What’s Wrong with Firewalls?

Apr 02 2008

By Jim Reavis

I am just posting some quick thoughts on our first two Firewall 2.0 Focus Groups; I will have more to say later:

  • Everyone agrees that the firewall as currently constituted is providing minimal value. Everyone has built a ton of “helpers” around it that are doing most of the security work.
  • By and large, there is no visibility into what is leaving the network tunnelled over Port 80. We need reporting that explains what applications are really being used, and by whom.
  • Once an internal PC is “owned”, that outbound Port 80 traffic may be the back channel of an “outside-in” attack, so it isn’t just DLP we are worried about.
  • We need to move from Port/IP Address rules to true Application/User (authenticated/identified/located) rules. Eons ago, ports were supposed to represent applications, but that train left the station a long time ago.
  • Virtualization. We are building the new mainframe, and applications will be communicating through the virtual backplane, so whatever firewall enhancements we make need to secure the backplane, because we can’t force communications out of the virtual mainframe to be managed by network security devices.
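To make the second and fourth points concrete, here is an added example (not code from the original post or from the Firewall 2.0 group) that classifies outbound flows by their first payload bytes instead of by destination port, reports which applications each user is really using, and then contrasts a port-80-only rule with a hypothetical user-plus-application policy. The sample flows, user names and the `POLICY` table are constructed for the illustration; a real engine would look deeper than the first packet, but even this first-bytes heuristic is enough to show TLS and SSH hiding behind Port 80.

```python
from collections import defaultdict

# Constructed sample flows: (user, destination, dst port, first payload bytes).
# All of them are on port 80, so a port-based rule sees them as identical.
SAMPLE_FLOWS = [
    ("alice", "203.0.113.10", 80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n"),
    ("alice", "203.0.113.10", 80, b"POST /api HTTP/1.1\r\nHost: example.com\r\n"),
    ("bob",   "198.51.100.7", 80, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),  # TLS ClientHello on 80
    ("bob",   "198.51.100.7", 80, b"SSH-2.0-OpenSSH_7.9\r\n"),                        # SSH banner on 80
    ("carol", "192.0.2.33",   80, b"\x00\x00\x00\x05\x01\x02\x03"),                    # unidentified binary
]

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")


def classify_payload(data: bytes) -> str:
    """Identify the application from the first bytes of the client's payload.

    This is a deliberately small first-packet heuristic: HTTP request line,
    TLS record header (type 0x16 = handshake, version 0x03 0x0X), SSH banner.
    Anything else is reported as "unknown" rather than silently assumed safe.
    """
    if data.startswith(HTTP_METHODS):
        return "http"
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        return "tls"
    if data.startswith(b"SSH-"):
        return "ssh"
    return "unknown"


def app_report(flows):
    """Count flows per (user, application); the destination port is ignored on purpose."""
    counts = defaultdict(int)
    for user, _dst, _port, payload in flows:
        counts[(user, classify_payload(payload))] += 1
    return dict(counts)


# Hypothetical policy keyed on identified user + identified application (constructed).
# Anything not listed is denied, which is what forces "unknown" traffic into the report.
POLICY = {
    ("alice", "http"): "allow",
    ("bob", "http"): "allow",
    ("carol", "http"): "allow",
}


def decide(user: str, payload: bytes) -> str:
    """User/application rule: allow only the (user, app) pairs the policy names."""
    return POLICY.get((user, classify_payload(payload)), "deny")


def port_only_decide(port: int) -> str:
    """The legacy rule the post complains about: port 80 is 'web', so allow it."""
    return "allow" if port == 80 else "deny"


def flows_missed_by_port_rule(flows):
    """Flows the port rule lets through that the user/application rule would stop."""
    return [
        (user, dst, port, classify_payload(payload))
        for user, dst, port, payload in flows
        if port_only_decide(port) == "allow" and decide(user, payload) == "deny"
    ]


if __name__ == "__main__":
    for (user, app), n in sorted(app_report(SAMPLE_FLOWS).items()):
        print(f"{user:6} {app:8} {n} flow(s)")
    for entry in flows_missed_by_port_rule(SAMPLE_FLOWS):
        print("port rule allowed, app/user rule denies:", entry)
```

Run as a script it prints the per-user application report and lists the three flows (TLS, SSH and the unidentified binary) that a port-80 rule waves through but a user/application rule denies. The design choice worth noting is that "unknown" is a first-class result: the point of the reporting is to surface exactly the traffic the classifier cannot name, not to hide it behind the port number.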

There are several other recommendations I will document later. A few well-meaning people have posted that this focus group idea isn’t worthwhile and that we need to focus on OWASP and securing applications. Guys, I get the importance of that; I did a ton of work for SPI Dynamics for 5 years. However, it isn’t an either/or proposition. Securing apps is crucial, but what about the SSL session from accounting to Bulgaria? Don’t we at least want to try to understand how badly we are owned? It is about layered defenses, and I think giving our network ingress/egress points 20/20 vision is worth at least attempting. No, it’s not just a network problem, but it is a big part of the problem.



Posted by Jim.Reavis on Wednesday, April 2nd, 2008, at 9:07 am, and filed under Articles, Firewall 2.0, Future Forecast.
