26 May 2021

We need to leave the firewall in the ’90s


Marc Lueck

The firewall is one of the most well-known pieces of cyber security technology. Even a layperson will have a basic understanding of a firewall, and this is in part due to its prominence in Hollywood films. Whenever a movie hacker needs to breach a mainframe, they’re often confronted with a firewall, which they’ll quickly circumvent with some furious keyboard tapping.

In this case, it seems that life imitates art: the first mention of a firewall in the cyber security context actually appeared in a film, 1983’s War Games. It took almost a decade for the term to make it into the common lexicon of the cyber security professional. Throughout the ’80s, and into the ’90s, technologists such as Jeff Mogul, Steve Bellovin and Bill Cheswick, Marcus Ranum and Nir Zuk pushed the technology forward. By the mid-’90s, it was normal for companies to connect to the Internet, and the threat landscape was getting worse. The firewall became a hugely popular and essential technology in the enterprise.

The firewall made perfect sense at the time, as the bare-bones ’90s internet, with server numbers in just the hundreds (compared to the tens of millions today), was a simpler place, and the threats were more straightforward. There were hackers, but they were mostly solo artists, unlike the global, nation-state backed groups we face today, and the firewall was the perfect solution to filtering out bad traffic from the good. The network was safe, the internet was not, and the firewall kept those external dangers where they were.


The way we use the internet has fundamentally changed since the ’90s. It’s no longer just a tool used in the office to help us do our work, or a privilege for the bored office worker — it’s become a core part of everyone’s existence. The threat is no longer a hacker, but threats that are embedded in the applications and services we all use as part of our daily lives, whether it be social media, streaming services or any number of applications. Even the trusted companies that form our supplier ecosystem are now all sources of these threats.

The firewall industry hasn’t taken this lying down though, and in response new functionality has been built into firewalls to deal with these emerging threats. Moving past packet filtering, firewalls added anti-virus, DoS prevention, VPNs and tunnels, botnet detection and more. It became an arms race, and as functionality built up so did the complexity, the latency and the expense. With all of a business’s controls in one place, the firewall became the only defence for businesses, and almost the only thing that hackers had to circumvent.

Even the champions of the firewall in its earliest days have questioned its continued relevance. Cheswick and Bellovin dubbed the firewall an “economic solution to weak host security” and “a low-grade access control for low-value resources” respectively, all the way back in 2008.


Cloud and mobility land the final blow

If there’s been any shift that has sounded the death knell for the firewall, it’s been the cloud and the mobility it enables. Covid, of course, has accelerated the move to the cloud and hammered those nails further into the firewall’s coffin. Today, business is taking place outside of the network, and on the Internet itself.

The firewall has been a great servant to cyber security, but it is an outdated technology and represents an outdated architecture. This is not only because of its increasing age and feature creep, but because it is built on outdated notions of trust. Having a firewall implies that one side is somehow more trustworthy than the other, and with internet traffic flowing from one side to the other, this is no longer true. In fact, that implied trust could cause more risk than it reduces.

The firewall wanted businesses to trust the network and IP addresses when, in today’s world, we need to adopt a zero-trust approach. Zero-trust starts with validating user identity combined with business policy enforcement based on contextual data from user, device, app and content to deliver authorised direct access to applications and resources. It’s bringing the traffic to the control, not bottlenecking the traffic by bringing the control to it.
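The contrast drawn above, between trusting a network location and validating identity plus context, shown as an added example that is not part of the original article. The address range, policy table, user names and request fields are all constructed assumptions, and content inspection is not modelled.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# All values below are constructed for illustration.
TRUSTED_NET = ip_network("10.0.0.0/8")  # the "inside" of a perimeter firewall
# Hypothetical business policy: per app, which groups may connect and
# whether a managed device is required.
POLICY = {
    "payroll": {"groups": {"finance"}, "managed_device": True},
    "wiki": {"groups": {"finance", "engineering"}, "managed_device": False},
}

@dataclass(frozen=True)
class Request:
    src_ip: str
    user: Optional[str]      # None means identity was never verified
    groups: frozenset
    device_managed: bool
    app: str

def perimeter_allows(req: Request) -> bool:
    """Firewall-style decision: trust is implied by network location alone."""
    return ip_address(req.src_ip) in TRUSTED_NET

def zero_trust_allows(req: Request) -> bool:
    """Identity first, then per-app policy on user and device context.
    The source address is deliberately never consulted."""
    rule = POLICY.get(req.app)
    if rule is None or req.user is None:
        return False  # default deny: unknown app or unverified user
    if not (req.groups & rule["groups"]):
        return False  # user is not entitled to this app
    if rule["managed_device"] and not req.device_managed:
        return False  # device posture does not meet the app's requirement
    return True

SAMPLES = {
    "unauthenticated host inside": Request("10.1.2.3", None, frozenset(), False, "payroll"),
    "remote finance employee": Request("203.0.113.7", "alice", frozenset({"finance"}), True, "payroll"),
    "office engineer, wrong app": Request("10.4.4.4", "bob", frozenset({"engineering"}), True, "payroll"),
    "remote engineer, own laptop": Request("198.51.100.9", "bob", frozenset({"engineering"}), False, "wiki"),
}

def compare() -> dict:
    """Return {label: (perimeter decision, zero-trust decision)} for the samples."""
    return {k: (perimeter_allows(r), zero_trust_allows(r)) for k, r in SAMPLES.items()}

if __name__ == "__main__":
    for label, (fw, zt) in compare().items():
        print(f"{label:30} perimeter={fw!s:5} zero_trust={zt}")
```

In every sample the two models disagree: the location-based check admits anything with an internal address and rejects legitimate remote users, while the identity-and-context check decides the same requests without looking at the address.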

A recent ESG study revealed that over three quarters (77%) of IT security teams believe they will move to a hybrid working model, and this will result in the need for new and advanced security requirements. Our own recent VPN Risk Report found that 72% of companies are prioritising the adoption of a zero-trust security model, while 59% have accelerated their efforts due to the focus on remote work.

In a work-from-anywhere world, perimeter-based controls like the firewall are rapidly becoming obsolete. The zero-trust approach uses a cloud-native architecture to disperse security controls for performance and scale, and is a far more appealing and effective way to protect enterprises. What the firewall got wrong was thinking we needed a better tool when, in reality, we need a better architecture.
