implement a “firewall sandwich” where both layers were identical versions of Check Point. More firewalls == more secure! Of course having all the DMZs inside the sandwich made routing and various other things a lot harder than they needed to be, and not a bit more secure, but it matched the diagram in the standard so the powers that be were happy.

  • tonhe

    Firewall Sandwich security… but, then again, I’ve always used this term to describe 2 sets of load balancers with a firewall in-between…. After all, who says you’re having a white bread sandwich? It’s all about the meat, right? But I digress.

    To steal a quote from F5… “Firewall sandwich” is a term used to describe a load balancing architecture in which redundant firewalls are “sandwiched” between 2 or more pair of load balancers. This design is typically deployed in a DMZ, with both inbound and outbound traffic load balanced across the firewall group, sometimes across multiple VLANs on one or both sides. The basic configuration uses a number of features to manage connections and provide the desired access to the various devices in the backend network.

    • http://twitter.com/MrsYisWhy Mrs. Y.

       Actually, you can actually use the term in both ways. Either with load-balancers or in relation to the old DMZ type of design. I’ve spent a lot of time researching the term.

  • Petter Bruland

    Found this site today, and very happy about it. Thanks for another good podcast. I’m not a Security+ certified person, but my boss is. But I still have to argue that placing an F5 Virtual Server IP in a DMZ does nothing when the server itself still lives on our server LAN. At least here I’m getting somewhere. At my last job, it was standard to have two firewalls from different vendors… One in transparent mode which the owners managed, then an ASA that IT managed. See some trust issues there?

  • http://twitter.com/Hugh_Blair Hugh Blair

    Thanks Mrs.Y – hear, hear!

    Information Security is not a bunch of circuit boards and software. Let’s start from requirements. There are many great process, requirements and policy tools in the Info Sec Swiss army knife out there. Let’s use them and only then move onto the technology solutions. Various jigsaw puzzles of firewalls might form a part of the actual technology design (but only a part).

    At the same time there is a balance to strike: on occasion I’ve come across Info Sec folk (and a few BAs for that matter) who can get so “heady” and “conceptual” that the words “technology investment” are Verboten. I guess there is potential for extremes in either direction.

    Keep up the great work!

  • http://twitter.com/nkrypted Brandon Mangold

    Two thoughts. First, the analogy I use is that firewalls are just screen doors, and as long as you allow port 80 or 443, you are vulnerable. At the end of the day your processes and applications have to be secure. It doesn’t matter what logo your firewalls have if you have insecure processes and applications. If we all had perfectly secure applications and perfectly hardened servers, with total trust in our administrative process, we wouldn’t need ANY security appliances.

    The second thought is that, as technologists, it is our responsibility to work with an organization that has hired us to a) educate them on what they need to provide and b) help them to define what policies they want to place around their assets. Without us shepherding them, the only thing we are going to get is, protect it. Smart organizations realize that there is a cost associated with asset protection that has to be weighed against the value of the assets. Generally, they have no way to estimate the real cost so they just throw money at it and say, protect it!

  • http://entac.net/ Neil Anderson

    While I agree with the premise of the article – namely that a firewall sandwich is not defence in depth – I would argue that it is a valid approach as _part_ of a defence in depth design. That is not to say that all traffic should go through two firewalls, but I think that in environments where it makes sense to have two layers of firewalls, then diversifying between different vendors does no harm.

    Fundamentally, I don’t believe the firewall on its own gives us much in terms of security, other than filtering out traffic that blatantly shouldn’t be there. For me, defence in depth means using a range of technologies – backed up by well-documented and adhered to policies, processes, and procedures. In other words, defence in depth isn’t just about technology, but also people and processes.