Larry Osterman's WebLog

Confessions of an Old Fogey
Blog - Title

Firewalls, a history lesson

Firewalls, a history lesson

  • Comments 27

Recently, a rather high profile software company has been taken to task about its patching strategy.

One of the comments that was made by the customers of this company was basically: "We don't have to worry, all our servers are behind a firewall".

I've got to be honest and wonder why these people that their firewall somehow protects their systems?  A firewall is the outside of what is known as "M&M Security" - Hard and Crunchy outside, Soft and Chewy inside.  The basic problem with M&M security is that once a bad guy (or worm, or virus, or malware of any form) gets behind the crunchy outside, the game is over.

George Santayana once said "Those who cannot remember the past are condemned to repeat it.".  And trusting in a firewall is an almost perfect example of this.

It turns out that there's a real-world example of a firewall that almost perfectly mirrors today's use of firewalls.  It's actually quite uncanny in its accuracy.

Immediately after WW1, the French, seeing the potential for a threat from Germany, built a series of fortifications known as the "Maginot Line".  These were state-of-the art fortifications designed to protect against most if not all the threats known at the time.

(Image stolen from wikipedia).

From all accounts, the Maginot Line was a huge success.  Everywhere the German army engaged the French on the Maginot line, the line did an excellent job of protecting France.   But it still failed.  Why?  Because instead of attacking the Maginot Line head-on, the Germans instead chose to cut through where the Maginot line was weak - the Saar gap (normally an impenetrable swamp, but which was unusually dry that year) and the Low Countries (Belgium and the Netherlands, which weren't considered threats), thus bypassing the protection.

The parallels of the Maginot line and Firewalls are truly eerie.  For instance, take the paragraph above, and replace the words "Maginot Line" with "firewall", "French" with "the servers", "German Army" with "Hackers", Saar gap with unforeseen cracks and "Low Countries" with "employee's laptops" and see how it works:

From all accounts, the Firewall was a huge success.  Everywhere the Hackers engaged the servers on the line, the firewall did an excellent job of protecting the servers.   But it still failed.  Why?  Because instead of attacking the Firewall head-on, the hackers instead chose to cut through where the firewall was weak - they utilized previously unforeseen cracks (because the company hadn't realized that their WEP protected network was crackable) and the employee's laptops, where the firewall was weak (because the employee's laptops weren't considered threats), thus bypassing the protection.

You should never assume that some single external entity is going to protect your critical assets.  If you've got a huge armored front door, I can guarantee that the thieves won't come through the armored front door.  Instead, they're going to pick up a rock and throw it through the glass window immediately next to the door and go through it.

I'm not dinging firewalls.  They are an important part of your defensive arsenal, and can provide a critical front line of defense.  But they're not a substitute for defense in depth.  And let's be honest: Not everyone configures their firewall correctly.

If you assume that your firewall protects you from threats, then you're going to be really upset when the bad guys come in through an unprotected venue and steal all your assets.

Thanks to Stephen Toulouse and Michael Howard for their feedback.

  • I agree with Larry's point, but I have to take his interpretation of the Maginot Line to task. The Maginot Line was intended to direct future German attacks to a few key locations to allow the French to devote a larger portion of the army to repulse the invasion instead of serving as reserve or garrision troops. It succeeded. The French didn't scrimp on the mobile portion of their military either. They had better tanks, anti-tank guns and aircraft than the Germans, as well as a well trained core of professional officers & non-coms. Once the fighting started, a few early battles were lost, but the Army was intact and morale was high. German losses were much higher and included several key commanders and many tanks. The French were defeated as a direct result of poor decisions and defeatist attitudes held by the aging political & military leaders -- the Army was betrayed by its leadership.
  • An off-topic note regarding "Image stolen from wikipedia": you don't need to "steal" the image, it is freely licensed under cc-by-sa-2.5 (see, you should just mention the author and the license (although it would be preferred to host a copy elseware instead of hotlinking that puts strain on already overloaded Wikimedia servers ;-) ...).
  • I bought a PC for my mother-in-law and set her up with a dial-up account. The machine was owned immediately. Multiple times I scraped out the malware, tightened things up, but still the malware got installed. XP SP 2 finally came out. I installed the SP (including Windows firewall), replaced IE with Firefox, and left her with a non-admin account (only I had the Administrator password). Within days, the machine was again unusable because all the spyware brought it to a standstill. Last night I wiped the drive and today I'm donating her PC, as my mother-in-law has no more interest in the computer. The scary thing is that the only difference between her situation and mine, is that I've got a hardware firewall. Until December when I got hit with a WMF exploit served in an ad banner, my machine had never been compromised. So the firewall may be just another layer of defense, but it has proven to be the most important one. More than once I've wondered why I have spent hundreds of dollars on antivirus subscriptions over the years when I've never had a virus get onto my machine.
  • Larry Osterman has an interesting post on blind faith in firewalls.

    Security works best when it is...
  • PingBack from
  • You are not always stealing because your image is under a free license, and if you are stealing, you are stealing not from wikipedia, but from the Wikimedia Commons. This page says what license the image is under.
  • Which in fact says that he may display it anywhere and make derivate work as long as the derivated work is licensed under the exact same license.

    In other words, he did nothing wrong and can remove the "stolen" line.

  • Urn they did crack some of the Maginot line flew glider toops on top of it and used shaped charges to blow there way in.

  • PingBack from

  • PingBack from

  • PingBack from

  • PingBack from

Page 2 of 2 (27 items) 12