I was all set to write a post today commenting on Ellen Messmer’s article about Forrester’s picks for winner and losers in security. But that post will have to wait. Instead I am compelled to chime in on the firestorm that Rodger Grimes has ignited with his “firewalls are dead” article of a few days ago.
I didn’t comment on Rodger’s original article because after hearing my friend Richard Stiennon declare so many security technologies dead over the years, one more pundit calling something dead is just not something to get excited over. Lets face it, you know what they say about pundits (or was it analysts), we all have one
But that didn’t stop others from calling Rodger out. My friends at Securois, Mike Rothman in particular had something to say, a few other security bloggers mentioned it, heck even Richard Stiennon on his way down under tweeted on it. But I thought the best response was by my friend and colleague Jody Brazil of Firemon. Now for those of you who don’t know, I work with Firemon so I may be partial to Jody’s view. Truth be told I may have even seen a rough draft of the post and put my 2 cents in before it was published. To me that was a case of enough said.
But now Rodger has come back with another salvo defending his position. After reading it, I can’t help myself. I have to jump in. Besides the fact that I think Rodger is flat out wrong, I feel it necessary to point out some weakness in his arguments:
1. Flat out dismissing firewall mismanagement – Yes it is easy with the stroke of a pen to just discount this very important part of Jody’s original post. But the fact remains that firewall mismanagement is still one of the biggest factors if not the biggest in attacks being successful that a better managed firewall could have and should have stopped. So before dismissing, at least give it its due.
2. The Verizon Report is all about big companies – Yes it is only is based on 855 breaches, but the fact is that almost 2/3’s of those 855 breaches happened at companies with under 100 employees! That hardly qualifies as large enterprise accounts. If you go up to companies under 1000 employees (classic SMB) the number is even higher. So you can’t dismiss the Verizon findings by saying that this only applies to large companies, it is just not the fact.
3. The browser did it, blame the browser – This one reminded me of if we set the firewall to block all traffic, we would not have security incidents. Yes the browser is a nexus for attack, but it is a nexus because it is a fundamental factor in the equation. You can’t take the browser out of the mix and still have an Internet as we know it. So saying it is the browser’s fault and the firewall doesn’t help the browser is just not sound logic. The browser goes with the Internet and it introduces it own set of challenges. Blaming the firewall for not fixing the browser just doesn’t make sense.
4. The human hacking came later – Wrong again. It is the human hacking which comes first. It is the spear phishing or otherwise targeted attack which is genesis of most security incidents. Grimes points to the large AV vendors as proof of his position. Well lets look at the recent Symantec Internet Security report. They clearly show that targeted attacks against humans (by email, twitter or other social media) is a primary vector for many security incidents. At the end of the day, the weakest link is still the person behind the keyboard. Heck after getting rid of the firewall, lets get rid of the people, then we would really be safe. Of course who would use all of those browsers?
5. Firewalls are a victim of its own success – Again the logic here is flawed. Are firewalls the new polio or smallpox vaccine? Have we eliminated the scourge of attacks that firewalls have stopped, so now we can retire them? Of course not. Firewalls (especially well managed ones) are out there stopping garden variety attacks day in and day out. Yes NGFW are an evolution up from what firewalls used to be, but the threats and attacks that firewalls have been stopping for years have not gone away, people like Rodger just take them for granted because firewalls are on call doing their job 24/7/365.
So it is not yet time to give the firewall its gold watch and send it to a condo in Florida. There is still plenty of life and good security left in those boxes and the future for them is brighter then ever.
I would love to discuss this further and invite Rodger, Jody and if anyone else would like to join in to a podcast. Let me know if you are interested!