Has the Day of the Death of the DMZ Finally Arrived?
I remember going to TechEd several years ago and listening to Steve Riley (who worked for Microsoft at the time) talk about the "death of the DMZ". His "death of the DMZ" talks were always highly attended and they always stirred up a lot of controversy and got the audience talking about whether there was still a need for a firewall. During that time, there was a lot of pushback and opponents had many strong arguments for why you actually need multiple firewalls in your organization. The idea back then was that the most efficient and most effective way to control access to information stored on your network was to place multiple "bumps" on the wire between that information and people who wanted to get to it.
That was sometime around 2004. The world has changed quite a bit since then, and the tech world changes faster than the rest. Back in those days, the arguments weren't just about how many firewalls and DMZs you needed, but also about which types of firewalls you should use. Should you use high-throughput stateful packet inspection only firewalls? Did you need application layer inspection? Was the goal to control both inbound and outbound access? Were logging and reporting at the network level required? Which vendor had the most secure firewall? Should you use the same vendor for all your firewalls or should you spread the love around?
The Cloud changes everything
Now we're well into 2011 and those discussions are giving way to something that was barely envisioned back then: considerations about cloud security. It's been predicted by many in the industry that 2011 is going to be the Year Of The Cloud. With firms moving an increasing amount of information and many of their applications to the cloud, the level of security offered by the cloud provider it a hot button topic. Companies want answers to a lot of questions before they entrust their data to someone outside the corporate walls:
- Where is the data stored?
- Is it encrypted on disk?
- What is the nature of data persistence?
- What access controls are placed on the data?
- What security tests are done the cloud applications?
- How often are cloud applications updated?
- What forensics methods are used and is there a solid incident response plan in place?
It's hard to find the answers to those questions from almost all of the cloud providers. Microsoft, Amazon, Google and IBM are not exactly transparent about the details of the cloud security measures. And that makes sense - the less the bad guys are able to find out about their security strategies, the harder it will for them to penetrate those controls. However, if you dig, you can find some information about their security measures. And as you do, you notice an interesting fact about cloud security discussions: the absence of questions regarding which firewalls are used, or whether firewalls are used at all at the cloud datacenters.
You can't help but wonder why this is the case, after over a decade of heated discussions about firewalls and the multiple critical roles that firewalls play on networks. Maybe it's because, with the rise of the "anywhere access" philosophy, where organizations want to enable employees access to the data they need from any device and from any location at any time, IT security professionals have realized that their firewalls are actually doing very little, other than reducing the overall amount of traffic on the intranet by preventing authorized traffic from reaching the Internet.
The cloud and the nature of distributed data that can be located in multiple locations and on a variety of devices makes it clear that the security "road to success" for the foreseeable future is probably not going to be from a firewall based strategy. The highly mobile nature of data in the second decade of the 20th century means that a firewall based approach to data protection is a losing proposition. The data needs to be secured where it's located.
Do DMZs really do any good?
When you think about how DMZs are deployed in most environments, you have to admit that they do little more than make the network security infrastructure more complex and enable firewall admins to keep their jobs. DMZs are used to separate Internet facing devices from the corporate intranet under the presumption that there is some sort of security advantage to this methodology. The problem is that the front end firewall enables access to the services that are purportedly "unsecure" and the back end firewall allows this same traffic onto the intranet. What's the actual security advantage conferred by the configuration? You can argue that "trash traffic" is offloaded from the Internet facing device, but do these firewalls actually "secure" anything? The sad conclusion is that in most cases they do not, and all the firewall infrastructure ends up doing is making the overall management of network security more complex and increasing the overall cost of doing business.
In addition, a network based firewall approach to data security ignores a key fact: Most significant security breaches are due to insider attacks. The recent Wikileaks security disaster was due to an insider attack - and studies have shown that many of the most significant and most expensive network compromise events were due to insider attacks. You can read about the top ten breaches by infamous insiders here
RSA reported in 2009 that insiders are a greater threat than hackers.
And the 2010 Verizon data breach report showed that insider breaches are on the rise.
The DMZ and network firewall at the edge of the network does nothing to prevent these high-impact attacks that put companies at the most risk.
What about outbound access control? Do network firewalls have any place there? Outbound access control is an area where network firewalls can make a difference, in the following ways:
- They can prevent near zero-day attacks
- They can reduce the "attacker surface" on the Internet by performing URL filtering and web anti-malware inspection
- They can do outbound SSL inspection so that malware can't hide in SSL tunnels to send corporate information to a controller on the Internet.
But again, the challenge for firewalls when it comes to outbound access control is that not all devices that access corporate data are always subject to corporate network access policy. Sure, when the employees' laptops are on the intranet, everything is good and their Internet access is locked down and secure. But what happens when an employee goes on a trip with his laptop and connects to networks where corporate network access control no longer applies? The employee then returns to the intranet and shares all the exploits that his laptop gathered when accessing the Internet during the time that the employee was off-network. In this scenario (which is the norm for most companies), the corporate outbound access control firewall only postponed the inevitable.
What's the solution?
Because of the cloud, the increasing number of devices that can access the data, and the increasing number of locations where that data might be located, a new focus away from network firewalls and toward securing the data itself is required. More sophisticated approaches to access control lists and authorization, as well as reporting on data access,are also required. In addition, there need to be mechanisms put into place that secure the files themselves so that only authorized individuals can access them, regardless of file location.
ACLs need to be more flexible and more comprehensive than the user/group based methods we use today. You need a way to assess the user in a more realistic context, which includes criteria such as:
- Is the user an employee or a contractor?
- If an employee, is the user a part time or full time employee?
- Is the user a member of a particular project team?
- Is the user assigned a certain security classification?
- Is the user on suspension or on leave?
These and other user characteristics are much more valuable than which "group" that user belongs to, and you should be able to set access policies on their more real-world characteristics.
All of the above is a good first step, but initial access and authorization is only the beginning. After the data is removed from its source repository, it needs to have security follow it regardless of where it goes. This is where Rights Management Services (RMS) become important. In fact, if RightsManagement had been applied to the Wikileaks documents, there's a good chance that imbroglio would never have transpired.
Will firewalls fade away?
At this point, you must be wondering: what about firewalls? Should we just throw them out the window? Is all that time you've spent learning to work with TMG or some other firewall wasted? Well, firewalls won't go away, but like the other security methods that will bring you success, the security needs to be moved closer to where the information resides. The power of modern computer processors now makes it possible to put a sophisticated firewall on every client system. In fact, this is what the Windows Firewall with Advanced Security does on each Windows 7 and Windows Server 2008 and above computer. Leveraging the Windows Filtering Platform (WFP), these host-based firewalls are able to perform advanced firewalling duties and enable end to end encryption between client and host. In fact, enabling IPsec on all of your intranet goes a long way toward removing the requirement for network firewalls. And as IPv6 begins to loom large on the horizon, it's a good bet that we'll see increasingly diminishing returns on network firewall investment.
What do you think? Is this the end of the network firewall? Should firewall admins start polishing up their resumes and get busy retraining on more important technologies such as Identity and Access Control management? Or will the network firewall remain forever, as an artifact of the past, and be placed on the network as an historical hangover, not unlike the RPC based protocols that we continue to deal with today?
Send me a note at [email protected] and I'll post some of the best responses on the blog. Thanks! -Deb.