• United States




Why you don’t need a firewall

May 15, 20125 mins
Data and Information SecurityFirewallsSecurity

Once, firewalls were useful for certain types of attacks. Now they're more trouble than they're worth -- and create a false sense of security into the bargain

Firewalls need to go away. I’m just saying what we all already know. Firewalls have always been problematic, and today there is almost no reason to have one.

Computer firewalls have been with us since the 1980s. Even early on it was pretty clear that they didn’t really work; if they did, we would have defeated malicious hackers and malware a long time ago. But at least back in the day there was a decent reason to need them.

A vestigial defense For nearly three decades, remote buffer overflows were the most dreaded tool in the hacker’s arsenal. Simply find an open listening port running a vulnerable service, pile in executable code, and — voila! — your buffer overflow exploit gained you complete system access.

That’s hardly ever true anymore. The number of truly remote buffer overflows — the ones you can point at a listening service and pull the trigger, such as SQL Slammer or MS-Blaster — are dwindling and nearly gone. Ask Microsoft: Since the release of Microsoft Windows Server 2003 in April of that year, Microsoft Windows has had only a handful of truly remote buffer overflows. This is out of literally thousands of different versions of Microsoft services over nine years. (Note: Most of today’s so-called remote buffer overflows require local human interaction to be successful, which does not qualify it as a remote exploit in my book.)

It’s simply harder to pull of any buffer overflow today, much less a remote buffer overflow. Microsoft and other vendors have significantly improved the quality of the code and provided excellent proactive memory protections, including DEP (data execution prevention), ASLR (address space layout randomization), canary stack values, and chip-level NX/XD hardware protections. Even if you pull off a buffer overflow against a service, fewer of them are running as local system or root.

Worse than a boat anchor Firewalls tend to be horribly managed. Almost no one reads the logs or responds to the events recorded. Who can blame us? The average firewall produces thousands of warning messages every hour. Who can find the valuable, actionable information in all that noise? Not me — nor any firewall administrator I’ve ever met.

Worse, when I review firewalls, almost all of them seem to have horrible rule sets. I find so many firewalls with “ANY ANY” rules that defang the protection, it doesn’t faze me anymore. Again, I’m not sure I can always blame the poor, misguided souls that have created those rules. Firewalls seem to interrupt many legitimate operations, and I know the frustration that led to those rules.

I’ve been there: “Just open the firewall up and let’s see if that’s causing the problem. Oh, that worked. OK, we’ll get that app running, then come back and fix the firewall later.” I’d be lying if I said this didn’t happen once or twice in my career when I was a network administrator. These days, I have a hard time doing security reviews, patching, or other legitimate network management due to firewall problems.

Plus, in over 20 years, I’ve never reviewed a hardware firewall that had up-to-date firmware. They all contained public vulnerabilities that would allow attackers to get in only if they tried. It’s ironic. The device that’s supposed to protect the castle is a bridge across the moat.

Familiar routes One of the biggest reasons why firewalls don’t matter is how every app and service being developed today works over either port 80 or 443, two ports you can’t and never could block. The bad guys know this, and many years ago, they coded their hacking tools and malware to work over those same ports. If you find a malicious program that doesn’t work over those two ports, I’ll show you an old program or one that doesn’t survive long in the wild.

The smart hacker money has been sailing through the guaranteed open firewall ports for many years. Today, 99 percent of all successful attacks are client-side attacks, in which the end-user runs something he or she shouldn’t — and in those cases, the firewall doesn’t help at all.

But the real test of whether or not firewalls have any value is whether or not PCs with firewalls get hacked less than PCs with firewalls. This used to be true — but it hasn’t been true for a long time.

Firewall farewell Still don’t believe firewalls are going away? In truth, that process is already happening.

We all know that most future computing devices will not be traditional desktop or laptop computers. Do you think that our pad devices, smartphones, mobile devices, and computer-enabled TVs are going to have firewalls — or that their users that will understand firewalls well enough to configure them, especially when the firewall admin experts of our current networks can’t do it? Please! In the future, which is now, firewalls are already dead.

True, in a perfect world, firewalls would have real value. The recent Remote Desktop Protocol exploit is a case in point: Microsoft recommended that affected clients block RDP port 3389 at perimeter firewalls as one of their protective work-arounds. But everyone I know, instead, installed the emergency patch. They didn’t reconfigure the firewalls blocking port 3389. They did something else. This has been the case for every similar sort of exploit over the last decade.

Heck, even when we block attacks at the firewall, the defense doesn’t work. One of the most destructive worms in the past decade was MS-Blaster. Initially, everyone relaxed because the port that MS-Blaster attack was blocked by nearly every perimeter firewall by default. A day later, every network in existence was infected by MS-Blaster. It turns out that perimeter firewalls have less value when you’re riddled with infected mobile devices, VPNs, and other permeable holes laying open the false security that has always been granted by firewalls.

The cost of having a firewall simply outweighs the benefits. Me? I’ve known for a long time that firewalls were dead. It’s just a matter of time until they disappear.


Roger A. Grimes is a contributing editor. Roger holds more than 40 computer certifications and has authored ten books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. He specializes in protecting host computers from hackers and malware, and consults to companies from the Fortune 100 to small businesses. A frequent industry speaker and educator, Roger currently works for KnowBe4 as the Data-Driven Defense Evangelist and is the author of Cryptography Apocalypse.

More from this author