Larry Osterman's WebLog

Confessions of an Old Fogey
Blog - Title

Firewalls, a history lesson

Firewalls, a history lesson

  • Comments 27

Recently, a rather high profile software company has been taken to task about its patching strategy.

One of the comments that was made by the customers of this company was basically: "We don't have to worry, all our servers are behind a firewall".

I've got to be honest and wonder why these people that their firewall somehow protects their systems?  A firewall is the outside of what is known as "M&M Security" - Hard and Crunchy outside, Soft and Chewy inside.  The basic problem with M&M security is that once a bad guy (or worm, or virus, or malware of any form) gets behind the crunchy outside, the game is over.

George Santayana once said "Those who cannot remember the past are condemned to repeat it.".  And trusting in a firewall is an almost perfect example of this.

It turns out that there's a real-world example of a firewall that almost perfectly mirrors today's use of firewalls.  It's actually quite uncanny in its accuracy.

Immediately after WW1, the French, seeing the potential for a threat from Germany, built a series of fortifications known as the "Maginot Line".  These were state-of-the art fortifications designed to protect against most if not all the threats known at the time.

(Image stolen from wikipedia).

From all accounts, the Maginot Line was a huge success.  Everywhere the German army engaged the French on the Maginot line, the line did an excellent job of protecting France.   But it still failed.  Why?  Because instead of attacking the Maginot Line head-on, the Germans instead chose to cut through where the Maginot line was weak - the Saar gap (normally an impenetrable swamp, but which was unusually dry that year) and the Low Countries (Belgium and the Netherlands, which weren't considered threats), thus bypassing the protection.

The parallels of the Maginot line and Firewalls are truly eerie.  For instance, take the paragraph above, and replace the words "Maginot Line" with "firewall", "French" with "the servers", "German Army" with "Hackers", Saar gap with unforeseen cracks and "Low Countries" with "employee's laptops" and see how it works:

From all accounts, the Firewall was a huge success.  Everywhere the Hackers engaged the servers on the line, the firewall did an excellent job of protecting the servers.   But it still failed.  Why?  Because instead of attacking the Firewall head-on, the hackers instead chose to cut through where the firewall was weak - they utilized previously unforeseen cracks (because the company hadn't realized that their WEP protected network was crackable) and the employee's laptops, where the firewall was weak (because the employee's laptops weren't considered threats), thus bypassing the protection.

You should never assume that some single external entity is going to protect your critical assets.  If you've got a huge armored front door, I can guarantee that the thieves won't come through the armored front door.  Instead, they're going to pick up a rock and throw it through the glass window immediately next to the door and go through it.

I'm not dinging firewalls.  They are an important part of your defensive arsenal, and can provide a critical front line of defense.  But they're not a substitute for defense in depth.  And let's be honest: Not everyone configures their firewall correctly.

If you assume that your firewall protects you from threats, then you're going to be really upset when the bad guys come in through an unprotected venue and steal all your assets.

Thanks to Stephen Toulouse and Michael Howard for their feedback.

