Firewalls are simply one physical security component of an overall security architecture. Firewalls can be helpful. However, by themselves they do not solve all of a corporation’s security needs. Firewalls do the basics: trap, analyze and then allow or deny specific network communication activity. Great, but once an attacker understands what is allowed and what is not, the next step is to attack through the open port (or communication signature) into the internal security zone behind it. The value of the firewall, by itself, becomes more questionable when companies set up separate firewalls for different tiers and different groups of people, because the configuration and management of these environments becomes more and more challenging. Besides potentially strangling the communication network (architecting a self-inflicted DoS attack), this becomes more problematic when many firewalls are incorrectly configured for their specific situation. The greater the number of firewalls and communication paths, the greater the statistical probability of configuration errors.
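To make the misconfiguration point concrete, here is an added example (not from the original post) of the kind of check an architecture team can run over tiered rule sets: it flags rules that an earlier, broader rule of the opposite action has shadowed, and evaluates whether a flow survives every firewall on its path. The rule text format, the tier addresses and the rule sets are all constructed for this illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: range                 # destination TCP ports matched by the rule

def parse_rule(line: str) -> Rule:
    """Parse 'name action src dst port[-port]'; this text format is constructed for the example."""
    name, action, src, dst, ports = line.split()
    lo, _, hi = ports.partition("-")
    return Rule(name, action, ipaddress.ip_network(src), ipaddress.ip_network(dst),
                range(int(lo), int(hi or lo) + 1))

def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet matched by `inner` is also matched by `outer`."""
    return (inner.src.subnet_of(outer.src) and inner.dst.subnet_of(outer.dst)
            and inner.ports.start >= outer.ports.start and inner.ports.stop <= outer.ports.stop)

def shadowed(rules: list) -> dict:
    """Rules that can never fire because an earlier rule with the opposite action covers them."""
    found = {}
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.action != rule.action and covers(earlier, rule):
                found[rule.name] = earlier.name   # rule -> the rule hiding it
                break
    return found

def first_match(rules: list, src: str, dst: str, port: int) -> str:
    """Evaluate one firewall: the first matching rule wins, with an implicit final deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if s in rule.src and d in rule.dst and port in rule.ports:
            return rule.action
    return "deny"

def path_decision(firewalls: list, src: str, dst: str, port: int) -> str:
    """A flow crosses a chain of firewalls only if every firewall on the path allows it."""
    return "allow" if all(first_match(fw, src, dst, port) == "allow" for fw in firewalls) else "deny"

# Constructed rule sets: perimeter firewall before the web tier (10.1.2.0/24), internal firewall before the DB tier (10.1.3.0/24).
PERIMETER = [parse_rule(l) for l in ["p1 allow 0.0.0.0/0 10.1.2.0/24 443",
                                     "p2 deny  0.0.0.0/0 10.0.0.0/8  1-65535"]]
INTERNAL = [parse_rule(l) for l in ["i1 allow 10.1.0.0/16 10.1.3.0/24 1-65535",  # "sure, that will work"
                                    "i2 deny  10.1.2.0/24 10.1.3.0/24 22"]]      # intended block, hidden by i1
```

Running `shadowed(INTERNAL)` reports that `i2` never fires, and `path_decision([INTERNAL], "10.1.2.10", "10.1.3.5", 22)` shows the web-to-database SSH flow the team believed was blocked is in fact allowed.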


Exacerbating this issue, too many companies set up the hard-candy-shell, soft-inner-core model (where security inside the trusted network is non-existent). Since a good majority of malicious hacks happen within a corporation (especially within the telecom industry), the firewalls provide no assistance at all there. Good security begins with good security architecture models and good security management models (configuration, monitoring, change control and configuration control).

This includes well-performing authentication, authorization, confidentiality and non-repudiation services between the different users and systems inside the network.

Yet this becomes more challenging as every application silo creates its own authorization, authentication, confidentiality and non-repudiation mechanisms (as well as its own management instrumentation, monitoring, provisioning and patch management environment). In the architecture world, complexity is a disease, not a feature. To develop a consistent, predictable and effective security capability, architectural complexity must be reduced across silos (and firewalls don’t necessarily fix that).


Also, firewall technology must be effective in the face of new technical relationships. We are seeing an increase in computational, network and storage virtualization, all requiring secure communication and manageable consolidation in the data center. For example, as application management switches begin physically flattening tier models through soft-piping, virtual IP addresses and virtual subnets, the firewall and IPS must be capable of monitoring aggregate communication links and soft-piped communication subnets with different rules for different virtualized networks (virtualization of multiple IPS and firewall systems into one), and be properly manageable at the same time. This becomes more complicated with computational and storage virtualization. All of these models have completely different taxonomies and design pattern relationships. This will create a significant level of firewall complexity in the future. Most do not have a clue how this new brittleness will be exploited by hackers, or what a firewall or IPS architecture design would look like to prevent these future threats.


Finally, one of the biggest problems with firewalls is their lack of organic knowledge lifecycle management capability. Let me explain. Most data centers live through three types of knowledge: 1) tribal knowledge (the “yes, sure that will work” statement in the meeting room), 2) synthetic knowledge (what Microsoft and other vendors provide to customers as best practice information so they can be successful with our technology products) and 3) organic knowledge (best practices a customer learns on its own, based on the unique technical, architectural, cultural, process and people relationships in the organization). Organic knowledge is the most valuable and the least managed in an organization. The main trick is to capture, analyze and capitalize on this information by feeding it back to architects (software, data center and business) as well as to the developers and system administrators. This is especially true for security architecture, where large corporations have a multitude of diverse technologies, architectural approaches, processes and skills. Capitalizing on organic knowledge is one of the most challenging problems most IT organizations face. It has the potential to significantly reduce reactive activity by promoting learned best practices based on the unique complexity of their organization. Firewalls (by themselves) don’t solve this problem. Most firewalls actually contribute to the problem by producing complex log files that only a few people can manually analyze. This becomes worse when most of the organic knowledge that is captured is never communicated back to the architecture teams.


But don’t blame firewalls. Many enterprise firewall products do their jobs well. The problem happens when the product is deployed without a good security architecture model to capitalize on the technology effectively while providing consistent, predictable and manageable security services to the organization.