Enterprise firewalls are a thing of the past

Do you have an enterprise firewall? Here’s a rule set for you to try:

  • Source: ANY

  • Destination: ANY

  • Protocol: ANY

  • Action: ALLOW

Yes, I’m asking you to allow everything across the firewall. Horrors!

But wait a minute. Most modern networks, large or small, use private address space behind NAT rather than public IP addresses, so John Citizen cannot connect directly to the systems on the network at will: an unsolicited inbound packet from the Internet has no translation entry to carry it to an internal host. Are outbound connections a significant threat? I don’t think so. There are so many ways for users (and malware) to send information out using already available connectivity devices and infrastructure that trying to keep it under tight control will cost a lot and won’t stop a determined malicious insider (or a clever trojan).

If there is any tangible risk resulting from applying the above-mentioned firewall rule set, then you have a big problem: insecure infrastructure. And you don’t solve it with a device that may be located on another continent.

So it’s time to stop paying for those stateful inspection appliances, as well as their support and maintenance. Time to openly oppose best practices and regulatory compliance requirements that often make organisations use multiple layers of enterprise firewalls. Get back to basics: secure your applications.

I was looking for the old thread on the Death of DMZ and found it on Susan Bradley’s blog (where else?). Time to bring it up again, and to acknowledge the reality: it’s not just the DMZ that belongs to the past; it’s the brandmauer.

5 thoughts on “Enterprise firewalls are a thing of the past”

  1. Hi Slav,

I’m not entirely sure I agree with this. Surely defense is /defense in depth/. That doesn’t mean rely on the firewall for total security. It also doesn’t mean go overboard in spending on firewalls. It does mean that having a firewall as an edge device can make it easy/easier to filter out a lot of noise, and allow you to concentrate on more serious issues without the possibility of background rubbish interfering in your network.

  2. Which regulations do you see mention “firewall” specifically? I’m most used to HIPAA regulations, and I’ve yet to find that word in there – but I see plenty of “HIPAA compliant firewall” claims among vendors.

  3. Alun, there are standards that specify the use of firewall. One that comes to mind is Payment Card Industry (PCI) Data Security Standard (https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf), which says “Firewalls are a key protection mechanism for any computer network”. I admit that standards aren’t regulations per se – but regulators and auditors of the world do have expectations based on those.

Ken, do you really need a firewall with stateful inspection, logging etc. to filter out Internet white noise? I don’t think so. And certainly you don’t need a separate hardware device to limit exposure of your Internet servers – just use Windows Firewall, or Netfilter on the Internet interface. Your existing router probably has some basic filtering feature, too.

  4. Hi Slav,

Whilst it is not necessary to run a stateful packet inspection firewall, they do provide additional features that you will not find on a standard router (which, depending on the model, may not have much in the way of ACLs).

Personally, the Windows Firewall is limited in its flexibility. A configuration error could also leave you locked out of the machine, requiring physical access to get back in. Additionally, filtering certain types of non-permitted traffic at the edge is easier than trying to permit that traffic to company hosts in the DMZ whilst denying it to external hosts, especially if using the Windows Firewall.

Ken, router ACLs are not needed: there should be nothing for them to protect. Servers are exposed to the Internet via either reverse NAT, or a load balancer, or a separate interface. Traffic that doesn’t hit a legitimate service port will be ignored. No need for either a firewall or a DMZ. “Extranet” scenarios that involve peers who are neither the general Internet population nor internal folk make it more complicated, but still workable… I wonder how extranets will transform in the IPv6 enterprise (http://msmvps.com/blogs/sp/archive/2007/02/26/ipv6-eterprise-is-here-almost.aspx).
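As an added illustration of the approach described in comments 3 and 5 (host filtering with Netfilter on the Internet interface, so that only the legitimate service ports answer and everything else is silently ignored), here is a hypothetical nftables ruleset for a public web server. It is not code from the post or from any of the commenters. The interface names eth0 (Internet-facing) and eth1 (internal), the 10.0.0.0/8 management subnet, the service ports 80 and 443 and the file name host-edge.nft are all assumptions chosen for the example.

```nft
#!/usr/sbin/nft -f
# Hypothetical host-based policy for a server with an Internet-facing
# interface eth0 and an internal interface eth1 (both names assumed).
# Load with: nft -f host-edge.nft   (syntax check first: nft -c -f host-edge.nft)
flush ruleset

table inet hostfw {
    chain input {
        # Default is drop: anything not explicitly allowed is ignored,
        # with no reset or ICMP reply sent back to the scanner.
        type filter hook input priority 0; policy drop;

        # Loopback traffic
        iif lo accept

        # Replies to connections this host opened itself (connection tracking),
        # so no inbound port has to be opened for outbound traffic to work.
        ct state established,related accept
        ct state invalid drop

        # Management: SSH only from the internal subnet on the internal interface.
        # Keep this rule above the Internet rules and test it before loading,
        # otherwise a mistake locks you out of the box.
        iifname "eth1" ip saddr 10.0.0.0/8 tcp dport 22 accept

        # Internet interface: only the published service ports accept new connections.
        iifname "eth0" tcp dport { 80, 443 } ct state new accept

        # Minimal ICMP so that path MTU discovery and IPv6 neighbour discovery keep working.
        ip protocol icmp icmp type { echo-request, destination-unreachable, time-exceeded } accept
        ip6 nexthdr icmpv6 icmpv6 type { echo-request, destination-unreachable, packet-too-big,
            time-exceeded, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept

        # Everything else: count it (for "nft list ruleset" inspection) and drop it.
        counter drop
    }

    chain forward {
        # This host is not a router; never forward packets between interfaces.
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        # Outbound traffic is left open, matching the post's argument that
        # policing outbound connections on the host buys little.
        type filter hook output priority 0; policy accept;
    }
}
```

Run `nft -c -f host-edge.nft` to check the syntax without changing anything, then `nft -f host-edge.nft` to apply it, and `nft list ruleset` to confirm what is loaded and to read the drop counter. Because the input policy is drop, apply it from a console or from a session on the internal subnet that the management rule covers; that is the lock-out risk comment 4 raises, and it applies equally to a host firewall on Linux. The `ct state` rules are the connection-tracking part: they admit replies to the server's own outbound connections, so an Internet-facing host filtered this way exposes nothing but ports 80 and 443 to a scanner.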
