Firewalls, a history lesson


Recently, a rather high profile software company has been taken to task about its patching strategy.

One of the comments that was made by the customers of this company was basically: “We don’t have to worry, all our servers are behind a firewall”.

I’ve got to be honest and wonder why these people believe that their firewall somehow protects their systems.  A firewall is the outside of what is known as “M&M Security” – Hard and Crunchy outside, Soft and Chewy inside.  The basic problem with M&M security is that once a bad guy (or worm, or virus, or malware of any form) gets behind the crunchy outside, the game is over.

George Santayana once said “Those who cannot remember the past are condemned to repeat it.”.  And trusting in a firewall is an almost perfect example of this.

It turns out that there’s a real-world example of a firewall that almost perfectly mirrors today’s use of firewalls.  It’s actually quite uncanny in its accuracy.

Immediately after WW1, the French, seeing the potential for a threat from Germany, built a series of fortifications known as the “Maginot Line”.  These were state-of-the-art fortifications designed to protect against most if not all the threats known at the time.

(Image stolen from wikipedia).

From all accounts, the Maginot Line was a huge success.  Everywhere the German army engaged the French on the Maginot line, the line did an excellent job of protecting France.   But it still failed.  Why?  Because instead of attacking the Maginot Line head-on, the Germans instead chose to cut through where the Maginot line was weak – the Saar gap (normally an impenetrable swamp, but which was unusually dry that year) and the Low Countries (Belgium and the Netherlands, which weren’t considered threats), thus bypassing the protection.

The parallels of the Maginot line and Firewalls are truly eerie.  For instance, take the paragraph above, and replace the words “Maginot Line” with “firewall”, “French” with “the servers”, “German Army” with “Hackers”, “Saar gap” with “unforeseen cracks” and “Low Countries” with “employee’s laptops” and see how it works:

From all accounts, the Firewall was a huge success.  Everywhere the Hackers engaged the servers on the line, the firewall did an excellent job of protecting the servers.   But it still failed.  Why?  Because instead of attacking the Firewall head-on, the hackers instead chose to cut through where the firewall was weak – they utilized previously unforeseen cracks (because the company hadn’t realized that their WEP protected network was crackable) and the employee’s laptops, where the firewall was weak (because the employee’s laptops weren’t considered threats), thus bypassing the protection.

You should never assume that some single external entity is going to protect your critical assets.  If you’ve got a huge armored front door, I can guarantee that the thieves won’t come through the armored front door.  Instead, they’re going to pick up a rock and throw it through the glass window immediately next to the door and go through it.

I’m not dinging firewalls.  They are an important part of your defensive arsenal, and can provide a critical front line of defense.  But they’re not a substitute for defense in depth.  And let’s be honest: Not everyone configures their firewall correctly.

If you assume that your firewall protects you from threats, then you’re going to be really upset when the bad guys come in through an unprotected venue and steal all your assets.
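To make the “M&M security” point concrete in code, here is an added example (not from the original post) with a toy first-match packet-filter evaluator. It runs the same flows through two constructed policies: a perimeter-only one, where traffic that never crosses the perimeter (an employee’s laptop talking to a server on the same LAN) is never inspected at all, and a defense-in-depth one, where the server also carries its own host-level ruleset. All addresses, ports and rules are constructed for illustration.

```python
"""Added example: perimeter-only filtering versus a host-level second layer.
All addresses, networks, rules and flows are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # CIDR the source address must fall inside
    dst: str               # CIDR the destination address must fall inside
    dport: Optional[int] = None   # None matches any destination port


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def evaluate(rules: List[Rule], flow: Flow, default: str = "deny") -> str:
    """First matching rule wins; anything unmatched gets the default verdict."""
    s, d = ip_address(flow.src), ip_address(flow.dst)
    for r in rules:
        if (s in ip_network(r.src) and d in ip_network(r.dst)
                and (r.dport is None or r.dport == flow.dport)):
            return r.action
    return default


# Constructed topology: the perimeter firewall sits between the Internet and
# the 10.0.0.0/8 LAN; the only published service is the web server 10.0.1.10.
LAN = "10.0.0.0/8"
SERVER = "10.0.1.10/32"
JUMP_HOSTS = "10.0.9.0/24"     # the only subnet allowed to administer the server

PERIMETER = [
    Rule("allow", "0.0.0.0/0", SERVER, 80),
    Rule("deny", "0.0.0.0/0", LAN),
]

# Host-level ruleset on the server itself: the second layer.
SERVER_HOST = [
    Rule("allow", JUMP_HOSTS, SERVER, 22),
    Rule("allow", "0.0.0.0/0", SERVER, 80),
    Rule("deny", "0.0.0.0/0", SERVER),
]


def crosses_perimeter(flow: Flow, lan: str = LAN) -> bool:
    """True only when exactly one endpoint is inside the LAN."""
    return (ip_address(flow.src) in ip_network(lan)) != (ip_address(flow.dst) in ip_network(lan))


def verdict_perimeter_only(flow: Flow) -> str:
    """The crunchy outside: traffic that stays inside the LAN is never filtered."""
    if crosses_perimeter(flow):
        return evaluate(PERIMETER, flow)
    return "allow"


def verdict_defense_in_depth(flow: Flow) -> str:
    """Perimeter first, then the server's own ruleset, whichever path the packet took."""
    if crosses_perimeter(flow) and evaluate(PERIMETER, flow) == "deny":
        return "deny"
    return evaluate(SERVER_HOST, flow)


def compare(flow: Flow) -> dict:
    return {"perimeter_only": verdict_perimeter_only(flow),
            "defense_in_depth": verdict_defense_in_depth(flow)}


# Constructed sample flows: an Internet client, a compromised employee laptop
# already inside the LAN, and a legitimate admin jump host.
SAMPLE_FLOWS = {
    "internet -> web":     Flow("203.0.113.5", "10.0.1.10", 80),
    "internet -> smb":     Flow("203.0.113.5", "10.0.1.10", 445),
    "laptop -> smb":       Flow("10.0.50.23", "10.0.1.10", 445),
    "laptop -> ssh":       Flow("10.0.50.23", "10.0.1.10", 22),
    "jump host -> ssh":    Flow("10.0.9.4", "10.0.1.10", 22),
}

if __name__ == "__main__":
    for name, flow in SAMPLE_FLOWS.items():
        print(f"{name:20s} {compare(flow)}")
```

The two Internet-originated flows get the same verdict under both policies, which is why a perimeter firewall looks like a “huge success” in the logs. The laptop flows are the Saar gap: they never traverse the perimeter, so the perimeter-only policy silently allows them, and only the host-level rules on the server turn them away.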

Thanks to Stephen Toulouse and Michael Howard for their feedback.

Comments (27)

  1. Anonymous says:

    For further reading I recommend Bruce Schneier’s blog at http://www.schneier.com/blog/ as well as his Cryptogram newsletter at http://www.schneier.com/crypto-gram.html

    Security is difficult to get right.

  2. Anonymous says:

    I think the TSA and Dept of Homeland Security need to hire Larry as a consultant.

  3. Anonymous says:

    “If you’ve got a huge armored front door, I can guarantee that the thieves won’t come through the armored front door. Instead, they’re going to pick up a rock and throw it through the glass window immediately next to the door and go through it.”
    Just recently here in Norway there was a court case about some criminals doing something very similar to this, and they actually got away with one of the largest “robbery profits” of all robberies done in Norway.

    The brain behind the robbery plot had noticed that there was a quite simple backdoor into an office of the national bank. This door had a glass window, and it was quite easy for them to approach it. They planned that a few strokes with a sledgehammer would open it up, or as “the brain” said “It’s gonna be as easy as crushing a cookie”. But the glass window was (is?) actually heavily armoured so they had to use a lot of force (5 minutes of shooting with automatic guns). See http://www.aftenposten.no/english/local/article1117645.ece for more about the robbery. Sorry for all the errors in my poor explanation of it!

    So the glass window next to the armored front door *might* actually be a “honey pot” ;). But of course employee’s laptops are not really used as honey pots.

  4. Anonymous says:

    I think wikipedia has disabled hotlinking, but you are still seeing the image because it’s in your cache. I got a red cross and had to go to the url manually.

  5. Crud. I’ll see what I can do about making the image work all the time.

  6. Or they could just blackmail an employee for their password.

  7. FWIW, I see the image.

  8. Anonymous says:

    Ed Amoroso (Chief Security Officer for AT&T) talked about this very eloquently in a recent podcast for the IT Conversations – Frontline Security series:
    http://www.itconversations.com/shows/detail965.html

    Excerpt from the show notes:
    Amoroso recently has advocated a new approach to security. Observing that today’s firewall approach to protecting the edge isn’t working. Instead, we should implement security in the network. He predicts that within two years, managed DMZs and firewalls will disappear, because “the carrier can do that more effectively and efficiently.” Carriers can detect perturbations in the cloud and filter them.

  9. Anonymous says:

    A firewall shouldn’t be necessary. I look at it from the opposite direction. A firewall is the last line of defense (like the Wehrmacht’s counter attack doctrine based on elastic defense of WW1). The system should be secure without a firewall. I regard the firewall as the emergency last line if the normal defenses have a mistake in them.

    PS The yanks, during their limited involvement in WW2, took the Maginot line from the rear. But it still wasn’t easy for young Americans to defeat 80 and 15 year old German soldiers.

    Elastic Defense

    http://72.14.207.104/search?q=cache:T0KMWa2VMeoJ:www-cgsc.army.mil/carl/resources/csi/Lupfer/lupfer.asp+Dynamics+of+doctrine+the+change+in+German+tactical+doctrine&hl=en&gl=au&ct=clnk&cd=1&lr=lang_en

    WW2 application or non application (blame hitler – the german army did)

    http://72.14.203.104/search?q=cache:JVSPMKBfOcgJ:www-cgsc.army.mil/carl/resources/csi/Wray/wray.asp+Standing+Fast+German+defensive+doctrine+on+the+Russian+front&hl=en&ct=clnk&cd=1&lr=lang_en

    Good to see your posts becoming more interesting. Although mentioning firewalls spoilt it a bit.

    You know the American military is based on French methodical battle. In the last couple of decades the US Army have been busy trying to emulate the Wehrmacht of WW2.

  10. David, that’s an interesting take on this, and one that bears thought. I’m not sure I agree with you, the last line of defense is the one that’s going to save your bacon when everything else has failed, but the firewall is more typically at the front lines – it’s going to be the primary point of contact from the bad guys.

    The problem comes when you think that the bad guys are only going after your firewall.

  11. Anonymous says:

    > George Santayana once said “Those who cannot remember
    > the past are condemned to repeat it.”.

    Yeah, but he got it backwards. Those who CAN remember the past are condemned to repeat it. Those who cannot remember it experience it for the first time. In fact, or at least according to rumour, this observation has sometimes been noted inside Microsoft as well as in the general software industry.

    Thursday, February 02, 2006 12:27 PM by Seth McCarus
    > I think the TSA and Dept of Homeland Security need to hire
    > Larry as a consultant.

    Yeah, then they’d have yet one more advisor they’d have to ignore while they go about issuing visas to dead hijackers after the hijackers did their jobs, blaming Canada for letting US immigration officials let holders of US visas enter the US from Canada, preventing US Secret Service agents from boarding planes in the US due to Secret Service agent’s racial appearance, preventing 4-year-olds from boarding planes due to equally accurate profiling methods (name instead of race), etc.

  12. Anonymous says:

    I realise the firewall is engaged first. But that’s the wrong way to look at it. Firewalls, to be useful (else one would yank the network cable out), have holes in them. This means the system must protect itself without relying on the firewall as it may be open for good reason (running a web server or sharing files).

    Only when a system can go online without a firewall should it be considered for release. Then one puts the firewall on AFTER one is sure it is not needed.

    XP SP2 does a good job. I accidentally (stuffing around with loopbacks and activesynch and UNC paths) spent a month online with no firewall. Nothing happened. This is what should happen (nothing).

    It keeps the lock pick away from the lock in some circumstances. But that can’t be relied upon as port 80 or 135 may need to be opened. Or the attacker comes in as a client as in browsing to a web site – that web site is allowed in through the wall.

    So I worry at this emphasis on firewalls and have certainly noticed that many people only configure the firewall.

    Firewalls are also code and can crash or have logic errors just like any other part of a computer.

  13. Anonymous says:

    Larry,

    Awesome analysis. My gut knows this, but the analogy was so perfect. Thanks.

  14. Anonymous says:

    “Fixed fortifications are monuments to man’s stupidity.”
    — George S. Patton.

  15. Anonymous says:

    This is offtopic, but since the upgrade none of the comments have newlines (at least when viewed in IE).

    Maybe you support HTML syntax now?

  16. Anonymous says:

    I agree with Larry’s point, but I have to take his interpretation of the Maginot Line to task.

    The Maginot Line was intended to direct future German attacks to a few key locations to allow the French to devote a larger portion of the army to repulse the invasion instead of serving as reserve or garrison troops. It succeeded.

    The French didn’t scrimp on the mobile portion of their military either. They had better tanks, anti-tank guns and aircraft than the Germans, as well as a well trained core of professional officers & non-coms.

    Once the fighting started, a few early battles were lost, but the Army was intact and morale was high. German losses were much higher and included several key commanders and many tanks.

    The French were defeated as a direct result of poor decisions and defeatist attitudes held by the aging political & military leaders — the Army was betrayed by its leadership.

  17. Anonymous says:

    An off-topic note regarding “Image stolen from wikipedia”: you don’t need to “steal” the image, it is freely licensed under cc-by-sa-2.5 (see http://commons.wikimedia.org/wiki/Image:Maginot_Line_ln-en.jpg), you should just mention the author and the license (although it would be preferred to host a copy elsewhere instead of hotlinking that puts strain on already overloaded Wikimedia servers 😉 …).

  18. Anonymous says:

    I bought a PC for my mother-in-law and set her up with a dial-up account. The machine was owned immediately. Multiple times I scraped out the malware, tightened things up, but still the malware got installed.

    XP SP 2 finally came out. I installed the SP (including Windows firewall), replaced IE with Firefox, and left her with a non-admin account (only I had the Administrator password). Within days, the machine was again unusable because all the spyware brought it to a standstill. Last night I wiped the drive and today I’m donating her PC, as my mother-in-law has no more interest in the computer.

    The scary thing is that the only difference between her situation and mine, is that I’ve got a hardware firewall. Until December when I got hit with a WMF exploit served in an ad banner, my machine had never been compromised. So the firewall may be just another layer of defense, but it has proven to be the most important one. More than once I’ve wondered why I have spent hundreds of dollars on antivirus subscriptions over the years when I’ve never had a virus get onto my machine.

  19. Anonymous says:

    Larry Osterman has an interesting post on blind faith in firewalls.

    Security works best when it is…

  20. Anonymous says:

    You are not always stealing because your image is under a free license, and if you are stealing, you are stealing not from wikipedia, but from the Wikimedia Commons. This page says what license the image is under.

    http://commons.wikimedia.org/wiki/Image:Maginot_Line_ln-en.jpg

  21. Anonymous says:

    Which in fact says that he may display it anywhere and make derivative work as long as the derivative work is licensed under the exact same license.

    In other words, he did nothing wrong and can remove the "stolen" line.

  22. Anonymous says:

    Um, they did crack some of the Maginot Line: flew glider troops on top of it and used shaped charges to blow their way in.