The firestorm over firewalls

Two days ago I declared that it was time to deep-six the firewall; the rebuttals were fast and furious. Here's my response

Page 2 of 2

I'm a big fan of the Verizon Data Breach Investigations Report. However, it focuses on large data breaches that Verizon and its partners have investigated. It doesn't cover the residential world, which is far larger than the corporate world. It doesn't cover the small businesses that either didn't suffer huge data losses or didn't call Verizon or one of its partners. For the most part, Verizon only gets a call when the company involved has been hacked by humans. That would have a tendency to skew the data, don't you think?

If you want a better count of client-side attacks versus hacking, ask the big antivirus vendors, who cover clients of every size, big and small, commercial and residential, regardless of the attack vector. They report on the tens of millions of socially engineered Trojans caught each month across hundreds of thousands of companies. The Verizon report covers 855 incidents for the year. Who has a better measure of what is impacting a broad cross-section of customers the most?

Even Verizon's report backs me up. Yes, hackers and hacking are involved in stealing data. But the successful compromise that got the hackers into the business in the first place was usually a client-side attack. The human hacking came later.

Don't believe me? Check out Figure 2 (page 8) in the 2012 Verizon Data Breach Investigations Report. It shows how companies got exploited -- and how that yielded the hacking statistics you base your claims on. Exhibit No. 1 is a client-side attack. Further, without the client-side attack mentioned at the outset, the human attacker wouldn't have been successful. As far as I can tell, a firewall wouldn't have helped in the scenario Verizon reports as the way companies got hacked.

It goes on to specify that access to remote services (e.g. VNC, RCP) "combined with default, weak or stolen credentials" accounts for 88 percent of all breaches. The assumption that 99 percent of attacks are client-side is dead wrong.

The exact quote is, "Remote access services (e.g., VNC, RDP) continue their rise in prevalence, accounting for 88 percent of all breaches leveraging hacking techniques." This is from page 32 of the 2012 report.

The report is saying that of "breaches leveraging hacking techniques," 88 percent use remote control services. It's not the same as saying 88 percent of breaches used hacking techniques. I'll bet you that the VNC and RDP being abused were already installed and used by the victims -- at least, that's the case for every hacking victim I've ever investigated. The hackers are simply using the legitimate services already installed and used by the IT staff. Firewalls aren't going to stop that.
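As an added illustration of the point above (not code from the original column): once the firewall already permits RDP and VNC for the IT staff, the control that can still catch abuse of default, weak or stolen credentials is monitoring of how the service is actually used. The script below, with constructed log records and an assumed admin subnet and business-hours policy, flags remote-access logons from outside that subnet, outside business hours, or from a single source cycling through several accounts.

```python
"""Flag RDP/VNC logons that a port-level firewall rule passes but that deviate
from how the IT staff actually use the service (added example, constructed data)."""
from collections import Counter
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample records, not real data: timestamp, account, source IP, service.
SAMPLE_LOGONS = """\
2012-05-01T09:12:00 jdoe 10.20.0.15 RDP
2012-05-01T09:40:00 admin 10.20.0.40 VNC
2012-05-01T23:55:00 admin 203.0.113.9 RDP
2012-05-02T00:03:00 admin 203.0.113.9 RDP
2012-05-02T00:04:00 jdoe 203.0.113.9 RDP
2012-05-02T10:10:00 jdoe 10.20.0.22 RDP
"""

# Assumed policy: IT staff administer systems from this subnet, during business hours,
# and one admin workstation normally uses one account.
ADMIN_NETWORK = ip_network("10.20.0.0/24")
BUSINESS_HOURS = range(7, 20)   # 07:00 to 19:59 local time
MAX_ACCOUNTS_PER_SOURCE = 1

def parse_logons(text):
    """Parse whitespace-separated records into dicts with typed fields."""
    rows = []
    for line in text.splitlines():
        ts, user, src, svc = line.split()
        rows.append({"time": datetime.fromisoformat(ts), "user": user,
                     "src": ip_address(src), "service": svc})
    return rows

def flag_suspicious(logons):
    """Return (record, reasons) pairs for logons that a firewall allow rule for
    RDP/VNC would pass but that break the expected usage pattern."""
    distinct_accounts = Counter()          # source IP -> number of distinct accounts used
    for src, user in {(r["src"], r["user"]) for r in logons}:
        distinct_accounts[src] += 1
    findings = []
    for r in logons:
        reasons = []
        if r["src"] not in ADMIN_NETWORK:
            reasons.append("source outside admin network")
        if r["time"].hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        if distinct_accounts[r["src"]] > MAX_ACCOUNTS_PER_SOURCE:
            reasons.append("multiple accounts from one source")
        if reasons:
            findings.append((r, reasons))
    return findings
```

Fed real RDP or VNC logon records, the same three checks give a starting point for alerting on credential abuse that the firewall, by design, lets through.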

Modern firewalls do more

But my antagonist doesn't stop there. Brazil also brought up the fact that firewalls are getting better:

It would also seem that Roger is ignoring new advancements in firewall technology. Next-gen firewalls are specifically adept at helping prevent the client-side attack. No longer are ports 80 and 443 an open highway of access through which everything can pass. User-based and application-based policies permit effective control of outbound access.

I've been hearing about firewall advancements and next-gen firewalls for 20 years. When are they going to be advanced enough to stop most hacking? It's like waiting for antimalware scanners to stop computer malware. It hasn't happened, and it never will.

In the Verizon report, the experts tell large organizations what to do to prevent attacks like the ones mentioned in the publication. That advice does not include "install and use a firewall" or even "install an advanced firewall." Why? Because most of these hacked companies already use good firewalls -- many firewalls, I'm sure. In fact, nearly everyone is already using firewalls -- including advanced, super-duper firewalls -- and they still get hacked.

If your next-gen firewall can stop all the hacking you claim it can, why not put that in writing as a guarantee? Not just a money-back warranty, but as a promise to pay for all the costs of the cleanup associated with the attack.

I want to thank Firemon's CTO and president for engaging in this debate. I don't mean to belittle anyone's point of view, and I respect Firemon and its products. But it doesn't change my opinion.

Think about it: If firewalls really did stop as much hacking as they claimed, things wouldn't be nearly as bad as they are today.

This story, "The firestorm over firewalls," was originally published at [link omitted]. Keep up on the latest developments in network security and read more of Roger Grimes' Security Adviser blog at [link omitted]. For the latest business technology news, follow [account omitted] on Twitter.
