Note: I had written this before RSA but did not have a chance to post. So a bit late, but still relevant:
Ellen Messmer over at Network World had a good article about 13 Security Myths that maybe you shouldn’t believe. While each of the baker’s dozen that Ellen writes about is good, I wanted to highlight Security Myth #12:
Security Myth No. 12: "Sure, we have a firewall on our network; of course we're protected!"
Kevin Butler, information technology security analyst at the University of Arkansas for Medical Sciences, who says he has spent a decade as a firewall administrator, says there are plenty of myths about firewalls. Acknowledging he might have believed a few of them over the years, Butler says the ones that stand out for him are that "firewalls are always a piece of hardware" and "a properly configured firewall will protect you from all threats." About this second one he notes: "Nothing quite says hello like malicious content encapsulated over an SSL connection infecting your workstations." Other firewall myths he knows of include "with a firewall, there's no need for antivirus software" and one that really gets his ire, "Brand 'X' firewall protects against even zero-day threats." About this, he says, "New exploits against firewall protections are identified faster than they are mitigated. A firewall shall never be a 'fire and forget' solution for perimeter protection, EVER!"
I think Kevin is right on. There are no magic bullets in security, and firewalls are certainly not the be-all and end-all. I especially love the zero-day threat myth. If only I had a dollar for every security product that was capable of stopping zero-day attacks, I would be a rich man by now. But it is the last line of the paragraph that I really want to focus on today.
“A firewall shall never be a 'fire and forget' solution for perimeter protection, EVER!”
Amen to that, Mr. Butler! How many of us have asked IT admins, or even security folks, when their firewall rule set was last updated, and received back a blank look or a mumble of “when we set it up a few years ago”? It is amazing that today, so many years later, there are still so many networks where a firewall was installed, configured and left alone. (Let alone so many networks that don’t even have a firewall!)
What is even more amazing is that so many of these same people will swear by their firewall protecting them. It makes you almost want to shake them by the shoulders and wake them up. If your firewall is operating under the same rule set and configuration as the day you installed it, you are probably already p0wned. And please don’t blame your firewall; blame yourself for not managing it. Like guns don’t kill people, people kill people: firewalls that are not managed don’t cause breaches, poor firewall managers cause breaches.
Not to turn this into a pitch for my friends at Firemon (OK, maybe just a little), but I understand that many firewall management GUIs leave a lot to be desired. That is exactly why products like Firemon Security Manager exist, though. There is just no good excuse for not actively managing your firewall.
While we are at it, let me get another pet peeve of mine off my chest. Just as bad as ignoring your firewall configuration is not pruning your firewall rule set. The opposite of never adding rules or updating your firewall are the folks who add rules to their firewalls one after the other, with multiple people adding rules and no process in place for doing so. One person leaves, another person comes, and rules get added on top of rules. Before you know it, the electric spaghetti of wires around your home entertainment system is child’s play compared to the mess your firewall rule set is.
Just as two negatives make a positive, two rules trying to accomplish the same thing may negate each other and create a tunnel into your network that an 18-wheeler could drive through. If you don’t know why a particular rule is in place on your firewall, it shouldn’t be there. Again, not to turn this into a Firemon commercial, but that is exactly the sort of thing their product takes care of. It examines your rule set and makes sure that what you have is what you need. You can see what the consequences of adding a rule to your firewall would be, and it makes recommendations on what to add and what to take away. It makes you smart about managing your firewall.
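To make the two paragraphs above concrete, here is a small rule-set hygiene check written for this post (it is not code from the post or from Firemon): it walks a first-match rule list and flags a later rule that an earlier, broader rule completely covers (redundant when the actions agree; shadowed when they disagree, which for a dead deny is exactly the tunnel described above) and rules that nobody has written a reason for. The rule set, rule names and ticket numbers are constructed, and default-deny is an assumed policy.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    action: str       # "allow" or "deny"; evaluated first-match, in list order
    src: str          # source CIDR
    dst: str          # destination CIDR
    dport: tuple      # inclusive (low, high) destination port range
    reason: str = ""  # change ticket / owner; empty means nobody knows why it exists

def covers(a: Rule, b: Rule) -> bool:
    """True if every packet matched by rule b is also matched by rule a."""
    return (ipaddress.ip_network(b.src).subnet_of(ipaddress.ip_network(a.src))
            and ipaddress.ip_network(b.dst).subnet_of(ipaddress.ip_network(a.dst))
            and a.dport[0] <= b.dport[0] and b.dport[1] <= a.dport[1])

def first_match(rules, src, dst, port):
    """Evaluate one flow against the list; default deny if nothing matches (assumed policy)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst)
                and r.dport[0] <= port <= r.dport[1]):
            return r.action
    return "deny"

def audit(rules):
    """Report undocumented rules and rules made dead by an earlier, broader rule."""
    findings = []
    for i, later in enumerate(rules):
        if not later.reason:
            findings.append(("undocumented", later.name))
        for earlier in rules[:i]:
            if covers(earlier, later):
                # Same action: harmless clutter. Opposite action: the later rule never
                # fires, so a dead deny means the earlier allow has punched a hole.
                kind = "redundant" if earlier.action == later.action else "shadowed"
                findings.append((kind, later.name, earlier.name))
                break
    return findings

# Constructed sample rule set: years of rules piled on top of rules.
RULES = [
    Rule("vpn-any", "allow", "10.8.0.0/16", "0.0.0.0/0", (1, 65535), "CHG-0012 (2009)"),
    Rule("block-db-from-vpn", "deny", "10.8.0.0/16", "10.1.5.0/24", (3306, 3306), "SEC-44"),
    Rule("web-in", "allow", "0.0.0.0/0", "10.1.1.0/24", (443, 443), "CHG-0300"),
    Rule("web-in-dup", "allow", "0.0.0.0/0", "10.1.1.0/24", (443, 443)),
]
```

Running `audit(RULES)` shows the database deny is shadowed by the old catch-all VPN allow, and `first_match(RULES, "10.8.3.4", "10.1.5.10", 3306)` confirms the flow is still allowed; moving the deny ahead of the allow closes the hole.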
Yes, a firewall is not a panacea. By itself it will not make you immune to successful attacks. But a well-managed firewall is still your best friend in keeping the bad guys out and your network running safely.