The firestorm over firewalls

Two days ago I declared that it was time to deep-six the firewall; the rebuttals were fast and furious. Here's my response

I love offering opinions that generate comment after comment about how dumb I am, as my post "Why you don't need a firewall" has achieved. Little do these detractors know that my family and classmates said much meaner things as I was growing up, so it's like water sliding off a duck's back. I appreciate most of the comments -- because many were valid.

Some commenters, for example, guessed that I might have been exaggerating the tone of the article for effect. Mea culpa!


But I stand by my main point, which is that firewalls have significantly less value today than they did years ago. Many readers focused on one point: that misconfigured and mismanaged firewalls are worse than useless. That's true. But my main argument, that most of today's successful threats don't care about firewalls, is much more relevant. Firewalls are victims of their own success: They forced attackers to move up the stack, onto the outbound ports that are always open (80 and 443), where a port-based rule can no longer tell good traffic from bad.

Bones of contention
Some readers pointed out that firewalls are great at auditing, blocking denial-of-service attacks, and configuring quality of service. True, but routers and proxies are even better for those tasks. In an optimally configured environment, you let the dumbest (and fastest) device do most of the work.

Another contention was that firewalls are great at blocking ports of vulnerable listening services. This is true, but there aren't many vulnerable remote services anymore; even when they are vulnerable, vendors offer patches faster than companies can approve new firewall rules. Let me ask you: When the RDP exploit was out last month, did you apply the patch or block the firewall port? I bet the former rather than the latter.

Many readers told me that firewalls are good at deep packet inspection. Sure, but a properly designed service doesn't need deep packet inspection to protect it. Deep packet inspection is computationally very expensive. It slows down the network and generates a ton of false positives. Almost none of my clients with devices capable of deep packet inspection use it. You'd be better off with a service that isn't prey to the type of threats prevented by deep packet inspection; a well-designed service is faster, better, and stronger.
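To make the two preceding points concrete, here is an added example (not code from the column or from any vendor mentioned in it) that contrasts what a port-only egress rule sees with what an inspection device has to do once attackers live on 443. It constructs a minimal TLS ClientHello carrying a server_name (SNI) extension, then shows that the port rule allows every such connection while a deeper check must parse the handshake to recover the hostname. The port set, the blocklist, and the hostnames are assumptions made up for the example.

```python
import struct

# Constructed policy for the example: the classic "allow web egress" rule set.
ALLOWED_EGRESS_PORTS = {80, 443}
# Hypothetical blocklist of hostnames an inspection device would deny.
BLOCKED_HOSTS = {"c2.example"}


def build_client_hello(hostname: str) -> bytes:
    """Construct a minimal TLS 1.2-style ClientHello record carrying a
    server_name (SNI) extension for `hostname`. Constructed test input."""
    name = hostname.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name       # host_name type
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list       # ext type 0 = SNI
    body = (
        b"\x03\x03" + bytes(32)                  # client_version, random (zeroed)
        + b"\x00"                                # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"     # one cipher suite
        + b"\x01\x00"                            # compression: null only
        + struct.pack("!H", len(ext)) + ext
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the SNI hostname from a TLS ClientHello record, or None if the
    bytes are not a ClientHello or carry no server_name extension."""
    if len(record) < 5 or record[0] != 0x16:                # not a handshake record
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                         # not client_hello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                             # skip version + random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                                     # skip session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]     # skip cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                                     # skip compression_methods
    if len(body) < pos + 2:                                  # no extensions block
        return None
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= min(end, len(body)):
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype != 0x0000 or len(edata) < 5:
            continue
        list_end = 2 + struct.unpack("!H", edata[:2])[0]
        p = 2
        while p + 3 <= min(list_end, len(edata)):
            ntype = edata[p]
            nlen = struct.unpack("!H", edata[p + 1:p + 3])[0]
            p += 3
            if ntype == 0:                                   # host_name entry
                return edata[p:p + nlen].decode("ascii", errors="replace")
            p += nlen
    return None


def port_firewall_verdict(dst_port: int) -> str:
    """What a port-only egress rule sees: the destination port and nothing else."""
    return "allow" if dst_port in ALLOWED_EGRESS_PORTS else "deny"


def dpi_verdict(dst_port: int, payload: bytes) -> str:
    """Port rule first, then look inside the first packet for the SNI hostname."""
    if port_firewall_verdict(dst_port) == "deny":
        return "deny"
    sni = extract_sni(payload)
    if sni is not None and sni in BLOCKED_HOSTS:
        return "deny"
    return "allow"                                           # unknown or benign host


if __name__ == "__main__":
    for host in ("www.example.com", "c2.example"):
        hello = build_client_hello(host)
        print(host, port_firewall_verdict(443), dpi_verdict(443, hello))
```

The port rule returns "allow" for both hostnames; only the handshake parse separates them, and that parse is the cheap end of inspection (one field in one packet, before any encryption). Everything past the ClientHello is ciphertext unless the device terminates TLS, which is where the cost and the false positives the column describes come from. It is also a moving target: TLS 1.3's Encrypted Client Hello extension is designed to hide exactly this field.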

Show me a scenario where you think a firewall excels, and there's a good chance you're using it in place of a device or solution that would do the job better or more securely.

The security industry versus me
The president and CTO of Firemon, Jody Brazil, had one of the better retorts to my column. Here's the first part:

Today Roger Grimes posted an article on InfoWorld about the overdue death of the firewall: "Why you don't need a firewall." His case rests on two primary arguments: 1. The firewall doesn't protect against modern-day threats, specifically client-side vulnerabilities and the fact that all apps run over ports 80 and 443, which can never be blocked in the firewall, and 2. The firewall is managed so poorly that it causes more problems than it solves.

I'll agree that these are my two main points, but I'm far more invested in the former than the latter.

Let's separate these two points to more logically discuss each, starting with the value of a firewall in today's threat environment. I take significant issue with his statement that, "Today, 99 percent of all successful attacks are client-side attacks." This is not substantiated by any research for good reason; it isn't true.

Ah, but it is true. Get rid of the browser on a computer and nearly all risk goes away. Most successful exploits happen because of client-side malware -- even attacks that eventually reach the server and/or compromise data. Just ask McAfee, Symantec, Microsoft, or any of the other major companies that monitor and sell computer security protection. If we could stop people from clicking on things they shouldn't, the world of computer security would be far easier.

Successful client-side attacks number in the tens, if not hundreds, of millions per year. Go find your biggest hack that didn't require the end-user to be involved and respond to me in public. If you search long enough, you'll find a few that hit maybe a thousand computers in their lifetime.

The Verizon Data Breach Investigations Report actually discusses successful attacks in significant depth and completely invalidates this point. It reports that 81 percent of all attacks and 99 percent of lost data is a direct result of "hacking."

Page 1 of 2