
Why don't firewalls work?

(Image credit: Wright Studio / Shutterstock)

According to Gartner, organizations worldwide spend some $14.7 billion a year on firewall technologies, making them the largest recurring item in enterprise cybersecurity budgets.

But with breaches of high-profile organizations hitting the headlines almost daily, it is clear that firewalls, once the backbone of cybersecurity, are failing to stop today’s hackers.

A recent study of enterprise cybersecurity leaders shows waning confidence in firewalls. In “Rethinking Firewalls: Security & Agility for the Modern Enterprise” (Ponemon, 2020), only 36 percent of respondents found firewalls effective at preventing ransomware, only 39 percent found them an effective way to protect their perimeters and clouds, and respondents reported only 33 percent confidence in firewalls for protecting their data centers.

Building the picture from the attacker's perspective

By putting ourselves in the shoes of the attackers who have confronted firewalls over the last three decades, we can get a good understanding of why firewalls are failing. Over that time, attackers have honed their practices into reliable strategies for defeating these enterprise defenses.

...Easily blinded, easily traversed

Firstly, firewalls are easily blinded. Hackers have learned to encrypt their attacks so that firewalls fail to identify them: deep packet inspection becomes impossible and the attack passes through the firewall unimpeded. Every skilled attacker knows this, and today around 70 percent of all attacks use encryption. Detection is possible, and many firewalls offer limited SSL proxy support, but all too often administrators find it too processor-intensive, causing network bottlenecks that make applications sluggish and unresponsive. Offloading the work to other appliances, such as web proxies and email security MTAs, helps detect and stop some of these attacks, but many still get through. The firewall's problem with encrypted traffic only grows when you consider that over 80 percent of web traffic is encrypted and 48 percent of enterprise applications run over encrypted connections. Firewalls simply cannot protect the enterprise from malicious traffic that is not obviously different in nature from legitimate traffic.

To make matters worse, firewalls become just as easily traversed when attackers use techniques such as port forwarding and fragmented-packet attacks. At the application layer, many effective HTTP and DNS protocol spoofing attacks have become part of the standard toolkit of the modern hacker.

...Easily exploited, often misconfigured

Firewalls are an administrative hassle, and far too often the burden of managing them leads to two things. Firstly, just as enterprises often forget to update and patch their endpoints, the same is true of firewalls, and attackers can easily exploit known vulnerabilities in unpatched firewalls to get through them. Secondly, over time firewalls typically end up with sprawling rule sets and misconfigurations, which also lead to exploitation.

...Easily avoided

Beyond blinding, traversing and exploiting firewalls, hackers have learned that they can simply avoid firewalls altogether. The most common examples involve using web and messaging protocols to attack and exploit users directly to gain access, then using user-side shells, command prompts and libraries, together with overly permissive user permissions, to escalate the attack. We also find attackers targeting public-facing enterprise applications directly, looking for low-hanging-fruit weaknesses: a lack of multi-factor authentication, weak passwords, exploitable certificate infrastructure and network services.

...Not where they need to be

Finally, regardless of the many ways attackers have found to get around firewalls, the biggest takeaway from examining how attackers work is this: once an attacker is inside an enterprise, firewalls cease to be any impediment at all. Attackers rarely land where they want to be, so the next step is moving laterally within the environment, performing reconnaissance on potential targets and elevating privileges. In the modern enterprise this lateral movement is too often easy, traversing enterprise clouds and data centers along application workflows. As perimeter devices, firewalls do nothing to protect the inside of the enterprise. The whole industry's interest in ‘Zero Trust,’ a security approach proposed by Forrester, is a response to the failures of legacy cybersecurity solutions like firewalls, and aims to stop the enterprise from having a “soft chewy center.” To implement the Zero Trust concept of micro-perimeters, firewalls would have to be placed between workflows, something these devices were never designed to do.

As enterprise defenders, it's time for a change in strategy

To better protect our enterprises, we must accept that firewalls have become almost redundant except for some very basic perimeter functions. We must re-evaluate our security approach and dramatically reduce expenditure on firewalls in favor of assigning that spend to more effective approaches.

For example, have you considered Software-Based Segmentation? It provides more comprehensive security and is harder for attackers to traverse, exploit and work around, because it uses workflow visibility and host-based firewalling. This enables you to create Zero Trust micro-perimeters that follow the entire workflow. It is also surprisingly easier and faster to deploy, and considerably less expensive, than legacy firewalls.

Software-Based Segmentation starts with excellent real-time and historical visibility into enterprise workflows, so that you can accurately map every workflow and create accurate policy. It is also agent-based and platform/operating-system agnostic, so it can be used across the entire enterprise environment, from premises to clouds through to containers. This drastically simplifies deployment and management and ensures flexibility and portability if an enterprise wishes to change, migrate or add platforms. Its policies (as recommended by Zero Trust and other frameworks) are granular, allowing enterprises to present the smallest possible attack surface and to lock down to process, user identity and FQDN. Because the control sits on, and follows, the workload, you are not blinded by encryption and can easily protect against unspecified lateral movement. Compared with traditional ways of segmenting, another major benefit of Software-Based Segmentation is that no IP address, VLAN, Security Group or other network changes are required. This means segmentation can happen quickly, often being implemented in days instead of months or years, with zero downtime.
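An added example, not code from the original article or from any vendor product, of the policy model this paragraph describes: a host agent labels each connection with the workload role, the process, the OS user and the destination FQDN, and a Zero Trust policy allows only flows that match an explicit rule, so a connection on the same ports from an unexpected process or tier is flagged whether or not its payload is encrypted. The Flow and Rule fields, role labels, paths and hostnames are assumptions.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional

@dataclass(frozen=True)
class Flow:
    # A connection as a host agent sees it: identities, not packet payloads
    src_role: str     # workload label assigned by the agent (e.g. "web"), not an IP address
    process: str      # executable that opened the connection
    user: str         # OS identity the process runs as
    dst_fqdn: str     # resolved destination name
    dst_port: int

@dataclass(frozen=True)
class Rule:
    # Allow rule; "*" wildcards a text field, None wildcards the port
    src_role: str
    process: str
    user: str
    dst_fqdn: str
    dst_port: Optional[int] = None

    def matches(self, f: Flow) -> bool:
        return (fnmatchcase(f.src_role, self.src_role)
                and fnmatchcase(f.process, self.process)
                and fnmatchcase(f.user, self.user)
                and fnmatchcase(f.dst_fqdn, self.dst_fqdn)
                and (self.dst_port is None or self.dst_port == f.dst_port))

def evaluate(flow: Flow, policy: List[Rule]) -> str:
    """Zero Trust default: a flow is allowed only if an explicit rule covers it."""
    return "allow" if any(r.matches(flow) for r in policy) else "deny"

def violations(events: List[Flow], policy: List[Rule]) -> List[Flow]:
    """Flows the mapped workflow never included, i.e. candidate lateral movement."""
    return [e for e in events if evaluate(e, policy) == "deny"]

# Constructed two-tier workflow policy derived from observed legitimate traffic
POLICY = [
    Rule("web", "/usr/sbin/nginx", "www-data", "app.internal.example", 8443),
    Rule("app", "/opt/app/bin/server", "app", "db.internal.example", 5432),
]

# Constructed agent events; TLS on these ports is irrelevant because identity is read on the host
EVENTS = [
    Flow("web", "/usr/sbin/nginx", "www-data", "app.internal.example", 8443),   # allowed
    Flow("app", "/opt/app/bin/server", "app", "db.internal.example", 5432),      # allowed
    Flow("app", "/usr/bin/python3", "root", "db.internal.example", 5432),        # same network 5-tuple, wrong process and user
    Flow("web", "/usr/sbin/nginx", "www-data", "db.internal.example", 5432),     # web tier has no path to the database
]
```

Running `violations(EVENTS, POLICY)` returns the last two events, which a network-layer rule keyed only on addresses and ports would have let through.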

Attackers have perfected getting around firewalls. It is time for enterprises to shift their defenses to cover the entire enterprise comprehensively using Software-Based Segmentation, which is surprisingly easier, faster and less expensive while being more effective.

Dave Klein, senior director of cybersecurity, Guardicore