Why We Still Need Firewalls and AV

Wednesday, May 02, 2012

Wendy Nather


It's become trendy to talk about how ineffective some commoditized security products are, classic firewalls and AV being the poster children for this. 

One of Josh Corman's favorite points is that "we never retire any security controls."  But as fond as I am of Josh, I think he's wrong in his implication that we should.

Let's take my firewall (Please).  It's still blocking what it's supposed to block; it's just that the ports that I need to leave open (such as 80 and 443) are now carrying all the traffic as a result, and those protocols are being used to tunnel attacks these days.  The firewall is doing its job; it's just that the job is no longer as sufficient as it used to be, back in the '90s. 

In the same vein, we still have umbrellas, even though they're not terribly useful in a hurricane.  Nobody would tell you to throw away your umbrellas because they're "ineffective" -- nobody, that is, except the maker of a Next-Generation Umbrella

(And while we're on the subject of umbrellas: I really hate it when firewalls are described as stopping "millions of attacks per day."  An umbrella isn't rated by how many raindrops it blocks and how wet you didn't get every day. A probe shouldn't count as an attack; it's just a raindrop to a properly configured firewall.)

Now, it's important for a consumer to understand the limits of the umbrella and not to believe that it will stop someone from getting wet in a hurricane.  It's also important for consumers to know that even if the chance of a hurricane in their area is small, there are still tornados, sideways winds and Advanced Persistent Puddles to contend with, and they should plan accordingly.  They shouldn't pay a whole lot for an umbrella that is not going to protect them in all use cases.  But it's still useful for what it does well.

The functions that classic firewalls perform are so commoditized that they're tucked into just about everything right now; I could wear them as earrings if I felt like it and someone made the right form factor.  In the future, it should be a given, and therefore not worth marketing.  But we will always need that functionality for as long as we have network traffic that doesn't automagically inspect and block itself.

Same thing goes with anti-virus.  It's necessary but not sufficient, and it ought to come in every cereal box, not as a standalone product that will completely solve any given problem.  Classic viruses are still out there, and they still need to be stopped, but advances in anti-malware, anti-phishing and other forms of automated defense still continue to pick up where classic AV leaves off. More sophisticated inspection and detection methods need to be developed, but that's a universal problem in security.

My belief is that users need education, not exhortation to throw out perfectly good controls that just aren't covering as much of the attack space as they used to.  They need to know what each security product will and won't protect, and they need to understand this in a non-technical way, just as people have learned over time that air bags plus seat belts are better than seat belts alone, without needing to know the mechanics of how they work, and without having to do threat modeling when they buy a car.

So if you don't agree with me, and you've really stopped using these products, I'd love to hear about how you're addressing those classic threats, and what controls you replaced them with.  (You don't get any points if the threats don't apply to what you're using; of course your toaster doesn't need AV.  But your smart meter just might.)

Cross-posted from Idoneous Security

Possibly Related Articles:
Information Security
Firewalls Antivirus malware Threat Modeling Attacks Network Security Security Solution vendors Automated Systems
Post Rating I Like this!
Ian Tibble I'm also aware of firewalls being scaled back by some, usually SMEs. The irony of it is, firewalls exposed fewer listening services, as you mentioned HTTP(S), so the zero day effort moved to webservers, Apache, IIS etc.

I can seem as though firewalls have lost their edge in the infosec strategy, and they "only" shift the attack effort or "raise the bar" for attackers. True they raise the bar, but if firewalls are well configured as part of a well balanced strategy, they raise it a lot higher than many imagine.

firewalls "get the blame" a la "we got hacked, all they did was call our helpdesk to get a password reset, then they were into our database". Hmmm.

Low hanging fruits such as unaware, click-happy, socially engineerable (? - there's a new word) staff, these have only come to fore because businesses started configuring firewalls better. Before that, it was easy to just break-in remotely. This is easier for hackers who can't talk to people, and they're also confident that their tracks are well-hidden.

Firewalls killed off much of the penetration testing market single-handed.

Privilege elevation exploits for root setuids for example - there aren't so many zero days for these. So they can exploit a listening service that wasn't firewalled, but then what? The HBgary incident involved a local privilege escalation but the binary wasn't patched, this was an old, known issue. Low hanging fruit.

So many attack efforts involve tunneling data back out of the network. Ok you can't block HTTP outbound, but most others can be blocked, and its easy to WAF if you know exactly what it is you're looking for. Then there's network access control of user workstation subnets. Ok, the laptops and PCs get malware, but once owned, what will the attackers "see" when they port scan from there? If firewalls are well configured they won't see anything, perhaps a mail server, internal intranet boxes...considerable time and effort is piled on the attack effort by firewalls.

Well configured firewalls really do add some considerable time on an attack effort, but only if other basic measures are taken in line with risks.

Beau Woods I like the post, Wendy, and I agree with your general premise, but I think the article doesn't get to the real heart of the issue. I got so worked up about it I wrote a full-length post over on my blog. ;) http://beauwoods.blogspot.com/2012/05/firewalls-and-anti-virus-arent-dead.html

Basically it comes down to this.
1. When firewalls and anti-virus were all we had and effectively countered the threats we faced, they tended to be used more as they were designed.
2. Now, firewalls and anti-virus don't counter the majority of the threats and aren't used as originally designed or even very well at all.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.