Friday, October 07, 2005

Firewalls are dead!!

From SC Magazine http://www.scmagazine.com/news/index.cfm?fuseaction=newsDetails&newsUID=7e41c682-23df-4065-beb3-e7bd85c2284e&newsType=Latest%20News&s=n

The specific comment I want to rant about today is about the death of firewalls...
"At the same event a TippingPoint VP predicted a swift end to firewalls. Gregory Fitzgerald, the IPS company's VP of marketing, argued that the technology would soon be overhauled.
'Who cares if companies are pushing out firewalls now?' said Fitzgerald. 'With more and more technology requiring open ports [such as VoIP] security has to be elsewhere to ensure the networks remain safe.'"


When are these security vendors going to realize that this sort of sound bite does nothing to help security practitioners do our jobs?

There is a nugget of truth in what he says. As modern applications require more and more ports to be open, firewalls become increasingly like Swiss cheese, and that does to some degree decrease their usefulness in protecting that particular application. This is an extension of the old adage "You can't deny what you must permit": anything the firewall has to let through, the firewall cannot protect you from. The adage tells us that you need to apply a defense in depth strategy and protect the server, operating system and application as well, with mitigating controls such as IDS/IPS, server hardening, application monitoring, host based IPS, log correlation, etc.

But this does not mean the firewall is dead. It is still a useful defense mechanism: it prevents attackers from mapping your network, and it provides a first level of defense for the servers and operating systems which house the applications.
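The two points above (a firewall still limits what a remote sweep can learn, but it cannot protect the ports it must permit, so a second layer is needed behind it) can be shown with a small policy simulation. This is an added example and not code from the original post; the rule set (web on TCP 80/443, SIP on UDP 5060, an RTP range of UDP 10000-20000) and the application-layer check (a constructed "reject oversized SIP messages" rule standing in for a real host IPS signature) are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

@dataclass(frozen=True)
class Packet:
    """A minimal packet: protocol, destination port, and an optional payload."""
    dst_port: int
    proto: str
    payload: bytes = b""

@dataclass
class Firewall:
    """Default-deny packet filter with explicit allow rules of (proto, low_port, high_port)."""
    rules: List[Tuple[str, int, int]] = field(default_factory=list)

    def allow(self, proto: str, low: int, high: int = None) -> None:
        self.rules.append((proto, low, high if high is not None else low))

    def permits(self, pkt: Packet) -> bool:
        # Anything not explicitly allowed is dropped.
        return any(pkt.proto == p and lo <= pkt.dst_port <= hi for p, lo, hi in self.rules)

def build_example_policy() -> Firewall:
    """Constructed policy for an Internet-facing app that also carries VoIP (assumption)."""
    fw = Firewall()
    fw.allow("tcp", 80)
    fw.allow("tcp", 443)
    fw.allow("udp", 5060)            # SIP signalling
    fw.allow("udp", 10000, 20000)    # RTP media range: this is the "Swiss cheese"
    return fw

def scan_exposure(fw: Firewall, ports, proto: str) -> List[int]:
    """What a remote port sweep learns: only ports the policy permits are visible.
    Everything else is silently dropped, which is the mapping protection the
    firewall still provides."""
    return sorted(p for p in ports if fw.permits(Packet(p, proto)))

def app_layer_accepts(pkt: Packet, max_len: int = 512) -> bool:
    """Stand-in for a host IPS / application check (assumption: reject SIP
    messages larger than max_len bytes). The firewall never sees this
    decision; it has to permit the port for the application to work."""
    return len(pkt.payload) <= max_len

def defense_in_depth(fw: Firewall, pkt: Packet) -> str:
    """Return the layer that stopped the packet, or 'delivered'."""
    if not fw.permits(pkt):
        return "firewall"
    if not app_layer_accepts(pkt):
        return "host-ips"
    return "delivered"

if __name__ == "__main__":
    fw = build_example_policy()
    print("tcp visible:", scan_exposure(fw, range(1, 1025), "tcp"))
    print("udp ports visible:", len(scan_exposure(fw, range(1, 65536), "udp")))
    print(defense_in_depth(fw, Packet(22, "tcp")))
    print(defense_in_depth(fw, Packet(5060, "udp", b"A" * 1000)))
    print(defense_in_depth(fw, Packet(5060, "udp", b"INVITE sip:x SIP/2.0")))
```

Run it and the point of the post falls out of the numbers: a TCP sweep of the privileged ports sees only 80 and 443, an SSH probe never reaches the host, yet over ten thousand UDP ports are necessarily open for media, and the oversized SIP message sails through the firewall and is only caught by the host-level check. The firewall is still doing useful work; it is just not doing all of the work.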

Guys like this may succeed in selling more of their company's IPS products, but they just make security architects' lives more difficult when application architects say "So and So said firewalls are dead, so we are not going to deploy one in our Internet facing application". Eventually we will get the firewall deployed, but only after wasting a lot of precious time.

Sorry, we are understaffed as it is. We don't need this kind of help.