Why Firewalls Suck
Of course they don't really suck, but I needed a snappy tagline to make you read this article. What does suck is people who assign strange magical powers to firewalls, with the result that they end up less secure with one than they were without.
Ok, quick quiz. Who remembers Nimda and/or Code Red? I bet a lot of you still do; they both got enough attention in the news. Who thinks that if only their firewall had been set up differently they could have stopped those worms doing the damage they did? I don't know how many of you think that's the case now, but at the time a lot of people certainly believed it.
The belief that a firewall could have stopped Code Red is an example of someone not understanding what a firewall can and cannot do. The other common problem is the misconfigured firewall, which happens all too often when the people setting it up don't understand how it works, or are being pressured to fix something in a hurry. This is still the problem with firewalls, years after they were first introduced and years after I wrote the first draft of this article: people are still unsure what a firewall can and cannot reasonably be expected to do, and they are still letting people who don't know what they're doing set them up. This is why firewalls suck; not because they do a bad job, but because many of the people using them don't understand what the firewall can do for them, and what they still have to do for themselves.
So what can a firewall do?
Firewalls are generally used as gateways to a network, and as
gateways they can inspect incoming and outgoing traffic and either
block its passage or allow it to pass depending on certain rules. These
rules are usually pretty simple, but can be built up to do some complex
things by using combinations of different rules.
So a firewall sitting in front of a Windows-based network will probably be set to block all inbound traffic on the Windows-specific ports (the NetBIOS and SMB ports that file and printer sharing use) in order to stop people examining your network shares; this is the most important function a home firewall performs. It simply blocks all traffic to those ports from entering your network. On a Unix network it will probably be configured to be equally strict about the RPC ports, and so on.
The firewall hopefully also looks at e-mail traffic and blocks all of it except traffic to or from your authorised e-mail server, and probably has very similar rules for web server traffic, FTP traffic, etc. It might do some preliminary checking for those services where it can sensibly do so; e.g. it might do a reverse DNS lookup on the source of incoming mail and reject any connection that fails that test (a crude check, and a legitimate sender with broken reverse DNS will fail it too, but it costs little). Many firewalls these days perform this kind of traffic analysis; the days when you could stick a simple NAT box in front of a network and pretend it was a real firewall seem to be gone. Thank goodness.
Of course all this assumes that the firewall always works correctly, e.g. never has a breakdown or a security issue of its own, and also that the people who set it up know what they are doing and never ever make a mistake, which isn't realistic no matter how good you are. Firewalls are like every other bit of computing kit: they will do exactly what you tell them to do. The important word is 'exactly'. A firewall doesn't know the difference between what you told it to do and what you meant to tell it to do.
The reason I'm labouring this point is that human error is one of the biggest reasons firewalls don't work the way they are expected to. This means you need to hire good people and train them properly to get the best out of a firewall. Training doesn't have to mean an all-expenses-paid trip to a four-week course held in a five-star hotel in Aruba; maybe just getting some good manuals and giving your staff the time to read them will be enough. If you can't afford the firewall plus the training to use it, then you can't afford the firewall at all. Simple. If more people realised this was the case when it came to any service facing the Internet, I am certain that the number of security incidents would drop dramatically.
What a firewall can't do.
So now we know what a firewall can do, let's take a look at what it can't do.
Firewalls can't protect against attacks that don't go through the firewall. Sounds simple, so why do we keep hearing about some company's security being breached by going around the corporate firewall? Surely people must understand this by now?
Many corporations that connect to the Internet are very concerned about proprietary data leaking out of the company through that route. As well they ought to be, but too many think this is their only threat vector. We call these companies 'victims'.
Unfortunately for those concerned, an iPod or USB memory stick, a rewritable CD or even a pen and paper can all be used to steal data or bring malware onto your network (ok, maybe not the pen and paper for the malware!). Far too many people think in terms of "I've got to buy this, some of these, and maybe this, and then I'm secure". That approach might work in the short term but will get found out sooner or later.
You don't buy "security" like buying groceries. You need to understand the business, how it works and what the threats to it are, and to accept that security is about people, not gadgets. Don't think of tools such as firewalls in terms of "What can I block?"; instead think "What is the core of this company? How could it be stolen or copied or otherwise attacked, and how can I protect it?"
Surprisingly
enough, lots of companies that are terrified of Internet connections
have no coherent policy about people taking data away on laptops. Just ask MI5, or Ernst & Young, or Fidelity Investments if having even a single laptop go missing is any kind of problem.
It's silly to build a 6-foot thick steel door when you live in a straw hut, but we do it in IT all the time. Even as you're reading this, people are out there buying expensive firewalls and neglecting the numerous other back doors into their network. For any security gadget or tool to work, it must be part of a consistent overall security system. Your firewall isn't your security policy; it's simply the method by which you enforce that policy on traffic travelling via the route you place the firewall upon.
Firewall policies must be realistic, and reflect the level of security in the entire network. For example, a site with very sensitive systems shouldn't rely on a firewall to protect them; it shouldn't be connecting those systems to the Internet (or even to its normal LAN) in the first place. Separation of systems is a well-known security concept and it galls me to see companies that should know better get caught out like that.
The firewall configuration must reflect your user community's
legitimate needs. If your firewall makes it impossible for people to do
their jobs then either you'll get fired, your company will go bankrupt,
or your users will have to try and work out how to sneak past your firewall,
and as a by-product of simply having to do their jobs they will be
exposing your network to risks. I'm going to take a wild guess that none of the possible outcomes above are what you were aiming for when you installed a firewall.
Another thing a firewall can't really protect you against is physical intrusion or social engineering. Can someone walk into your office and walk out again with a laptop simply by looking as if they belong there? Users who reveal sensitive information
over the telephone are good targets for social engineering: an attacker
may be able to break into your network by completely bypassing your
firewall if he can find a "helpful" employee inside who can be fooled
into giving access to the system.
Firewalls use rules as I've already said. These rules are simple
cook-book type filters that the user sets up and configures. The
firewall analyses traffic and either passes or blocks traffic depending
on what the rules say.
The first problem should therefore be obvious: if you don't set up a rule to deal with a particular situation, what happens when it occurs? Of course any sensible person would configure their firewall so that it blocked everything except the one or two things they wanted to allow; in fact with most firewalls I've seen this is the default behaviour and you have to work hard to screw it up. But nonetheless plenty of people screw it up. Don't ask me how, but they do.
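To make the "exactly what you tell it" point and the default-deny point concrete, here is an added example that is not part of the original article: a first-match, default-deny packet filter in miniature, loaded with the policy described earlier (no share browsing from outside, mail only to the mail server, HTTP only to the web server) and evaluated over a handful of constructed inbound packets. The addresses, ports and the "temporary" rule that breaks the policy are assumptions for illustration, not any real site's configuration.

```python
"""
Added example (not from the original article): a first-match, default-deny
packet filter in miniature, evaluated over constructed sample packets.
Hosts, ports and the "temporary" rule are assumptions for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str     # source address
    dst: str     # destination address
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    action: str                          # "allow" or "deny"
    proto: Optional[str] = None          # None means any protocol
    dst: Optional[str] = None            # CIDR; None means any destination
    dports: Optional[frozenset] = None   # None means any port

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dst is not None and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dports is not None and pkt.dport not in self.dports:
            return False
        return True


def decide(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """First matching rule wins; a packet no rule mentions gets the default."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# Assumed addresses from the documentation range (RFC 5737).
LAN = "192.0.2.0/24"
MAIL_SERVER = "192.0.2.25"
WEB_SERVER = "192.0.2.80"
WINDOWS_SHARE_PORTS = frozenset({137, 138, 139, 445})   # NetBIOS and SMB

# The policy the article describes, most specific decisions first; anything
# not listed falls through to the default, which should be "deny".
POLICY = [
    Rule("deny", dports=WINDOWS_SHARE_PORTS),                                # no share browsing
    Rule("allow", proto="tcp", dst=MAIL_SERVER + "/32", dports=frozenset({25})),
    Rule("allow", proto="tcp", dst=WEB_SERVER + "/32", dports=frozenset({80, 443})),
    Rule("deny", proto="tcp", dports=frozenset({25})),   # redundant under default deny, but explicit
]

# The same intent with one "temporary" rule dropped in at the top in a hurry.
# The firewall does exactly what this says: anything addressed to the LAN is
# allowed before any later rule is consulted.
BROKEN_POLICY = [Rule("allow", dst=LAN)] + POLICY

# Constructed inbound packets from a single outside host.
SAMPLE_PACKETS: Dict[str, Packet] = {
    "smb_probe":   Packet("tcp", "198.51.100.7", "192.0.2.10", 445),
    "mail_to_mx":  Packet("tcp", "198.51.100.7", MAIL_SERVER, 25),
    "mail_to_ws":  Packet("tcp", "198.51.100.7", "192.0.2.10", 25),
    "http_to_web": Packet("tcp", "198.51.100.7", WEB_SERVER, 80),
    "ssh_to_web":  Packet("tcp", "198.51.100.7", WEB_SERVER, 22),   # no rule covers this
}


def evaluate(rules: List[Rule], default: str = "deny") -> Dict[str, str]:
    """Run every sample packet through the ruleset and report the verdicts."""
    return {name: decide(rules, pkt, default) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for label, rules in (("intended", POLICY), ("misordered", BROKEN_POLICY)):
        print(label, evaluate(rules))
    # A default-allow box passes the unlisted SSH connection straight through.
    print("default allow, ssh_to_web:", evaluate(POLICY, default="allow")["ssh_to_web"])
```

With the intended policy only the mail and web packets get through and the unlisted SSH connection is dropped by the default; with the misordered policy every sample packet is allowed, because the broad rule at the top matches first and the carefully written rules below it are never reached. Switching the default to "allow" on the intended policy shows the other failure mode: the explicit denies still hold, but anything nobody thought to write a rule for now sails in.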
Secondly, a firewall can't know about human factors. If it sees a
request to upload files to your FTP server it can't be expected to know
that the person who owns the account being used for the upload is
actually in Aruba on a 4 week course,
without access to the Internet, but they dropped their wallet in the
airport departure lounge and it had a note inside with your webserver
FTP username and password. It also can't know that what is being
uploaded is actually the makings of a porn website instead of your
usual corporate image.
It also can't examine the content of the requests it forwards for intent, at least not reliably and efficiently. It might block the telnet port so that nobody can log into your webserver that way, but when it comes to "proper" web traffic it doesn't know the difference between the legitimate GET request that loads your index page and the GET request this week's brand new Internet worm du jour uses to scan for vulnerable webservers. To the firewall both look like legitimate traffic: it was told to allow HTTP traffic through to the webserver, it sees HTTP traffic, so it forwards it. It has no reliable way of knowing the intent of that traffic.
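Here is an added example, not part of the original article, that shows the same request payloads being seen first by a port filter and then by a naive content check. The request lines are constructed stand-ins shaped like the long-query and path-traversal probes the 2001 IIS worms sent, not captured samples; the port number, path patterns and length limit are assumptions for illustration. The last sample shows why the article says content inspection is not reliable: an overlong UTF-8 encoding of ".." sails past a check that normalises percent-encoding the ordinary way.

```python
"""
Added example (not from the original article): a port-level filter beside a
naive content check, run over constructed HTTP request payloads. The sample
requests are constructed stand-ins, not captured worm traffic.
"""
from typing import Dict, Optional, Tuple
from urllib.parse import unquote

WEB_SERVER_PORT = 80   # assumed: the one port the firewall was told to allow


def port_filter(dport: int, payload: bytes) -> str:
    """What the firewall was told: HTTP to the web server is allowed.
    The payload is never looked at."""
    return "allow" if dport == WEB_SERVER_PORT else "deny"


def parse_request_line(payload: bytes) -> Optional[Tuple[str, str, str]]:
    """Return (method, path, query) from the first line of an HTTP request,
    or None if the payload is not even shaped like HTTP."""
    try:
        line = payload.split(b"\r\n", 1)[0].decode("ascii")
        method, target, version = line.split(" ")
    except (UnicodeDecodeError, ValueError):
        return None
    if not version.startswith("HTTP/"):
        return None
    path, _, query = target.partition("?")
    return method, path, query


def content_check(payload: bytes, max_query: int = 512) -> str:
    """A naive content-aware check: reject request shapes no legitimate
    client of a static site ever sends."""
    parsed = parse_request_line(payload)
    if parsed is None:
        return "deny"
    method, path, query = parsed
    path = unquote(path)   # look through ordinary %xx encoding before matching
    if method not in ("GET", "HEAD"):
        return "deny"
    if ".." in path or path.lower().endswith((".exe", ".ida", ".idq")):
        return "deny"
    if len(query) > max_query:
        return "deny"
    return "allow"


# Constructed request payloads (stand-ins, not captured traffic).
SAMPLES: Dict[str, bytes] = {
    "index":      b"GET / HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    "long_query": b"GET /default.ida?" + b"N" * 600 + b" HTTP/1.0\r\n\r\n",
    "traversal":  b"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n",
    # Overlong UTF-8 for "..": unquote() cannot decode it, so ".." never appears
    # in the normalised path even though a lax server might treat it as "..".
    "evasion":    b"GET /scripts/%c0%ae%c0%ae/boot.ini HTTP/1.0\r\n\r\n",
}


def compare(dport: int = WEB_SERVER_PORT) -> Dict[str, Tuple[str, str]]:
    """For each sample, the port filter's verdict beside the content check's."""
    return {name: (port_filter(dport, body), content_check(body)) for name, body in SAMPLES.items()}


if __name__ == "__main__":
    for name, (by_port, by_content) in compare().items():
        print(f"{name:11s} port filter: {by_port:5s} content check: {by_content}")
```

The port filter allows all four payloads because they all arrive on port 80, which is the article's point. The content check catches the oversized query and the obvious traversal, and still passes the overlong-encoding variant; a check that is good enough to be useful has to understand the target server's decoding quirks, which is exactly the "not reliably and efficiently" caveat.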
Firewalls don't suck, it's just the way we use them.
Too often people talk about firewalls as a magic bullet. They want
to put a firewall in front of their insecure network and hope it makes
the problems all go away. Now obviously, a firewall is a useful piece
of equipment and I would say that everyone with a permanent Internet
connection should consider one, whether it's the home user with a cable
or ADSL connection, or the major business with 300 servers connected to
the Internet.
But we need to be clear about what they can and cannot do. They are
a valuable protective layer between your network and the outside world
when used properly, but they are no substitute for a proper security
plan with all the parts of your network setup to be as secure as
possible.
To go back to Code Red and Nimda, which is where I started: those people who just used a firewall and thought they were secure, instead of bothering to secure their systems properly, found themselves victims of these worms because a firewall does not protect against that kind of attack. Code Red arrived as HTTP requests on port 80, the very port the firewall had been told to let through to the webserver, and Nimda used that route among several others. What would have protected them was a comprehensive patching programme, implemented as part of an overall security policy that included the firewall.
A network is only as secure as its weakest point, and that's
not the firewall, it's the fool who thinks that a firewall is all he
needs.
[yes this is a rewrite / update of an article from the old site]