There has always been controversy about firewalls. Many service providers are reluctant to deploy them, believing that a firewall will slow down page loads and the like. That problem only exists with traditional firewalls, which were built to resist one kind of attack from every direction: unsolicited inbound connections. A modern firewall can provide both client defence and network protection, which makes it not only useful but a necessity.
Attacks that traditional firewalls are good at resisting
Traditional firewalls can only block or allow specific IP addresses and ports, so what they can protect is quite limited. The most common use is to stop unauthorized users or malware from connecting to unprotected listening services or daemons. Even setting aside that a router does IP/port filtering far more efficiently, the era and the types of attack have changed, and a traditional firewall is now all but useless.
Twenty years ago, blocking unauthorized connections made sense. Most computers were poorly protected and had weak passwords. They were full of vulnerabilities and often ran services that let anyone log in or connect. A single malformed network packet could crash an ordinary server, and even that was only needed if the administrator had not already set up a remote management service with full administrator rights that accepted anonymous connections; if one had, you simply logged in. Windows' anonymous NetBIOS connections (null sessions) were a treasured asset for attackers for 15 years, until Windows XP disabled them by default.
If your firewall is only used to block unauthorized IP addresses or protocols, a router will do the job better and faster. The computer security industry has a motto: "prefer the fastest and simplest method." It is true. If something can be blocked by a faster, more efficient device, make that device your first line of defence; it will discard more of the traffic you don't want, sooner and more cheaply. A router has far less "upper layer" code than a firewall and a shorter rule list, and its per-packet decision cycle is orders of magnitude faster. In today's threat environment, though, it is debatable whether those unauthorized connections even need to be blocked.
Firewalls are best at preventing unauthorized remote connections to listening services, which stops an attacker from connecting and then using a buffer overflow to take control of the machine. That is the main reason the firewall was invented. Flawed services were so common that they were considered the norm, and worms such as Blaster and Slammer used them to sweep the world in a matter of minutes.
Today's services are not that fragile. The programming languages in common use today check for buffer overflows by default, and the operating-system mitigations against the traditional exploitation techniques are very effective. Microsoft finds 130–150 vulnerabilities across its product lines every year, about 2000 since 2003, yet only 5–10 of those were exploitable purely remotely. Over the same period, Apple and Linux machines had more vulnerabilities, but the proportion that could only be exploited remotely was the same.
To be clear: although hundreds of vulnerable services exist, almost all of them require the local end user to trigger the attack, either by clicking a malicious link or by visiting a website seeded with malware. Why must the local user take part? Because only when the end user does so is an "allowed" outbound connection created, and the firewall then has every reason to permit the matching "allowed" inbound reply to the user's computer. Almost all attacks today are client-side attacks, and firewalls are not good at blocking those connections.
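The mechanism in the paragraph above, as an added example that is not part of the original article: a toy stateful packet filter with the policy most home and small-office firewalls apply ("allow outbound, drop unsolicited inbound"). The hosts, ports, packets and payload descriptions are constructed; the point is that the same table that drops a direct attack on a listening service waves the reply to a user-initiated connection straight through.

```python
"""Toy stateful packet filter (added example, not from the original article).
Shows why a firewall that drops every unsolicited inbound connection still
lets a client-side attack through. All hosts, ports and packets below are
constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str        # "out": LAN -> Internet, "in": Internet -> LAN
    syn: bool = False     # first packet of a new TCP connection
    note: str = ""        # what the payload would carry (constructed)


class StatefulFilter:
    """LAN hosts may open connections to anything; inbound packets are allowed
    only if they belong to a flow a LAN host opened. Unsolicited inbound SYNs
    are dropped, which is exactly what the classic firewall is good at."""

    def __init__(self):
        # conntrack table keyed by (lan_ip, lan_port, remote_ip, remote_port)
        self.conntrack = set()

    def filter(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.syn:
                self.conntrack.add(key)      # remember that the LAN side initiated
                return "ALLOW new outbound"
            return "ALLOW outbound" if key in self.conntrack else "DROP"
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.conntrack:
            return "ALLOW established"      # reply to something we opened
        return "DROP unsolicited"


def run_scenario():
    """Two attacks against the same filter; returns (note, verdict) per packet."""
    fw = StatefulFilter()
    lan, attacker = "10.0.0.5", "198.51.100.7"
    packets = [
        # 1. 2003-style attack: the attacker connects straight to a listening
        #    service (SMB/445). Nobody on the LAN asked for it, so it is dropped.
        Packet(attacker, 40000, lan, 445, "in", syn=True, note="SMB exploit attempt"),
        # 2. Client-side attack: the user clicks a link and the browser opens an
        #    outbound HTTPS connection to an attacker-controlled site ...
        Packet(lan, 51234, attacker, 443, "out", syn=True, note="GET /lure"),
        #    ... and the reply, carrying the browser exploit, belongs to an
        #    established flow. The firewall cannot tell it from a normal page.
        Packet(attacker, 443, lan, 51234, "in", note="HTTP response with exploit"),
    ]
    return [(p.note, fw.filter(p)) for p in packets]


if __name__ == "__main__":
    for note, verdict in run_scenario():
        print(f"{verdict:20s} {note}")
```

Note that nothing in the conntrack table distinguishes the exploit-bearing reply from any other HTTPS response: once the user initiated the flow, only something that inspects the content can help, which is the gap the "smart firewall" section at the end of the article is about.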
Port blocking no longer works
Each service used to have its own fixed TCP/IP port, such as 21 for FTP, 22 for SSH and 25 for SMTP, which made port-based filtering on a traditional firewall meaningful.
Today, most of the world's network traffic runs over ports 80 (HTTP) and 443 (HTTPS), and an increasing share uses only the latter; whatever has not moved to port 443 yet will be migrated there in the next few years. If everything is bound to a handful of ports, what is left for port blocking to do? Worse, HTTPS encryption by default makes filtering the traffic itself harder still.
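To make the last point concrete, here is an added example (not from the original article) of the only cleartext a port-443 rule has left to match on. It builds a minimal TLS ClientHello carrying a Server Name Indication (SNI) extension and parses the hostname back out, the way an SNI-filtering firewall would; everything after that handshake is encrypted. The hostnames, the block list and the non-TLS sample bytes are constructed.

```python
"""Added example (not from the original article): what an HTTPS filter on
port 443 can still see. Builds a minimal TLS ClientHello with an SNI
extension and extracts the hostname as an SNI-filtering firewall would.
Hostnames and the block list are constructed."""
import struct


def build_client_hello(hostname: str) -> bytes:
    """Minimal ClientHello record: one cipher suite, no session id, SNI only."""
    name = hostname.encode("ascii")
    server_name = b"\x00" + struct.pack("!H", len(name)) + name        # type host_name
    name_list = struct.pack("!H", len(server_name)) + server_name
    sni_ext = struct.pack("!HH", 0x0000, len(name_list)) + name_list   # ext type 0 = SNI
    body = (b"\x03\x03"                             # legacy_version TLS 1.2
            + b"\x11" * 32                          # client random (fixed, constructed)
            + b"\x00"                               # empty session id
            + struct.pack("!H", 2) + b"\x13\x01"    # one suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                           # one compression method: null
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(data: bytes):
    """Return the SNI hostname from a TLS ClientHello, or None if the bytes are
    not a complete ClientHello (non-TLS traffic, truncated record, no SNI)."""
    if len(data) < 5 or data[0] != 0x16:                 # not a handshake record
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    rec = data[5:5 + rec_len]
    if len(rec) < rec_len or len(rec) < 4 or rec[0] != 0x01:
        return None
    hs_len = int.from_bytes(rec[1:4], "big")
    hello = rec[4:4 + hs_len]
    if len(hello) < hs_len:
        return None
    pos = 2 + 32                                         # version + random
    if pos >= len(hello):
        return None
    pos += 1 + hello[pos]                                # session id
    if pos + 2 > len(hello):
        return None
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # cipher suites
    if pos + 1 > len(hello):
        return None
    pos += 1 + hello[pos]                                # compression methods
    if pos + 2 > len(hello):
        return None
    end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    if end > len(hello):
        return None
    while pos + 4 <= end:                                # walk the extensions
        ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
        ext = hello[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type != 0x0000:
            continue
        q = 2                                            # skip server_name_list length
        while q + 3 <= len(ext):
            name_type, name_len = ext[q], struct.unpack("!H", ext[q + 1:q + 3])[0]
            name = ext[q + 3:q + 3 + name_len]
            if name_type == 0 and len(name) == name_len:
                return name.decode("ascii", "replace")
            q += 3 + name_len
    return None


def decide(dport: int, first_bytes: bytes, blocked_hosts) -> str:
    """A port-443 rule can match the SNI and nothing else in the flow."""
    if dport != 443:
        return "port rule"
    host = extract_sni(first_bytes)
    if host is None:
        return "allow: opaque (no readable SNI)"
    return f"block: {host}" if host in blocked_hosts else f"allow: {host}"


if __name__ == "__main__":
    print(decide(443, build_client_hello("evil.example"), {"evil.example"}))
    print(decide(443, b"SSH-2.0-OpenSSH_9.6\r\n", {"evil.example"}))   # SSH tunnelled over 443
```

The second call in the usage block is the practical caveat: anything that is not a TLS handshake (an SSH server listening on 443, a truncated record, a hello without SNI) gives the filter nothing to match, and with Encrypted ClientHello the hostname itself is no longer in the clear either.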
The perimeter is disappearing
A firewall is the classic security-domain boundary: define two or three security zones and the firewall controls the traffic between them. But those effective, defensible boundaries have been eroding for the past 10 years. The perimeter was never perfect, but once we began connecting the Internet to everything else and plugging Wi-Fi routers into every network, it truly disappeared.
With only one or two network boundaries a firewall can still be useful, but once we add a "DMZ" and other "authorized networks", the firewall is no longer enough. When always-on connectivity to everything becomes the norm, the perimeter, and the traditional firewall with it, is finished.
For a long time, many IT security staff have believed that they still have a security perimeter, but a single audit shows those boundaries leaking like a sieve. For fear of breaking some critical service or application, network administrators end up permitting essentially every traffic path they have not explicitly defined.
Bad firewall management
On top of a false sense of perimeter security, most firewalls are also poorly managed. Almost no home user knows what a firewall is or what it is for; even when it is turned on by default, they never look at it or configure it. Enterprises are not necessarily much better, although corporate security staff sometimes fool themselves into thinking they are.
A correctly configured enterprise firewall is genuinely rare. More than half of them carry absurd "any/any" rules, which defeat the purpose of having a firewall at all. The traffic paths and protocols most firewalls allow are far wider than the business requires. Even a firewall that starts out correctly configured degrades within a year to the point where most companies have to buy firewall-management software to dig themselves out of the configuration quagmire they created. With unauthorized changes piling up, companies have no time left to think about how the firewall is supposed to protect them.
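The two failures above, an "any/any" allow and rules that accumulate until later ones can never match, are mechanical enough to check for. The following is an added example, not from the original article or any vendor's tooling: a small audit over a first-match ruleset. The rule format and the sample ruleset are constructed; a real firewall exports something vendor-specific that you would map onto this shape.

```python
"""Added example (not from the original article): audit a first-match firewall
ruleset for an 'any/any' allow and for rules shadowed by an earlier rule.
The Rule format and the RULES sample are constructed."""
from dataclasses import dataclass
import ipaddress

ANY_NET = ipaddress.ip_network("0.0.0.0/0")
ANY_PORTS = (0, 65535)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                 # "allow" or "deny"
    proto: str                  # "tcp", "udp" or "any"
    src: str                    # IPv4 CIDR or "any"
    dst: str                    # IPv4 CIDR or "any"
    ports: tuple = ANY_PORTS    # inclusive (low, high) destination port range


def net(cidr: str):
    return ANY_NET if cidr == "any" else ipaddress.ip_network(cidr, strict=False)


def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet `inner` would match is already matched by `outer`,
    so on a first-match firewall `inner` placed after `outer` never fires."""
    return ((outer.proto == "any" or outer.proto == inner.proto)
            and net(inner.src).subnet_of(net(outer.src))
            and net(inner.dst).subnet_of(net(outer.dst))
            and outer.ports[0] <= inner.ports[0] <= inner.ports[1] <= outer.ports[1])


def audit(rules):
    findings = []
    for i, rule in enumerate(rules):
        if (rule.action == "allow" and rule.proto == "any"
                and rule.src == "any" and rule.dst == "any" and rule.ports == ANY_PORTS):
            findings.append(f"{rule.name}: any/any allow, the firewall is effectively off")
        elif rule.action == "allow" and rule.src == "any" and rule.dst == "any":
            findings.append(f"{rule.name}: allows {rule.proto} {rule.ports} between any hosts")
        for earlier in rules[:i]:            # first earlier rule that swallows this one
            if covers(earlier, rule):
                findings.append(f"{rule.name}: shadowed by {earlier.name}, never matches")
                break
    return findings


# Constructed ruleset: first match wins, implicit deny at the end.
RULES = [
    Rule("allow-web", "allow", "tcp", "any", "192.0.2.10/32", (443, 443)),
    Rule("allow-admin-ssh", "allow", "tcp", "10.0.0.0/8", "192.0.2.0/24", (22, 22)),
    Rule("temp-outage-fix", "allow", "any", "any", "any"),      # "temporary", a year ago
    Rule("deny-telnet", "deny", "tcp", "any", "192.0.2.0/24", (23, 23)),
    Rule("allow-web-dup", "allow", "tcp", "any", "192.0.2.10/32", (443, 443)),
]

if __name__ == "__main__":
    for finding in audit(RULES):
        print(finding)
```

The shadowing check is deliberately strict (full containment of protocol, both address ranges and the port range); a rule that is only partially covered still matches some packets and is a cleanup question rather than a finding. Run it on an export before and after an "emergency" change and the any/any rule left behind shows up immediately, as does the deny-telnet rule it silently disabled.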
Bad logging is another pain point of traditional firewalls. Most firewall logs contain millions of event records; detailed as they are, they are useless for actual defence. The firewall's "noise" is so loud that the potentially useful events an administrator should know about are drowned out.
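What separating the signal from that noise looks like in practice, as an added example that is not from the original article: the log lines are constructed in an iptables/netfilter-style format (ACCEPT/DROP with IN=, OUT=, SRC=, DST=, PROTO= and DPT= fields), three thousand dropped scan probes are collapsed into per-port counts, and the one event that deserves a person, a server opening an outbound connection, is pulled out on its own. The server address, the scanner addresses and the callback destination are all constructed.

```python
"""Added example (not from the original article): cutting firewall log noise
down to what matters. Log lines are constructed in a netfilter-style format."""
import re
from collections import Counter

LOG_RE = re.compile(
    r"(?P<action>ACCEPT|DROP) IN=(?P<in>\S*) OUT=(?P<out>\S*) "
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)"
    r"(?: SPT=(?P<spt>\d+))?(?: DPT=(?P<dpt>\d+))?")


def parse(line: str):
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


def triage(lines, servers):
    """Returns (noise, alerts). `noise` counts dropped inbound probes per
    (proto, dport); `alerts` lists accepted outbound flows that originate from
    a server, which should answer requests, not make them."""
    noise, alerts = Counter(), []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        if ev["action"] == "DROP" and ev["in"]:
            noise[(ev["proto"], ev["dpt"])] += 1
        elif ev["action"] == "ACCEPT" and ev["out"] and ev["src"] in servers:
            alerts.append(f"{ev['src']} -> {ev['dst']}:{ev['dpt']} ({ev['proto']})")
    return noise, alerts


def sample_log():
    """Constructed log: a noisy scan, a little normal web traffic, one callback."""
    lines = []
    for i in range(3000):                      # 3000 dropped probes, one port each
        for port in (23, 445, 3389):
            if (i + port) % 3 == 0:
                lines.append(f"Mar  3 10:{i % 60:02d}:{i % 59:02d} fw kernel: DROP IN=eth0 OUT= "
                             f"SRC=198.51.{i % 256}.{(i * 7) % 256} DST=192.0.2.10 LEN=40 "
                             f"PROTO=TCP SPT={40000 + i} DPT={port}")
    for i in range(5):                         # legitimate inbound web hits
        lines.append(f"Mar  3 10:30:{i:02d} fw kernel: ACCEPT IN=eth0 OUT= SRC=203.0.113.{i} "
                     f"DST=192.0.2.10 LEN=60 PROTO=TCP SPT={50000 + i} DPT=443")
    lines.append("Mar  3 10:31:07 fw kernel: ACCEPT IN= OUT=eth0 SRC=192.0.2.10 "
                 "DST=198.51.100.99 LEN=60 PROTO=TCP SPT=39512 DPT=4444")   # the callback
    return lines


if __name__ == "__main__":
    noise, alerts = triage(sample_log(), servers={"192.0.2.10"})
    for (proto, dport), n in noise.most_common():
        print(f"{n:6d} dropped {proto} probes to port {dport}")
    for alert in alerts:
        print("REVIEW: server made an outbound connection:", alert)
```

The design choice is to decide up front which direction is interesting for which host class: inbound drops against a server are expected and only worth a count, while an accepted outbound connection from that same server is rare and worth a line of its own. Three thousand records become three counters and one alert.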
Patching of enterprise firewalls is not encouraging either. Very few are kept up to date and fully patched, and many appliance firewalls run with publicly known vulnerabilities. Such a firewall is no longer a line of defence; it has become a potential attack surface.
What about smart firewalls?
Today's firewalls do far more than filter ports and sockets: they offer VPN and HTTPS inspection, and can perform intrusion detection/prevention, URL filtering, application-layer attack blocking, DDoS mitigation and inline remediation. Firewalls have developed far beyond simple port and protocol blocking.
Traditional firewall functions such as IP address and port filtering have little value on their own, but most firewalls today do much more than that. The firewall has evolved from a hard line at the edge into a protective layer wrapped around a fragile interior. Look at the services today's firewalls provide and you find nearly as many for client protection as for network protection. That is a good thing: it is popular, and it has many benefits.
If you are considering a new firewall, look at the ones whose controls address the greatest risks (URL filtering, missing-patch discovery, inline remediation). After all, a modern firewall should not be the one your parents used.