Why is it Time to Rethink the Firewall?
In January of 1995, Network Translation’s PIX firewall received the “hot product of the year” award from Data Communications Magazine. While the PIX was originally designed to perform Network Address Translation (NAT), doing for the IP host market what the PBX market did for the telephone, the PIX itself quickly morphed into the original appliance-based firewall. In those heady days in the Cisco Technical Assistance Center (TAC), we spent hours thinking through how best to build a Demilitarized Zone (DMZ) using PIX firewalls and routers so the network simply could not be penetrated. We built walls around our networks to defend them against the hordes of horseback-riding invaders.
The firewall, as an appliance, does several specific things:
- Abstracts information in a way that makes it difficult to discover the shape and form of the network behind the firewall
- Provides stateful filtering, and potentially deep packet inspection, to detect and block invalid or out of policy requests
- Provides a “fail open” edge, causing network access to be blocked in the case of a software or hardware failure (generally a side effect of NAT)
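The first two functions in the list above, hiding the inside topology through NAT and admitting only return traffic for connections the inside opened, are easy to see in a toy model. The following stateful NAT filter is an added example written for this page; it is not code from the article, from Cisco, or from ECI, and every address, port and packet in it is a constructed sample value.

```python
"""Toy stateful NAT firewall (added illustration, not code from the original
article). It models two firewall functions: address translation that hides the
inside topology, and stateful filtering that only passes return traffic for
flows an inside host initiated. All addresses, ports and packets below are
constructed sample values."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

FlowKey = Tuple[str, int, str, int]  # (inside ip, inside port, peer ip, peer port)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False  # True when the packet opens a new TCP connection


class StatefulNAT:
    def __init__(self, outside_ip: str, first_port: int = 40000):
        self.outside_ip = outside_ip
        self.next_port = first_port
        self.out_table: Dict[FlowKey, int] = {}   # flow -> translated source port
        self.in_table: Dict[int, FlowKey] = {}    # translated source port -> flow
        self.dropped = 0

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Inside -> outside: create state on SYN, then translate and forward."""
        key: FlowKey = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.out_table:
            if not pkt.syn:
                self.dropped += 1  # mid-stream packet with no known connection
                return None
            port = self.next_port
            self.next_port += 1
            self.out_table[key] = port
            self.in_table[port] = key
        # Every packet leaves carrying the firewall's own address: the outside
        # sees one IP and an ephemeral port, never the 10.x.x.x hosts behind it.
        return Packet(self.outside_ip, self.out_table[key], pkt.dst_ip, pkt.dst_port, pkt.syn)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: only packets matching an inside-initiated flow pass."""
        entry = self.in_table.get(pkt.dst_port)
        if pkt.dst_ip != self.outside_ip or entry is None:
            self.dropped += 1  # no state for this port: unsolicited, drop it
            return None
        inside_ip, inside_port, peer_ip, peer_port = entry
        if (pkt.src_ip, pkt.src_port) != (peer_ip, peer_port):
            self.dropped += 1  # known port but a different peer: not this flow
            return None
        # Untranslate back to the real inside host.
        return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port, pkt.syn)


def demo() -> dict:
    """Run a constructed traffic sequence through the filter and report results."""
    fw = StatefulNAT(outside_ip="198.51.100.1")
    # An inside client opens a connection to an outside web server.
    out = fw.outbound(Packet("10.0.0.5", 51000, "203.0.113.7", 443, syn=True))
    assert out is not None
    # The server's reply arrives at the translated address and port.
    reply = fw.inbound(Packet("203.0.113.7", 443, "198.51.100.1", out.src_port))
    # A different outside host probes the same translated port.
    probe = fw.inbound(Packet("203.0.113.99", 12345, "198.51.100.1", out.src_port))
    # An unsolicited SYN to a port with no state at all.
    scan = fw.inbound(Packet("203.0.113.99", 12345, "198.51.100.1", 40001, syn=True))
    return {
        "outside_sees": (out.src_ip, out.src_port),       # firewall address, not 10.0.0.5
        "reply_delivered_to": (reply.dst_ip, reply.dst_port) if reply else None,
        "probe_passed": probe is not None,
        "scan_passed": scan is not None,
        "dropped": fw.dropped,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point the model makes is the one the article's list makes: from the outside, every flow appears to come from 198.51.100.1, and nothing reaches an inside host unless that host opened the connection first. The `dropped` counter is the kind of signal a practitioner would export to a SIEM, since a burst of drops on unknown ports is the visible trace of a scan.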
Beyond the firewall, several other services have been added to the security portfolio in recent years, including:
- The Cloud Access Security Broker (CASB), which is focused on protecting data stored in a cloud service
- Data exfiltration systems, which are focused on detecting unusual flows of data and stopping them
- Intrusion Detection Systems (IDS), which are focused on detecting intrusions and alerting humans or stopping them
If we take the firewall as a base, and stack a CASB, an exfiltration system, and an IDS on top of it, perhaps adding on a secure over-the-top tunneling mechanism to allow remote access, we could have an “all-in-one bundle, it slices and dices, it even chops onions without making you cry” security solution for every network in the world, right?
Or maybe not. The problem with modern network security does not come down to providing a more secure edge, but rather that there is no longer a network edge at all.
Unknown to many of the network engineers working on these various firewall and DMZ projects at the time, the undoing of the firewall had already been written and unleashed on the world. In 1988 the Morris Worm was released into the Internet, disrupting computers and communication at various sites. A second blow to the firewall was unleashed in the form of the first recorded demonstration of a Distributed Denial of Service (DDoS) attack in 1997, just a couple of years after the commercialization of the PIX. Finally, the advent of cloud computing, and now the dispersal of the cloud into the fog, have changed the concept of security in information technology in radical ways. Even the memory on the processor is no longer really a sacrosanct haven of security—lessons courtesy of Meltdown, Spectre, and Rowhammer.
Ultimately, there is no inside, and there is no outside. There are only data, systems, and access to data and systems. Which leads to a somewhat simple, and yet very complex, question: How can network engineers secure distributed data and systems?
The answer to the question is buried in the question itself: distribution. To really solve the problems of data and system protection today, we need to think outside the firewall. Instead of thinking about an appliance, we need to start thinking in terms of security services, and how to apply the correct set of services to protect a particular asset. The firewall needs to be blown up, in other words. All the appliances, and their special functions and features, need to be disaggregated into services, allowing those services to be run anywhere, and merge together to form a secure system across the network, rather than in front of the network.
This new world of security is going to require a lot more application and business knowledge. The question can no longer be “where should I put the firewall,” but rather “which kinds of services are needed to protect this kind of asset, where should they be placed in the network, and how should traffic be pulled through them?”
But if we want to actually protect our data and infrastructure in any meaningful way, it is time to rid ourselves of the notion of a firewall as a neatly tied together appliance, and start thinking about the services underlying the firewall, and how they interact with problems and solutions in the real world. To learn more about ECI’s disaggregated cyber security solution tailored for critical infrastructures, download our brochure here.