The firewall is still relevant but needs a complete overhaul for it to work efficiently.
Commenting on the issue raised by the SC Studio debate on the future of the firewall, Lee Klarich, vice president of product management at Palo Alto Networks, stated that the firewall is definitely not dead, but traditional firewalls are so far behind the application and threat developers that it sometimes feels like it.
Klarich claimed that the ‘discussion on securing ports and whether this was useful was interesting’ and that blocking ports is nearly meaningless as a security measure.
Klarich said: “The problem is really pretty simple. Traditional firewalls like those from Check Point and others look at ports and protocols to identify and control traffic. For example, TCP port 80 is assumed to be ‘web browsing’ and TCP port 443 is assumed to be ‘HTTPS’. Do you allow or block ports 80 and 443, or any other port for that matter?
“Well, you have to allow 80, 443, and many others because a lot of legitimate traffic also uses those same ports. Unfortunately, nearly every application available (from the most trusted business app to the least trusted peer-to-peer app) will gain connectivity by dynamically finding open ports, using common ports, or using SSL encryption, which means traditional firewalls are pretty limited in what they can do.”
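To make the point concrete, here is an added illustration (not from the article or from Palo Alto Networks) contrasting the port-only verdict of a traditional firewall with a check of the first client bytes of each flow. The flows, the port labels and the handful of payload signatures are constructed for the example.

```python
"""Added example: port-based versus payload-aware classification of TCP flows.

Constructed sample flows, not from the article. Each flow is a tuple of
(destination TCP port, first bytes sent by the client).
"""
import re

# Constructed samples: (dst_port, first client bytes)
SAMPLE_FLOWS = [
    (80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    (443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),              # TLS handshake record
    (80, b"\x13BitTorrent protocol\x00\x00\x00\x00\x00\x10\x00\x05"),   # P2P handshake on port 80
    (443, b"SSH-2.0-OpenSSH_9.6\r\n"),                                   # SSH banner on port 443
    (8080, b"POST /api HTTP/1.1\r\nHost: example.test\r\n\r\n"),
]

# What a port/protocol firewall assumes each well-known port carries
PORT_LABELS = {80: "web-browsing", 443: "https"}

# Which real applications each port label legitimately corresponds to
EXPECTED_APPS = {"web-browsing": {"http"}, "https": {"tls"}}

HTTP_REQUEST_LINE = re.compile(rb"^(GET|POST|PUT|HEAD|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")

def classify_by_port(port):
    """Verdict of a traditional firewall: the port alone decides the label."""
    return PORT_LABELS.get(port, "unknown")

def classify_by_payload(payload):
    """Identify the application from the first client bytes, ignoring the port."""
    if HTTP_REQUEST_LINE.match(payload):
        return "http"
    if payload[:2] == b"\x16\x03":            # TLS record type 22 (handshake), major version 3
        return "tls"
    if payload.startswith(b"\x13BitTorrent protocol"):
        return "bittorrent"
    if payload.startswith(b"SSH-"):
        return "ssh"
    return "unknown"

def find_mismatches(flows):
    """Return (port, port_label, app) for flows whose payload contradicts the port label."""
    mismatches = []
    for port, payload in flows:
        port_label = classify_by_port(port)
        app = classify_by_payload(payload)
        if port_label in EXPECTED_APPS and app not in EXPECTED_APPS[port_label]:
            mismatches.append((port, port_label, app))
    return mismatches

if __name__ == "__main__":
    for port, label, app in find_mismatches(SAMPLE_FLOWS):
        print(f"port {port} labelled {label!r} by port, payload identifies {app!r}")
```

The two mismatches it reports are exactly the traffic a port-only policy would wave through as ‘web browsing’ and ‘HTTPS’.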
He also claimed that the problem goes much further than just seeing and controlling applications, as attacks have shifted from denial-of-service to much more malicious and pervasive attacks for profit – stealing sensitive information from users and servers or infecting hosts to perform other tasks of their choosing.
“These attacks leverage these same applications that traditional firewalls don't see. They use peer-to-peer networks, encryption, browser vulnerabilities, hidden iFrames, etc. to quietly gain access to information and then sell it for profit,” said Klarich.
He claimed that from the perspective of Palo Alto Networks, the firewall is very relevant and it is the right place to solve this problem, but it requires a complete rework to be effective.