Firewalls, a history lesson
Recently, a rather high profile software company has been taken to task about its patching strategy.
One of the comments that was made by the customers of this company was basically: "We don't have to worry, all our servers are behind a firewall".
I've got to be honest and wonder why these people that their firewall somehow protects their systems? A firewall is the outside of what is known as "M&M Security" - Hard and Crunchy outside, Soft and Chewy inside. The basic problem with M&M security is that once a bad guy (or worm, or virus, or malware of any form) gets behind the crunchy outside, the game is over.
George Santayana once said "Those who cannot remember the past are condemned to repeat it.". And trusting in a firewall is an almost perfect example of this.
It turns out that there's a real-world example of a firewall that almost perfectly mirrors today's use of firewalls. It's actually quite uncanny in its accuracy.
Immediately after WW1, the French, seeing the potential for a threat from Germany, built a series of fortifications known as the "Maginot Line". These were state-of-the art fortifications designed to protect against most if not all the threats known at the time.
(Image stolen from wikipedia).
From all accounts, the Maginot Line was a huge success. Everywhere the German army engaged the French on the Maginot line, the line did an excellent job of protecting France. But it still failed. Why? Because instead of attacking the Maginot Line head-on, the Germans instead chose to cut through where the Maginot line was weak - the Saar gap (normally an impenetrable swamp, but which was unusually dry that year) and the Low Countries (Belgium and the Netherlands, which weren't considered threats), thus bypassing the protection.
The parallels of the Maginot line and Firewalls are truly eerie. For instance, take the paragraph above, and replace the words "Maginot Line" with "firewall", "French" with "the servers", "German Army" with "Hackers", Saar gap with unforeseen cracks and "Low Countries" with "employee's laptops" and see how it works:
From all accounts, the Firewall was a huge success. Everywhere the Hackers engaged the servers on the line, the firewall did an excellent job of protecting the servers. But it still failed. Why? Because instead of attacking the Firewall head-on, the hackers instead chose to cut through where the firewall was weak - they utilized previously unforeseen cracks (because the company hadn't realized that their WEP protected network was crackable) and the employee's laptops, where the firewall was weak (because the employee's laptops weren't considered threats), thus bypassing the protection.
You should never assume that some single external entity is going to protect your critical assets. If you've got a huge armored front door, I can guarantee that the thieves won't come through the armored front door. Instead, they're going to pick up a rock and throw it through the glass window immediately next to the door and go through it.
I'm not dinging firewalls. They are an important part of your defensive arsenal, and can provide a critical front line of defense. But they're not a substitute for defense in depth. And let's be honest: Not everyone configures their firewall correctly.
If you assume that your firewall protects you from threats, then you're going to be really upset when the bad guys come in through an unprotected venue and steal all your assets.
Thanks to Stephen Toulouse and Michael Howard for their feedback.
Comments
Anonymous
February 02, 2006
For further reading I recommend Bruce Schneier's blog at http://www.schneier.com/blog/ as well as his Cryptogram newsletter at http://www.schneier.com/crypto-gram.htmlSecurity is difficult to get right.Anonymous
February 02, 2006
I think the TSA and Dept of Homeland Security need to hire Larry as a consultant.Anonymous
February 02, 2006
The comment has been removedAnonymous
February 02, 2006
I think wikipedia has disabled hotlinking, but you are still seeing the image because it's in your cache. I got a red cross and had to go the url manually.Anonymous
February 02, 2006
Crud. I'll see what I can do about making the image work all the time.Anonymous
February 02, 2006
Or they could just blackmail an employee for their password.Anonymous
February 02, 2006
FWIW, I see the image.Anonymous
February 02, 2006
Ed Amoroso (Chief Security Officer for AT&T) talked about this very eloquently in a recent podcast for the IT Conversations - Frontline Security series:http://www.itconversations.com/shows/detail965.htmlExcerpt from the show notes:Amoroso recently has advocated a new approach to security. Observing that today's firewall approach to protecting the edge isn't working. Instead, we should implement security in the network. He predicts that within two years, managed DMZs and firewalls will disappear, because "the carrier can do that more effectively and efficiently." Carriers can detect perturbations in the cloud and filter them.Anonymous
February 02, 2006
The comment has been removedAnonymous
February 02, 2006
The comment has been removedAnonymous
February 02, 2006
The comment has been removedAnonymous
February 02, 2006
I realise the firewall is engaged first. But that's the wrong way to look at it. Firewalls, to be useful (else one would yank the network cable out), have holes in them. This means the system must protect itself without relying on the firewall as it may be open for good reason (running a web server or sharing files). Only when a system can go online without a firewall should it be considered for release. Then one puts the firewall on AFTER one is sure it is not needed.XP SP2 does a good job.I accidently (stuffing around with loopbacks and activesynch and UNC paths) spent a month online with no firewall. Nothing happened. This is what should happen (nothing). It keeps the lock pick away from the lock in some circumstances. But that is can't be relied upon as port 80 or 135 may need to be opened. Or the attacker comes in as a client as in browsing to a web site - that web site is allowed in through the wall.So I worry at this emphsis on firewalls and have certainly noticed that many people only configure the firewall.Firewalls are also code and can crash or have logic errors just like any other part of a computer.Anonymous
February 02, 2006
Larry,Awesome analysis. My gut knows this, but the analogy was so perfect. Thanks.Anonymous
February 03, 2006
"Fixed fortifications are monuments to man's stupidity." -- George S. Patton.Anonymous
February 03, 2006
This is offtopic, but since the upgrade none of the comments have newlines (at least when viewed in IE).
Maybe you support HTML syntax now?Anonymous
February 03, 2006
The comment has been removedAnonymous
February 03, 2006
An off-topic note regarding "Image stolen from wikipedia": you don't need to "steal" the image, it is freely licensed under cc-by-sa-2.5 (see http://commons.wikimedia.org/wiki/Image:Maginot_Line_ln-en.jpg), you should just mention the author and the license (although it would be preferred to host a copy elseware instead of hotlinking that puts strain on already overloaded Wikimedia servers ;-) ...).Anonymous
February 03, 2006
The comment has been removedAnonymous
February 04, 2006
Larry Osterman has an interesting post on blind faith in firewalls.
Security works best when it is...Anonymous
February 04, 2006
PingBack from http://peewitsol.wordpress.com/2006/02/04/mm-security-the-firewalls-false-sense-of-security/Anonymous
February 12, 2006
You are not always stealing because your image is under a free license, and if you are stealing, you are stealing not from wikipedia, but from the Wikimedia Commons. This page says what license the image is under.
http://commons.wikimedia.org/wiki/Image:Maginot_Line_ln-en.jpgAnonymous
March 01, 2006
The comment has been removedAnonymous
March 26, 2006
The comment has been removedAnonymous
May 29, 2009
PingBack from http://paidsurveyshub.info/story.php?title=larry-osterman-s-weblog-firewalls-a-history-lessonAnonymous
June 07, 2009
PingBack from http://besteyecreamsite.info/story.php?id=412Anonymous
June 08, 2009
PingBack from http://menopausereliefsite.info/story.php?id=306Anonymous
June 09, 2009
PingBack from http://cellulitecreamsite.info/story.php?id=2130
