Recently, a rather high profile software company has been taken to task about its patching strategy.
One of the comments that was made by the customers of this company was basically: “We don’t have to worry, all our servers are behind a firewall”.
I’ve got to be honest and wonder why these people that their firewall somehow protects their systems? A firewall is the outside of what is known as “M&M Security” – Hard and Crunchy outside, Soft and Chewy inside. The basic problem with M&M security is that once a bad guy (or worm, or virus, or malware of any form) gets behind the crunchy outside, the game is over.
George Santayana once said “Those who cannot remember the past are condemned to repeat it.”. And trusting in a firewall is an almost perfect example of this.
It turns out that there’s a real-world example of a firewall that almost perfectly mirrors today’s use of firewalls. It’s actually quite uncanny in its accuracy.
Immediately after WW1, the French, seeing the potential for a threat from Germany, built a series of fortifications known as the “Maginot Line“. These were state-of-the art fortifications designed to protect against most if not all the threats known at the time.
(Image stolen from wikipedia).
From all accounts, the Maginot Line was a huge success. Everywhere the German army engaged the French on the Maginot line, the line did an excellent job of protecting France. But it still failed. Why? Because instead of attacking the Maginot Line head-on, the Germans instead chose to cut through where the Maginot line was weak – the Saar gap (normally an impenetrable swamp, but which was unusually dry that year) and the Low Countries (Belgium and the Netherlands, which weren’t considered threats), thus bypassing the protection.
The parallels of the Maginot line and Firewalls are truly eerie. For instance, take the paragraph above, and replace the words “Maginot Line” with “firewall”, “French” with “the servers”, “German Army” with “Hackers”, Saar gap with unforeseen cracks and “Low Countries” with “employee’s laptops” and see how it works:
From all accounts, the Firewall was a huge success. Everywhere the Hackers engaged the servers on the line, the firewall did an excellent job of protecting the servers. But it still failed. Why? Because instead of attacking the Firewall head-on, the hackers instead chose to cut through where the firewall was weak – they utilized previously unforeseen cracks (because the company hadn’t realized that their WEP protected network was crackable) and the employee’s laptops, where the firewall was weak (because the employee’s laptops weren’t considered threats), thus bypassing the protection.
You should never assume that some single external entity is going to protect your critical assets. If you’ve got a huge armored front door, I can guarantee that the thieves won’t come through the armored front door. Instead, they’re going to pick up a rock and throw it through the glass window immediately next to the door and go through it.
I’m not dinging firewalls. They are an important part of your defensive arsenal, and can provide a critical front line of defense. But they’re not a substitute for defense in depth. And let’s be honest: Not everyone configures their firewall correctly.
If you assume that your firewall protects you from threats, then you’re going to be really upset when the bad guys come in through an unprotected venue and steal all your assets.
Thanks to Stephen Toulouse and Michael Howard for their feedback.