“The firewall is dead”, “Data is the new perimeter”, “Cloud will make the firewall obsolete” – these are just some of the quotes you hear every now and again in the information security community. But I would like to counter them with a quote from (renowned cyber-security expert) Mark Twain – “The reports of my death have been greatly exaggerated”.
Admittedly, firewalls have been around for 20 years, which is an eon in the world of technology. Any security pro will also rightly tell you that firewalls do not provide sufficient defence in today's threat landscape. But I argue that firewalls are more relevant to security than ever. Here's why.
#1 The Basics Matter
Despite the APT media hype, most of the successful attacks exploit known vulnerabilities. Advanced network security technologies such as sandboxing and IPS are important elements of a defence in depth strategy, but limiting the attack aperture, which is a firewall's core function, still contributes greatly to your security posture.
I like comparing the firewall to the basic lock on your door. You may decide, based on the threat landscape and the value of the assets in your house, that your front door lock is not enough to stop attackers, and therefore choose to install an alarm system and a safe. But does this mean that you leave your front door open and not lock it when you leave the house? I would hope not.
It's also worth taking into account that in some cases, such as your shed (or in the business world, a remote branch with no crown jewels) a simple lock may still suffice.
#2 Segmentation is Key
Determined attackers have a good chance of breaking your defences and gaining access to your network, which is why network segmentation is so important in limiting the lateral movement of attackers once they are in. The firewall is the ideal device for network segmentation (and for those of you segmenting using VLANs, may the gods of good fortune be with you). In fact, with modern firewalls including so many additional capabilities beyond just... well... firewalling, some people like our good friends at Forrester Research have opted to call them “Network Segmentation Gateways”.
Segmentation has become so strategic that the buzzword du jour is micro-segmentation. At its extreme, it involves a (virtual) firewall on every server in the data centre, which segments it from all other servers. This really means adding more firewalls (the same ones that are not relevant anymore, remember?) that need to be managed. Which is why I feel the success of these initiatives relies heavily on the ability to automate security policy management, and it will be interesting to monitor how micro-segmentation will play out over time.
#3 A firewall by any other name would filter just as many packets
The firewall has certainly evolved in the 20 odd years it has been around – but despite marketing departments' best attempts to coin new terms that will make it to next year's budget – the fact remains that the need for basic filtering of network traffic has not gone away.
“Next-Generation” firewalls include a slew of advanced features such as application and user awareness, intrusion prevention, URL filtering and sandboxing, but the core “old-generation” firewalling functionality, in case you wondered, is still there.
And what about the cloud? There are no firewalls in the cloud, right? Amazon Web Services, by far the leading cloud provider, offers “security groups”. This is software-based functionality that enables you to set a policy on incoming and outgoing traffic for each AWS instance based on IPs, ports and protocols. Does this functionality remind you of something?
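To make the segmentation point from #2 and the security-groups point from #3 concrete, here is an added example (mine, not AlgoSec's or AWS's code) that audits a three-tier set of security group rules for the kind of mistakes a firewall policy review would catch: a tier open to the whole internet on a non-web port, or an "all protocols" rule that collapses segmentation. The group data is constructed inline in the shape of the EC2 DescribeSecurityGroups response; the group IDs and the allowed public ports are assumptions.

```python
"""Offline audit of EC2-style security group rules for segmentation violations."""

# Constructed sample in the shape of an EC2 DescribeSecurityGroups response
# (group IDs are placeholders, not real AWS identifiers).
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "GroupName": "web-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-app", "GroupName": "app-tier", "IpPermissions": [
        # good: app tier reachable only from the web tier's security group
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-web"}]}]},
    {"GroupId": "sg-db", "GroupName": "db-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-app"}]},
        # weak: database port reachable from the whole internet
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        # weak: every protocol and port from the whole VPC range
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/16"}],
         "UserIdGroupPairs": []}]},
]

PUBLIC_OK = {80, 443}  # assumption: the only ports a tier may expose to 0.0.0.0/0


def port_range(perm):
    """EC2 encodes 'all traffic' as IpProtocol '-1' with no port fields."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def audit(groups):
    """Return (group_id, finding) pairs for rules that break tier segmentation."""
    findings = []
    for group in groups:
        for perm in group["IpPermissions"]:
            lo, hi = port_range(perm)
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            refs = [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])]
            if perm.get("IpProtocol") == "-1":
                findings.append((group["GroupId"],
                                 "all protocols/ports from " + ", ".join(cidrs + refs)))
            for cidr in cidrs:
                # a world-open rule is acceptable only on a single public web port
                if cidr == "0.0.0.0/0" and not (lo == hi and lo in PUBLIC_OK):
                    findings.append((group["GroupId"],
                                     f"world-open {perm['IpProtocol']} {lo}-{hi}"))
    return findings


if __name__ == "__main__":
    for group_id, finding in audit(SAMPLE_GROUPS):
        print(f"{group_id}: {finding}")
```

Against real data you would feed `audit()` the `SecurityGroups` list returned by the EC2 DescribeSecurityGroups API; the web tier's 443 rule passes, while both weak rules on the database tier are reported.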
#4 The numbers don't lie
Depending on which analyst market research you go by, the firewall market is boasting a seven to 10 percent annual growth rate—impressive growth for a multi-billion, 20-year-old market.
And I would like to leave you with one last number – as part of my role at AlgoSec, I am fortunate enough to discuss network security with hundreds of companies, including many of the Fortune 50. How many of these companies have plans to root out their firewalls since they are no longer relevant? You might have guessed it – a big fat zero.
Pretty impressive for a dead guy.
Contributed by Nimmy Reichenberg, VP marketing and strategy, AlgoSec