Death to Firewalls; Long Live Firewalls
Firewalls have been slowly changing over the years as the network architectures around them have evolved. Firewalls are becoming more decentralized and increasingly virtualized. As firewalls move from being located solely at the perimeter inward toward the servers, many other changes are taking place. The pendulum of centralized versus distributed systems continues to swing back and forth as the industry searches for the optimal equilibrium for security architectures.
One of the first books I read on the subject of firewalls was "Building Internet Firewalls" by Elizabeth D. Zwicky, Simon Cooper, and D. Brent Chapman. This book covered the principles of least privilege, defense in depth, choke point, weakest link, fail-safe stance, universal participation, and diversity of defense. The concept of the choke point helped organizations focus their attention on defining a security perimeter and placing the firewall at that single point of entry. At the time most organizations had a single perimeter, and many could only afford a single firewall at their Internet connection.
It is clear that firewalls have changed over the years. Many firewalls lack policy granularity, and many organizations' firewalls end up accumulating large numbers of NAT and policy rules. Some say that firewalls do not impede the bad traffic, they just impede the good traffic. Most attacks take place at the application layer over TCP port 80 anyway. Stateful firewalls see only one aspect of the security picture because they look at the packet header. We need firewalls to perform more content filtering and deep packet inspection. Unified Threat Management (UTM) firewalls evolved as we expected more functionality at the single choke point. We now rely more on DPI/IPS, behavioral analysis, anomaly detection, Data Loss Prevention (DLP), and Web Application Firewalls (WAFs) to protect our critical systems. A firewall can define a network perimeter, but it can't protect against the insider/malware threat. Since 1997 I have thought the end of the firewall era was right around the corner. In recent years we have seen the "erosion of the security perimeter," and our firewalls have turned into Swiss cheese. Because of all these trends, the firewall as a concept has slowly died, or at least had its role in the security architecture diminished.
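To make the header-only limitation concrete, here is an added example (not code from the original post) that models the two layers side by side: a stateful rule that consults only protocol and destination port, and a DPI-style signature check over the payload, combined the way a UTM device would. The rule set, the signature list, the addresses, and the sample requests are all constructed for the illustration.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal packet model: the header fields a stateful firewall sees,
    plus the payload it never looks at."""
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int
    payload: bytes


# Constructed allow-list in the style of a header-only firewall policy:
# (protocol, destination port). Anything not listed is dropped.
RULES = {("tcp", 80), ("tcp", 443)}

# Constructed content signatures of the kind a DPI/IPS or WAF layer matches on.
SIGNATURES = {
    "path-traversal": re.compile(rb"\.\./"),
    "script-tag": re.compile(rb"<script", re.IGNORECASE),
    "sql-union": re.compile(rb"union\s+select", re.IGNORECASE),
}


def stateful_allow(pkt: Packet, rules=RULES) -> bool:
    """Header-only decision: only protocol and destination port are consulted,
    so any payload riding on an allowed port passes."""
    return (pkt.proto, pkt.dst_port) in rules


def dpi_matches(pkt: Packet, signatures=SIGNATURES) -> list:
    """Content inspection: names of every signature found in the payload."""
    return [name for name, rx in signatures.items() if rx.search(pkt.payload)]


def classify(pkt: Packet) -> str:
    """Chain the two layers: the stateful rule runs first, and only traffic it
    admits is handed to content inspection."""
    if not stateful_allow(pkt):
        return "blocked-by-firewall"
    if dpi_matches(pkt):
        return "flagged-by-dpi"
    return "allowed"


# Constructed sample traffic using RFC 5737 documentation addresses.
SAMPLE = [
    # Ordinary web request: both layers let it through.
    Packet("198.51.100.7", "203.0.113.10", "tcp", 80,
           b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    # Application-layer attack over port 80: the header rule allows it,
    # only the content layer notices.
    Packet("198.51.100.7", "203.0.113.10", "tcp", 80,
           b"GET /static/../../etc/passwd HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    # Telnet attempt: dropped on the header alone.
    Packet("198.51.100.7", "203.0.113.10", "tcp", 23, b"\xff\xfd\x18"),
]

if __name__ == "__main__":
    for pkt in SAMPLE:
        verdict = "allow" if stateful_allow(pkt) else "drop"
        print(f"{pkt.proto}/{pkt.dst_port}: stateful={verdict}, "
              f"dpi={dpi_matches(pkt) or 'clean'}, verdict={classify(pkt)}")
```

The second packet is the case the paragraph is about: it is indistinguishable from the first one at the header level, so a stateful rule set that permits port 80 has no basis for dropping it, and the decision has to come from a layer that reads the request itself.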