Wednesday, May 7, 2008

Are firewalls dead in the Web 2.0/Web Service world?

I've been working in "extremely large enterprises" for at least 5 years, going on forever, and I can see where the idea that "the perimeter is a myth" comes from. While I understand how you may think that, the thought is still wrong.

Let's take as fact that malicious activity as a whole has evolved over the past 10 years in a manner that makes "network access control" an order of magnitude less important. Since just about everyone can agree on that, I'll take my argument from that beachhead and move on, addressing specific points.

1) The perimeter is "dead"
First, let me say that I disagree that the perimeter is a thing of the past. While the perimeter has certainly become "blurry" in some cases, that blurring generally hasn't happened by necessity, but by accident. I've been through enough integrations where the border between "us" and "them" has all but dissolved to know that this isn't by design. It just happens sometimes when we architect carelessly, or just let things happen. I will argue that this is a bad thing, and should be addressed by a proper review from your enterprise architecture group, involving your security folks, obviously. The perimeter, while it has become fuzzy in some places, needs to be maintained for the overall health of a business. Access to resources should be limited and controlled, and without firewalls in the enterprise this becomes more disparate and difficult. The problem most architects see with firewalls is that they are effectively the bouncer at the door to the bar, and this assumes the bar has only one entrance/exit - or that all entrances/exits (egress/ingress points) have a bouncer (or firewall in this case) at those points. The problem comes in places like highly meshed networks where access into a segment happens from many places, or where "network segments" are virtual rather than physical entities. While technology and today's business tend to drive us in IT to dissolve borders in the name of productivity and usability - it doesn't mean we should be giving in to those drivers in exchange for our own common sense.

2) WAFs (although mis-named) are useless
Web Application Firewalls (although I personally feel they should be called Web Application Gateways) are wonderful when implemented properly. While they definitely do NOT substitute for good coding practice (I can talk about this point all night long), they still help you filter out those high-probability, easy-to-execute attacks classified as "low hanging fruit". There are at least 2 WAF vendors that I have personally reviewed and can talk about at length if anyone's interested, although I don't want to promote any particular vendor here. WAFs should do the following two things: 1) understand the application flow & parameters and 2) filter out "bad" things (signature/regexp based detection). A combination of the two will certainly help eliminate a good portion of the web vulnerabilities out there. Having reviewed over 500 applications in my time, I can honestly say that the 80/20 principle applies. 20% of the vulnerabilities cause 80% of the damage. Those, I strongly feel, are the things that we as security professionals can identify and remediate via automated methods and tools. The other 80% of vulnerabilities are the ones that are logic-flaw based, requiring the attacker to really understand things like process flow and business logic in order to cause issues. Unfortunately, those vulnerabilities will never be detected by any automated tool - simply because it requires the power of the human mind and the understanding of a warm body to identify those attacks. The problem with those attacks is that they typically take extensive time to identify and exploit - thus the reason why attackers opt for scanners and automated tools like SQL injectors to find and exploit the easy holes. I go back to one of my favorite cartoons in IT... there is a bear chasing 2 hikers and one of them stops to tie his shoe. The other hiker is screaming at him that the bear will catch him, and that they must outrun the bear... the hiker tying his shoe smiles and says "I don't have to outrun the bear, I just have to outrun you!" This is the world of business, folks - the low hanging fruit is what will be exploited. If you don't understand the ideas of acceptable risk and "good enough" - you're in trouble. So sliding back to my point... while WAFs may not be the magic silver bullet, and conceding that there are a lot of really dumb implementations out there (CheckPoint's AI, and many others), WAFs are useful and should be used in conjunction with secure code development practices and tools. Does this mean that the "firewall" is dead? No. It means that while a firewall has its place, it's clearly not at the application layer, and it doesn't serve much more purpose at the higher-level points in the OSI model.

3) Web Services somehow makes everything "different"
I swear if I hear one more person tell me that "Web Services has fundamentally changed everything" I'm going to scream. This simply isn't the case. We've had web services for years, but we've simply not called them that before. How many of us have had to deal with headless applications which act as data-processing engines via HTTP? I know I have. Web services hitting the market simply tells us that we have to look at our architectures and re-evaluate some of the things we've been doing, and apply those lessons learned from serving pages to the "Web" to yet another slightly different method of doing so. Let me admit that fundamentally, web services are slightly different from a web server, in that there are re-usable components, an ESB, and lots of things all happening in the same "security zone". This doesn't fundamentally change the game, though, in my humble view. A firewall outside at the perimeter can still keep the usual barrage of crap from consuming your valuable resources on the Web Service. That being said, if you have a web service that's open to the world - a firewall isn't really going to help THAT web service be more protected, outside of keeping the rest of the ports on that machine (real or virtual) from being accessed from the outside or hostile world. Firewalls have their uses in every aspect of our businesses, keeping segments separate and acting as the big-mesh screen that pulls out the obvious and the unwelcome at an IP/port/protocol layer. But just like with web servers, once you've figured out that some web server is vulnerable on port 80 to an attack, the firewall will let you poke at that defect all day long unless there is a more intelligent device behind the firewall.
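To make the layering in points 2 and 3 concrete, here is an added example (my own toy model, not code from the original post or from any WAF vendor). Stage 0 is a network firewall that sees only protocol and port, so it can drop an SSH probe but must pass anything aimed at port 80. Stages 1 and 2 model the two WAF jobs named above: a positive model of the application's routes and expected parameters, and signature/regexp detection of obvious payloads. The route model, the signatures, and every request below are constructed assumptions for a hypothetical public web host; the point is to show which layer catches what.

```python
"""
Toy model of layered filtering: network firewall (ip/port/protocol) in front of a
WAF that applies a positive model (application flow & parameters) and a negative
model (signature/regex detection). Everything here is a constructed example.
"""
import re
from dataclasses import dataclass, field

# --- Stage 0: network firewall, sees only the transport tuple ----------------
# Hypothetical policy for a public web host: only HTTP/HTTPS reachable from outside.
NETWORK_ALLOW = {("tcp", 80), ("tcp", 443)}


def network_filter(proto, dst_port):
    """Decide purely on protocol/port; the payload is invisible at this layer."""
    return "allow" if (proto, dst_port) in NETWORK_ALLOW else "drop"


# --- Stage 1: positive model of the application (hypothetical routes) --------
# For each (method, path): the parameters it accepts and the shape each value must have.
ROUTE_MODEL = {
    ("GET", "/search"): {"q": re.compile(r"^[\w\s\-]{1,64}$")},
    ("POST", "/login"): {
        "user": re.compile(r"^[A-Za-z0-9_.]{1,32}$"),
        "password": re.compile(r"^[^\r\n]{1,128}$"),
    },
}

# --- Stage 2: negative model, coarse signatures for low-hanging-fruit payloads
SIGNATURES = [
    ("sqli", re.compile(r"(?i)(\bunion\b\s+\bselect\b|'\s*or\s+1\s*=\s*1|--\s*$|;\s*drop\b)")),
    ("xss", re.compile(r"(?i)(<script\b|javascript:|onerror\s*=)")),
    ("traversal", re.compile(r"\.\.[/\\]")),
]


@dataclass
class Request:
    proto: str
    dst_port: int
    method: str
    path: str
    params: dict = field(default_factory=dict)


def check_positive_model(req):
    """Violations of the declared application model (unknown route, unexpected or malformed parameter)."""
    model = ROUTE_MODEL.get((req.method, req.path))
    if model is None:
        return [f"unknown route {req.method} {req.path}"]
    violations = []
    for name, value in req.params.items():
        if name not in model:
            violations.append(f"unexpected parameter {name!r}")
        elif not model[name].match(value):
            violations.append(f"parameter {name!r} fails shape check")
    return violations


def check_signatures(req):
    """(label, parameter) pairs for every parameter value a signature matches."""
    return [(label, name)
            for name, value in req.params.items()
            for label, pattern in SIGNATURES
            if pattern.search(value)]


def evaluate(req):
    """Run the stages in order; return (decision, stage that decided, reasons)."""
    if network_filter(req.proto, req.dst_port) == "drop":
        return ("drop", "network", [f"{req.proto}/{req.dst_port} not permitted"])
    reasons = check_positive_model(req)
    reasons += [f"signature {label} in {name!r}" for label, name in check_signatures(req)]
    if reasons:
        return ("block", "waf", reasons)
    return ("allow", "waf", [])


# Constructed sample traffic (not captured from any real system).
SAMPLES = [
    Request("tcp", 22, "", "", {}),                                   # SSH probe: stopped at the network layer
    Request("tcp", 80, "GET", "/search", {"q": "network firewalls"}),  # ordinary request
    Request("tcp", 80, "GET", "/search", {"q": "' OR 1=1 --"}),        # passes port 80, caught by the WAF
    Request("tcp", 80, "GET", "/search", {"q": "a", "debug": "1"}),    # no signature hit; positive model catches it
    Request("tcp", 443, "POST", "/login", {"user": "alice", "password": "correct horse"}),
    Request("tcp", 80, "GET", "/admin", {}),                          # route the model never declared
]


def run_samples(samples=SAMPLES):
    """Decision for each sample, in order."""
    return [evaluate(r)[0] for r in samples]


if __name__ == "__main__":
    for r in SAMPLES:
        print(f"{r.proto}/{r.dst_port} {r.method} {r.path} {r.params} -> {evaluate(r)}")
```

Two things are worth noticing when you run it. The SQL injection sample is invisible to `network_filter` because port 80 is legitimately open, exactly the situation point 3 describes; only the WAF stage sees it. And the `debug=1` sample matches no signature at all, so a purely signature-based product would pass it; it is the positive model of "which parameters does this route actually take" that blocks it. Neither stage would notice a request that uses the application's real parameters in a logically wrong order, which is the 80% the post says automated tools will not find.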

In summary - firewalls are far from dead and useless, the perimeter is alive and well (or at least it should be), and if you're arguing otherwise I say to you: "You've given in to the pressures that the business has put on IT to 'just make it happen, worry about the security later'."

This is my opinion, and I'm sticking to it.

Cheers all.
