How useful are firewalls?

Ten or twelve years ago, a company with a firewall was likely ahead of the curve. During the early era of the internet, most companies were more concerned with getting connected than with the security ramifications of it. Companies used simple NAT devices or proxies, sometimes running on vulnerable operating systems. Ironically, during this era exploitation of vulnerabilities was less widespread and even less publicized.

Today, there are highly publicized security incidents on a regular basis. I think this is true for a few reasons. First, systems are designed with lots of hooks. These are used for business-to-business connectivity of systems, increased functionality of end systems and an overall richer end user experience. Second, software is bloated and complex. Software today is a layered approach of building on what others have done. Vulnerabilities at any layer of code lead to issues that may not be immediately apparent. Additionally, with the prolific use of the internet, the methods and tools used for exploitation have become widely available. This decreases the skill level required to successfully compromise a system, and thus increases the size of the malicious technical community.

So how can a firewall protect information?  How can a firewall be a better judge of what is legitimate and what is malicious than the end systems?  How can a firewall inspect what information is leaving through an encrypted channel?  The answers to all of these questions are that it cannot.  At best a firewall is a general purpose security appliance that applies network policy and enforces protocol rules.   It is the security gateway and control between the corporate network and the internet, but it is only a small piece of the overall “security system”.

To demonstrate this, we could use a firewall that is configured to permit email, http, and https. For the example, we will say that an attacker sent an email with an attachment enticing the users to open it. The email would be masked to look as though it came from an internal user. One or two users open the enticing email attachment and an embedded macro downloads and executes code based on a vulnerability in Microsoft Office. The downloaded code uses an https encrypted connection outbound to a machine that now controls it. The firewall sees an outbound SSL connection, but the machine is owned. If the code was custom written, it is very likely that it would circumvent the antivirus on the PC as well. This communication is basically the same firewall circumvention technique that is employed by GoToMyPC, LogMeIn and WebEx: the remote control is masqueraded as web traffic. As far as the attacker is concerned, the firewall is nonexistent at this point, and the attacker is bound only by the softer internal controls of the network.
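To make the point concrete, here is an added example (not code from the original post) that models the port/protocol policy in the scenario and evaluates it against constructed connection records. Both the user's browsing and the compromised host's outbound https connection get the same "permit" verdict from the firewall; a separate behavioural check (regular call-home intervals, a threshold chosen for the constructed data) is what distinguishes them, and it lives outside the firewall rule set.

```python
from collections import defaultdict
from dataclasses import dataclass

# Policy from the scenario: permit email, http and https outbound; deny the rest.
PERMITTED_PORTS = {25: "smtp", 80: "http", 443: "https"}


@dataclass(frozen=True)
class Conn:
    ts: int      # seconds since an arbitrary epoch (constructed sample data)
    src: str
    dst: str
    dport: int


def firewall_verdict(conn: Conn) -> str:
    """What a port/protocol firewall decides: it only sees the addresses and port."""
    return "permit" if conn.dport in PERMITTED_PORTS else "deny"


def beacon_candidates(conns, min_count=4, max_jitter=2):
    """Flag (src, dst) pairs that connect at a near-constant interval.
    Thresholds are assumptions chosen for the constructed sample below."""
    by_pair = defaultdict(list)
    for c in conns:
        by_pair[(c.src, c.dst)].append(c.ts)
    flagged = []
    for pair, times in by_pair.items():
        times.sort()
        if len(times) < min_count:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= max_jitter:
            flagged.append(pair)
    return flagged


def review(conns):
    """Apply the firewall policy, then run the beacon check over what it let through."""
    allowed = [c for c in conns if firewall_verdict(c) == "permit"]
    return {"permitted": len(allowed), "denied": len(conns) - len(allowed),
            "beacons": beacon_candidates(allowed)}


# Constructed sample: 10.0.0.5 is a user browsing; 10.0.0.9 is the owned PC
# calling its controller on 443 every ~60 s (plus one attempt on a blocked port).
SAMPLE = [
    Conn(10, "10.0.0.5", "203.0.113.10", 443), Conn(47, "10.0.0.5", "203.0.113.20", 443),
    Conn(95, "10.0.0.5", "203.0.113.30", 80),
    Conn(0, "10.0.0.9", "198.51.100.7", 443), Conn(60, "10.0.0.9", "198.51.100.7", 443),
    Conn(121, "10.0.0.9", "198.51.100.7", 443), Conn(180, "10.0.0.9", "198.51.100.7", 443),
    Conn(5, "10.0.0.9", "198.51.100.7", 4444),
]
```

Running `review(SAMPLE)` shows seven connections permitted and one denied, with only the compromised host's pair flagged by the interval check.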

In a perfect world, software would be written without error.  End systems would authenticate and authorize all connections to match the restrictions required to protect the data serviced by the system.  Encryption would be end to end.   Users would obey company policies and refrain from using applications that were against the desires of their employers.  In this perfect world, a firewall would not be necessary.  However, we do not live in a perfect world.  In our world, systems are very vulnerable and software is insecure.  Users run eBay and other home businesses from home using GoToMyPC and LogMeIn.  Additionally, accessing information that may not be malicious and even required becomes malicious when it is used in certain ways.

In the technology industry we are tasked with the daunting process of dealing with this. We must not fall into the trap of thinking that we are protected because we have a firewall. Additionally, we must make the businesses that we are responsible for aware of the risks that we cannot fully protect against. We also need to fully assess our risks and our security posture on a regular basis. It is important that we think outside the box, not only about the different ways systems can be exploited, but also about the flow of data. Who has access to the data? How do we know that it is not leaving the organization by some other means, paper for example? Although security is often thought to be a technology issue, it is an organizational issue and must be addressed as such. Firewalls are still crucial control points for our network. However, to properly secure our organizations and their data, we must expand our scope well beyond simply implementing a firewall.

About Paul Stewart, CCIE 26009 (Security)

Paul is a Network and Security Engineer, Trainer and Blogger who enjoys understanding how things really work. With over 15 years of experience in the technology industry, Paul has helped many organizations build, maintain and secure their networks and systems.