Firewalls are a Bad Idea, Always Have Been

I have always argued that using firewalls to protect computer networks is a mistake. The argument for firewalls is they are an extra layer of protection. My counter argument is firewalls end up being the only protection.

Computers started out insecure—the fact that they worked at all was frankly a miracle; how much more do you want? The idea that they would become the targets of bad guys being malicious (because that is what bad guys are) wasn’t anticipated.

At some point, when it became obvious this was a consideration, we should have stepped back and said “Let’s actually build secure stuff!”. It would not have been perfect, but it would have been a start; we would have kept at it, and always remembered to include security as one of the design considerations.

Instead, everyone just slapped on a firewall.

“That’ll work!”

And it mostly did. We mostly concluded that designing in security wasn’t necessary; we were too busy moving fast.

Time passes, lots of time passes.

Nowadays most people in tech think “programming” is identical to “web programming”. (Are you a front end developer or back end developer?) And that all happens in rented computers that we call “the cloud”. A lot has changed.

And we are still depending on firewalls for security.

Some fancy stuff has been added; buzzwords such as “virtual private cloud” are common—roughly, a bunch of firewalls configured to control which rented virtual computers can talk to which other rented virtual computers.

And it doesn’t work. It turns out the amorphous and diaphanous word “cloud” is perfect for describing what we get when we have the ability to quickly and easily rent and configure new virtual computers.

The result is…vague. There are companies out there making a fine business just helping other companies figure out what computers and services they have rented, not to mention how they have set up everything.

And the result is a general mess, and a security nightmare. The firewalls are frequently set up wrong and in the wrong places.

Yesterday there was a big outage in Massachusetts of 911 emergency phone service, the explanation? “Firewall blamed for statewide 911 outage in Massachusetts” (https://whdh.com/news/investigation-continues-in-massachusetts-after-statewide-911-outage/).

As you can see, if you made it this far, I am a crank on this subject.

But guess what? A buzzphrase is finally trending, and catching up with me: “Zero Trust Architecture”. It even gets its own abbrev., ZTA.

It roughly means: Don’t assume that, because some fancy firewall let a packet through to port something-really-important, the packet is trustworthy. The receiving computer has to authenticate and authorize every request itself, no matter where the packet came from.
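Here is what that difference looks like in code. This is an added example, not code from the original post: it contrasts a firewall-style decision (trust a request because its source address is on the “inside” network) with a host that authenticates every request itself, so it would be no worse off sitting on the open internet. The 10.0.0.0/8 “internal” range, the client name, the key and the request contents are all constructed for the example; a real deployment would provision per-client credentials out of band (mTLS client certificates are the more common choice than a shared HMAC key).

```python
"""Trust by network position (what a firewall encodes) versus per-request
authentication (what a host that must survive on the open internet does).
Added example; every address, key and request below is constructed."""
import hashlib
import hmac
import ipaddress
import time

# A firewall / VPC rule expressed as code: anything from the "inside" net is trusted.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumption: the corporate range


def perimeter_accepts(client_ip: str) -> bool:
    """Firewall-style decision: the packet's source address is the only evidence."""
    return ipaddress.ip_address(client_ip) in INTERNAL_NET


# Per-client secrets. Constructed for the example; a real service would provision
# these out of band, or use mTLS client certificates instead of a shared key.
CLIENT_KEYS = {"billing-svc": bytes.fromhex("1f" * 32)}
MAX_SKEW = 60               # seconds a request timestamp may differ from server time
_seen_nonces: set = set()   # replay cache; a real service would expire old entries


def _canonical(method: str, path: str, ts: int, nonce: str, body: bytes) -> bytes:
    """The exact bytes that are signed: method, path, time, nonce and body."""
    return f"{method}\n{path}\n{ts}\n{nonce}\n".encode() + body


def sign_request(client: str, method: str, path: str, body: bytes, ts: int, nonce: str) -> dict:
    """Client side: headers that prove who sent this exact request, and when."""
    mac = hmac.new(CLIENT_KEYS[client], _canonical(method, path, ts, nonce, body), hashlib.sha256)
    return {"X-Client": client, "X-Timestamp": str(ts), "X-Nonce": nonce,
            "X-Signature": mac.hexdigest()}


def host_accepts(request: dict, now: int) -> bool:
    """Zero-trust-style decision: accept only if the request itself authenticates,
    regardless of which interface or source address it arrived on."""
    h = request["headers"]
    key = CLIENT_KEYS.get(h.get("X-Client", ""))
    if key is None:
        return False
    try:
        ts = int(h["X-Timestamp"])
        nonce = str(h["X-Nonce"])
        presented = str(h["X-Signature"])
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > MAX_SKEW or nonce in _seen_nonces:
        return False              # stale, or a replay of something already seen
    expected = hmac.new(key, _canonical(request["method"], request["path"], ts, nonce,
                                        request["body"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, presented):
        return False              # wrong key, or the request was altered in transit
    _seen_nonces.add(nonce)
    return True


def _request(headers: dict, body: bytes = b'{"amount": 1000}') -> dict:
    return {"method": "POST", "path": "/transfer", "body": body, "headers": headers}


def scenario_insider_without_credentials(now: int):
    """A compromised 10.x host (or a mis-placed firewall rule) sends an unsigned request."""
    req = _request({"X-Client": "billing-svc"})
    return perimeter_accepts("10.4.2.7"), host_accepts(req, now)       # (True, False)


def scenario_legit_client_from_outside(now: int):
    """The real client, on the open internet, with a properly signed request."""
    body = b'{"amount": 1000}'
    req = _request(sign_request("billing-svc", "POST", "/transfer", body, now, "n-legit"), body)
    return perimeter_accepts("203.0.113.5"), host_accepts(req, now)     # (False, True)


def scenario_replay(now: int):
    """The same signed request captured and presented twice."""
    body = b'{"amount": 1000}'
    req = _request(sign_request("billing-svc", "POST", "/transfer", body, now, "n-replay"), body)
    return host_accepts(req, now), host_accepts(req, now)              # (True, False)


def scenario_tampered_body(now: int) -> bool:
    """A valid signature over one body, attached to a different body."""
    hdrs = sign_request("billing-svc", "POST", "/transfer", b'{"amount": 1000}', now, "n-tamper")
    return host_accepts(_request(hdrs, b'{"amount": 999999}'), now)    # False


def scenario_stale_request(now: int) -> bool:
    """A correctly signed request whose timestamp is an hour old."""
    body = b'{"amount": 1000}'
    hdrs = sign_request("billing-svc", "POST", "/transfer", body, now - 3600, "n-stale")
    return host_accepts(_request(hdrs, body), now)                     # False


if __name__ == "__main__":
    now = int(time.time())
    print("insider, no credentials (perimeter, host):", scenario_insider_without_credentials(now))
    print("legit client from outside (perimeter, host):", scenario_legit_client_from_outside(now))
    print("replay (first, second):", scenario_replay(now))
    print("tampered body:", scenario_tampered_body(now))
    print("stale request:", scenario_stale_request(now))
```

The point of the two decision functions is that they give opposite answers on the two cases that matter: the perimeter waves through anyone who is already inside, and turns away a legitimate client who is not, while the host only cares whether the request proves itself. The timestamp window and nonce cache close the replay hole that a pure signature check would leave open; in a real service the nonce cache needs expiry, and the shared key would be replaced by per-client certificates.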

Above: trends.google.com for search term “zero trust”. The curve is flat and low until it finally starts to rise about three years ago (the three dotted vertical lines are places where Google says their trends data collection improved).

Firewalls date back to about 1994, so it took, what, nearly three decades for this idea to get some traction? Wow.

Conclusion

Design in security: make each computer secure enough that it can sit on the open internet with no protection. Then maybe look at some extra protection, perhaps against denial-of-service attacks, but do not rely on firewalls for basic security.

-kb

©2024 Kent Borg