  • For further reading I recommend Bruce Schneier's blog at http://www.schneier.com/blog/ as well as his Cryptogram newsletter at http://www.schneier.com/crypto-gram.html Security is difficult to get right.
  • I think the TSA and Dept of Homeland Security need to hire Larry as a consultant.
  • "If you've got a huge armored front door, I can guarantee that the thieves won't come through the armored front door. Instead, they're going to pick up a rock and throw it through the glass window immediately next to the door and go through it." Just recently here in Norway there was a court case about some criminals doing something very similar to this, and actually got away with one of the largest "robbery profit" of all robberies done in Norway. The brain behind the robbery plot had noticed that there was a quite simple backdoor into an office of the national bank. This door had a glass window, and it was quite easy for them to approach it. They planned that a few strokes with a sledgehammer would open it up, or as "the brain" said "It's gonna be as easy as crushing a cookie". But the glass windows was (is?) actually heavily armoured so they had to use a lot of force (5 minutes of shooting with automatic guns). See http://www.aftenposten.no/english/local/article1117645.ece for more about the robbery. Sorry for all the errors in my poor explanation of it! So the glass window next to the armored front door *might* actually be a "honey pot" ;). But of course employee's laptops are not really used as honey pots.
  • I think wikipedia has disabled hotlinking, but you are still seeing the image because it's in your cache. I got a red cross and had to go the url manually.
  • Crud. I'll see what I can do about making the image work all the time.
  • Or they could just blackmail an employee for their password.
  • FWIW, I see the image.
  • Ed Amoroso (Chief Security Officer for AT&T) talked about this very eloquently in a recent podcast for the IT Conversations - Frontline Security series: http://www.itconversations.com/shows/detail965.html Excerpt from the show notes: Amoroso recently has advocated a new approach to security. Observing that today's firewall approach to protecting the edge isn't working. Instead, we should implement security in the network. He predicts that within two years, managed DMZs and firewalls will disappear, because "the carrier can do that more effectively and efficiently." Carriers can detect perturbations in the cloud and filter them.
  • A firewall shouldn't be necessary. I look at it from the opposite direction. A firewall is the last line of defense (like the Wehrmacht's counter attack doctrine based on elastic defense of WW1). The system should be secure without a firewall. I regard the firewall as the emergency last line if the normal defense have a mistake in them. PS The yanks, during their limited involvement in WW2, tool the Maginot line from the rear. But it still wasn't easy for young americians to defeat 80 and 15 year old german soldiers. Elastic Defense http://72.14.207.104/search?q=cache:T0KMWa2VMeoJ:www-cgsc.army.mil/carl/resources/csi/Lupfer/lupfer.asp+Dynamics+of+doctrine+the+change+in+German+tactical+doctrine&hl=en&gl=au&ct=clnk&cd=1&lr=lang_en WW2 application or non application (blame hitler - the german army did) http://72.14.203.104/search?q=cache:JVSPMKBfOcgJ:www-cgsc.army.mil/carl/resources/csi/Wray/wray.asp+Standing+Fast+German+defensive+doctrine+on+the+Russian+front&hl=en&ct=clnk&cd=1&lr=lang_en Good to see your posts becomeing more interesting. Although mentioning firewalls spoilt it a bit. You know the Americian military is based on french methodical battle. In the last couple of decades the US Army have been busy tring to emulate the Wehrmacht of WW2.
  • David, that's an interesting take on this, and one that bears thought. I'm not sure I agree with you, the last line of defense is the one that that's going to save your bacon when everything else has failed, but the firewall is more typically the at front lines - it's going to be the primary point of contact from the bad guys.

    The problem comes when you think that the bad guys are only going after your firewall.
  • > George Santayana once said "Those who cannot remember > the past are condemned to repeat it.". Yeah, but he got it backwards. Those who CAN remember the past are condemned to repeat it. Those who cannot remember it experience it for the first time. In fact, or at least according to rumour, this observation has sometimes been noted inside Microsoft as well as in the general software industry. Thursday, February 02, 2006 12:27 PM by Seth McCarus > I think the TSA and Dept of Homeland Security need to hire > Larry as a consultant. Yeah, then they'd have yet one more advisor they'd have to ignore while they go about issuing visas to dead hijackers after the hijackers did their jobs, blaming Canada for letting US immigration officials let holders of US visas enter the US from Canada, preventing US Secret Service agents from boarding planes in the US due to Secret Service agent's racial appearance, preventing 4-year-olds from boarding planes due to equally accurate profiling methods (name instead of race), etc.
  • I realise the firewall is engaged first. But that's the wrong way to look at it. Firewalls, to be useful (else one would yank the network cable out), have holes in them. This means the system must protect itself without relying on the firewall as it may be open for good reason (running a web server or sharing files). Only when a system can go online without a firewall should it be considered for release. Then one puts the firewall on AFTER one is sure it is not needed. XP SP2 does a good job.I accidently (stuffing around with loopbacks and activesynch and UNC paths) spent a month online with no firewall. Nothing happened. This is what should happen (nothing). It keeps the lock pick away from the lock in some circumstances. But that is can't be relied upon as port 80 or 135 may need to be opened. Or the attacker comes in as a client as in browsing to a web site - that web site is allowed in through the wall. So I worry at this emphsis on firewalls and have certainly noticed that many people only configure the firewall. Firewalls are also code and can crash or have logic errors just like any other part of a computer.
  • Larry, Awesome analysis. My gut knows this, but the analogy was so perfect. Thanks.
  • "Fixed fortifications are monuments to man's stupidity." -- George S. Patton.
  • This is offtopic, but since the upgrade none of the comments have newlines (at least when viewed in IE).
    Maybe you support HTML syntax now?
Page 1 of 2 (27 items) 12