Why Firewalls Aren't Enough

11th March 2001

Recently, I was watching a TV program on computing. Interestingly, this program had a brief section on digital security. The person interviewed was some supposed "security guru" -- whatever that means. The interviewer had some very specific questions: "How do we tackle the spread of mobile viruses?", "How do we tackle DDoS attacks?". The "security guru" seemingly had only one answer: "Firewalls, of course", "Firewalls, man!".

That guy obviously doesn't know what he is talking about.

A firewall is not a panacea for every security problem, whatever that program suggested. Before I go on to explain why, I'll talk briefly about firewalls.

In large corporate networks, there are central "choke" points through which network traffic leaves or enters the organization's internal network. Such a design has an obvious benefit: suppose the organization does not want network traffic from the system "hacker.com" to enter its network; it can enforce that at one single point. Firewalls are devices that provide this capability. They can be implemented entirely in hardware or as software.

Typically, firewalls operate using certain "rules". The rules can be something like: allow "all" traffic from "microsoft.com", deny "all" traffic from "hacker.com". Rules can also be selective, like: allow "tcp" connections to port "80"; allow "udp" connections to port "53". When network traffic from an internal workstation leaves for a remote host, it is "compared" against the rules in the firewall. Actions are taken when there is a match and... well, you get the general idea. Each firewall device ships with a set of "typical" rules.

Of course, firewalls are a great idea. They would not have been embraced by the security community otherwise. They help you connect your internal network to the Internet and yet control the traffic from one central place. They're flexible: you can dynamically add, remove and configure rule sets.

However, firewalls - both hardware and software - are on their own insufficient to provide any "real" security. Let me explain why.

Firstly, firewalls - like every other piece of software - are complex. Like every other piece of software, they are also buggy. There are bugs in design, implementation and deployment. The designer makes some assumptions. The implementer makes some assumptions. The person who deploys the system makes assumptions. The sum total effect is a system that works exceedingly well -- as long as things fall within those assumptions. 90% of the time they do. But we're concerned only about the other 10%. There is undeniable proof that even the best of firewalls can be broken into.

Secondly, there is the human error factor. After all, firewalls are operated by humans. Rules are written, configured and changed by humans. Case studies show that hackers manage to break past firewalls mainly because of poor configuration of these devices. In fact, there is talk in the underworld that 85% of firewalls' ACLs are fixed!
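The rule matching described two paragraphs up, and the misconfiguration point just made, as an added example that is not part of the original article: a first-match evaluator over the article's own four rules, plus a check that flags rules an earlier rule has made unreachable. The `Rule` and `Packet` names, the host "example.net" and the misordered rule set are constructed for illustration; real firewalls match on addresses and prefixes rather than host names.

```python
from dataclasses import dataclass
from typing import List, Optional

ANY = "*"  # wildcard for a source host or protocol

@dataclass(frozen=True)
class Packet:
    src: str    # source host; constructed names such as "hacker.com"
    proto: str  # "tcp" or "udp"
    dport: int  # destination port

@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str = ANY
    proto: str = ANY
    dport: Optional[int] = None  # None matches every port

    def covers(self, other) -> bool:
        """True if this rule matches a Packet, or every packet another Rule matches."""
        return ((self.src == ANY or self.src == other.src)
                and (self.proto == ANY or self.proto == other.proto)
                and (self.dport is None or self.dport == other.dport))

def evaluate(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """First matching rule wins; `default` applies when no rule matches."""
    for rule in rules:
        if rule.covers(pkt):
            return rule.action
    return default

def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indexes of rules that can never fire because an earlier rule already covers them."""
    return [i for i, r in enumerate(rules) if any(e.covers(r) for e in rules[:i])]

# The article's example rule set, in the order it is given.
RULES = [
    Rule("allow", src="microsoft.com"),
    Rule("deny", src="hacker.com"),
    Rule("allow", proto="tcp", dport=80),
    Rule("allow", proto="udp", dport=53),
]

# A constructed misconfiguration: a broad "allow tcp" inserted at the top lets
# TCP traffic from hacker.com through before its deny rule is ever consulted,
# and makes the "allow tcp 80" rule unreachable.
MISORDERED = [Rule("allow", proto="tcp")] + RULES

if __name__ == "__main__":
    print(evaluate(MISORDERED, Packet("hacker.com", "tcp", 22)))  # allow
    print(shadowed_rules(MISORDERED))  # [3]
```

The shadow check is conservative: it only reports a rule that is covered in full, so the partially overridden deny for hacker.com is found by evaluating traffic against the set, not by the static check alone.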

Thirdly, hackers are getting wiser and, more importantly, so are their tools. Tools like Firewalk and Fragrouter manage to map out a firewall's ACL entirely. The best part: these tools are so automated that even script kiddies can use them. So, out goes your theory that breaking firewalls needs immense skill. Nothing could be more amusing than that statement.

Fourthly, most firewalls can operate in one of two modes: fail/open or fail/close. Both are disastrous. Consider the first one, fail/open: if the firewall fails, all traffic is allowed. Go figure! Consider the second one, fail/close: if the firewall fails, nothing ever leaves your network. You have a potential DoS scenario here. Either way, you're owned.

Finally, what do we do about virulent mobile code and DDoS-style attacks? What about that .vbs attachment that floats along with your email, of which your firewall is blissfully ignorant? What about that huge amount of traffic directed at your core router? We need a second line of defense.

To my understanding, firewalls are good only for providing that vital first line of defense. You always need a second or third layer of defense to mitigate other attacks.

Don't be misled into a false sense of security by having a firewall. You have a firewall. That is good. But then, so what?

-- FoxThree

References:

    [1] Black Hat Briefings
    [2] Firewalk Home Page
    [3] Packetstorm archives for Fragrouter
    [4] Useful Firewall resources
    [5] Firewall Vendors
        CheckPoint Software - Firewall-1
        Network Associates - Gauntlet
    [6] Personal Firewalls
        Network ICE - BlackICE Defender
        Tiny Software - Tiny Firewall