The message of the death of the firewall has been hanging over the infosecurity industry for the past three years, but could a network be run securely without one. Kevin Dowd, CEO of CNS Networks and Security, looks at a use case and looks at the challenges this has faced.
The recent Night Dragon attacks on energy companies demonstrate how an over-reliance on firewalls can leave companies vulnerable to data and intellectual property theft, should that firewall be breeched.
A total dependence on your border firewall means that as soon as an attacker gets past it, your network is entirely defenceless, even if you are following current industry best practices.
The McAfee report on Night Dragon also describes the ‘methods and tools used in these attacks [as] relatively unsophisticated', which is presumably how they have managed to evade detection by standard security software and network policies. Hackers think differently to businesses and seek the simplest route into a network.
We find that overly complex and technology-heavy systems present a greater risk of errors and a lower level of understanding. Our check team leader and senior penetration tester John Anderson, believes that if you keep a system simple you have a far greater level of control and a much higher likelihood of noticing something going wrong.
Of course, firewalls do have a part to play in security, but they are not a magic bullet. They offer a depth of security, but a firewall alone will not secure your network. Every system needs to be considered individually and a firewall is only one of the solutions possible. We've found that it's possible to create a secure, firewall-less network.
A commercial firewall is often just a packaged version of freely available open source software such as Linux or BSD, performing basic firewall functionality that exists in the operating system. So you can find yourself paying for a pretty (and proprietary) front end, plus some licensing restrictions.
Whether open source or closed, firewalls should not be used to protect badly designed, poorly configured and mis-managed networks; they simply won't solve these problems. A properly configured and locked down server can sit on the internet safely and there is an argument to say that it is just as safe without a firewall device as it is with one.
The use of firewalls can create a false sense of security. An organisation can become complacent; believing that by installing this device or that software, the problem is solved. It's not. The misconfiguration or the user behaviour that creates the vulnerability still exists.
In many cases a large number of unnecessary and insecure services are running on the network, but are only hidden by a firewall. All it takes is for an attacker to get behind the firewall, which can be done in numerous ways, and they will have easy pickings. Several high profile hacks have worked in this way, using social engineering attacks or exploiting vulnerabilities in client applications to get a foothold behind the firewall and then launching a full-scale assault on the systems there.
Automated worms are also a serious problem. Systems behind firewalls often remain unpatched for years or months following the outbreak of a worm, only to fall victim if such malware gets introduced behind the firewall accidentally. So, is it really possible to remove the firewall to create a better, equally secure system?
Anderson tested this theory. All of his devices run without a firewall between them and the internet, they are securely configured to offer only the needed services and only to known and trusted hosts. They have successfully been running for a number of years and have yet to be compromised.
The key to effective security (with) or without firewalls is therefore simplicity and standardisation. The moment systems become complex and start using proprietary protocols, it becomes much harder to manage them. Simple systems, using known and standardised protocols and processes are much easier to configure and therefore more secure.
If you are going to deploy servers, laptops, desktops or any networked equipment the following rules are the simplest way to stay secure:
- Work out the services you actually need
- Work out who will need to access those services and create restricted access
- Disable or remove everything else
- Review the network regularly
Of course, firewalls do provide benefits and we are not advocating they should be ignored in all cases. They should certainly be considered as part of your network security strategy, but each network is unique and it may well be that for many cases installing a firewall will increase cost, decrease network performance and increase management overhead.
A more effective approach is to assess the individual requirements and determine which technologies will best provide the required level of security and service in the most economical way.
We therefore believe that businesses should think about effective implementation of security controls to protect their networks and focus on proper internal security, from employee passwords to ensuring that each application and system is properly hardened. Done properly this could, with specific networks, mean that you could remove the need for a firewall completely.