The firewall -- has the "magic" box lost its mojo?
With all of the information security challenges we face today, we are all in search of the magic box that, when connected to our network, will forever keep us safe from hackers and data thieves. For a number of years, many people believed that a firewall was just such a box. Frankly, it deserved some of that reputation for a few years, until the owners assumed that the “magic” had their backs, and just forgot about them. Sadly, the hackers did not forgot about them.
For the uninitiated, a firewall is a device that controls the flow of data in and out of one or more networks. It blocks unauthorized traffic into a network from the Internet, controls traffic going back out, and, depending on the features, provides additional layers of protection.
Given the growing complexity of networks, and the growing sophistication of hackers, the firewall no longer quite lives up to its early promise. That being said, when managed rather than ignored, it remains a significant part of the security arsenal.
In my experience working with small/medium organizations in recent years, I have found that their firewall situation usually fits into one of the following categories:
Having heard that firewalls no longer live up to the hype, they don't have one, and don't think they are worth the trouble
They think their Internet provider's equipment takes care of them, so they don't worry
They have a cheap firewall, which they purchased at their local office supply store
They have a good, expensive firewall, which they installed previously, and have never touched again
Let’s consider each one of those categories individually:
Once the news spread about hackers being able to penetrate firewalls, many stopped believing in the magic, and did not bother to have one. Consider the recent news regarding the Bank of Bangladesh and their loss of over $100 million to hackers. Reuters reported that the systems responsible for money transfer that were compromised had no firewall and cheap, used routers. At the most basic level, a firewall prevents any traffic from coming into a network that is not explicitly authorized. In their case, even a cheap firewall that was not properly managed might (and I say might because of the complexity of this attack) have kept them out of the news. So, if you fall in the no firewall camp, I suggest you fix that, today.
Trusting Internet Provider
This is a slight step up from having no firewall at all, but not much of one. Internet providers often supply a router as part of their service, and this device may have some firewall capabilities built in. That being said, researchers often find vulnerabilities in these products, which the provider is slow to fix, given that they usually have custom firmware installed. It might be many months after a vulnerability is found before the provider has a new firmware version available. In the information security world, a few months is an eternity! Beyond that, I just have trouble trusting a device provided by a vendor that has trouble keeping my service working in the first place.
As I said, a cheap firewall might have saved the Bank of Bangladesh, but it is far from ideal. At the risk of over generalizing, a cheap firewall will give you cheap protection. While I don't mean to offend my office supply store friends, they tend to stock inexpensive, high turnover items about which they don't have to answer a bunch of questions. The inexpensive, high turnover firewalls tend to be discontinued quickly by the manufacturer in favor of newer, flashier models. A firewall with no support or firmware updates is not much better than none at all. Further, they often lack important features, like intrusion prevention, which can spot signs of attempted network compromise, and block them. I am a fan if intrusion prevention systems, because they can block some aspects of ransomware and other vulnerabilities your anti-virus software will miss.
Case in point -- I was called recently to help a medical office with PCI compliance. They had a firewall purchased from Office Junction (name changed to protect the innocent). The firewall had a bug which would cause their PCI network scan to fail. The well-known vendor in question NEVER released a firmware update after the original, so there was no way to get it working properly.
Network exploits change frequently and grow in complexity, well beyond what the designers knew about when they created their firewall product. Also, firewalls themselves are occasionally found to have vulnerabilities. Firmware updates address these issues. If you have a good firewall, the vendor is likely releasing new software to address new issues. To have the best possible protection for your network, it is critical that you keep your firewall up-to-date. Also, one of the best ways to know if someone is attacking your network is to look at the firewall logs. They are a great resource, which you are missing if you treat your firewall like a set and forget appliance.
If you don’t have a firewall, get one, today
If you have a cheap firewall, get a good one. My personal preference is Dell Sonicwall, but there are many other good products available from Barracuda, Cisco, Fortinet, etc
If your firewall have become a set and forget appliance, give it some love, even if you need to pay a vendor for a few hours a month to handle it. Check its firmware frequently, review the logs, and understand the rules that are setup.
The $100 million you save may be yours!