Page 12 - Cyber Warnings







Are Firewalls Still Relevant to Security?




“The firewall is dead”, “Data is the new perimeter”, “Cloud will make the firewall obsolete” – these
are just some of the quotes you hear every now and again in the information security community.
But I would like to counter them with a quote from (renowned cybersecurity expert) Mark Twain –
“The reports of my death have been greatly exaggerated”.

Admittedly, firewalls have been around for 20 years, which is an eon in the world of technology.
Any security pro will also rightly tell you that firewalls do not provide sufficient defense in today’s
threat landscape. But I argue that firewalls are more relevant to security than ever. Here’s why.



#1 The Basics Matter

Despite the APT media hype, most successful attacks exploit known vulnerabilities.
Advanced network security technologies such as sandboxing and IPS are important elements of a
defense-in-depth strategy, but limiting the attack aperture, which is a firewall’s core function, still
contributes greatly to your security posture.

I like comparing the firewall to the basic lock on your door. You may decide, based on the threat
landscape and the value of the assets in your house, that your front door lock is not enough to stop
attackers, and therefore choose to install an alarm system and a safe. But does this mean that you
leave your front door open and not lock it when you leave the house? I would hope not.

It’s also worth taking into account that in some cases, such as your shed (or in the business
world, a remote branch with no crown jewels), a simple lock may still suffice.



#2 Segmentation is Key

Determined attackers have a good chance of breaking your defenses and gaining access to your
network, which is why network segmentation is so important in limiting the lateral movement of
attackers once they are in. The firewall is the ideal device for network segmentation (and for those
of you segmenting using VLANs, may the gods of good fortune be with you). In fact, with modern
firewalls including so many additional capabilities beyond just... well... firewalling, some people, like
our good friends at Forrester Research, have opted to call them “Network Segmentation Gateways”.

Segmentation has become so strategic that the buzzword du jour is micro-segmentation. At its
extreme, it involves a (virtual) firewall on every server in the data center which segments it from all
other servers. This really means adding more firewalls (the same ones that are not relevant
anymore, remember?) that need to be managed. Which is why I feel the success of these initiatives
relies heavily on the ability to automate security policy management, and it will be interesting to
monitor how micro-segmentation will play out over time.


12 Cyber Warnings E-Magazine – January 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
