Tear Down the Firewall

lousyd writes "'What's the best firewall for servers?' asked one Slashdot poster. 'Give up the firewall' answers Security Pipeline columnist Stuart Berman. Through creatively separating server functions into different, isolated servers, and assigning them to a three tiered system of security levels, his company has almost completely eliminated the need for (and headache of) network firewalls. "Taking that crutch away has forced us to rethink our security model," Berman says. The cost of the added servers is greatly minimized by making them virtual servers on the same machine, using Xen. With the new security-enhanced XenSE, this might become easier and more possible. What has you chained to your firewall?"

Nice logic, but

[gcnaddict]

obviously, if you can rethink your security model AND keep up a well-maintained firewall, you will likely be better off :) How hard can it be to do BOTH, not one or the other?

Re:Nice logic, but

[m50d]

If you have a good security model, the only processes listening will be the ones that need to be accessible. At that point, what good would a firewall do?

Re:Nice logic, but

[ScrewMaster]

Yeah ... this does seem like a solution looking for a problem, doesn't it? Kind of like deciding that, well, if I just start eating right and exercising regularly, I won't need my health insurance anymore.

Re:Nice logic, but

[ScrewMaster]

Human eyes are fine but human reaction time is not. A breach can occur and be over with in a very short time, given the speed at which processing and communication occur nowadays. By the time your human eyes are even aware that there's a problem, the organization could be severely compromised.

Besides, good security is layered, because each layer exponentially reduces the risk of a successful breach. Assuming that an operating system is safe from attack on a given port just because the system claims the port is "closed" or that there are no active services monitoring that port is foolish. These guys seem like they're trying to make a statement rather than good security. I know, conventional wisdom says that conventional wisdom is often wrong ... but sometimes it's right. I'm sticking with my firewalls, thank you very much.

Re:Nice logic, but

[timeOday]

Not always - one strong defense might be better than the same defense plus a weak one. There's a diluting effect, both technical (because defenses can create more vulnerabilities) but more importantly the human factor, because people only have so much time and attention to devote to these things, to learning them and keeping them up to date.

Working in a bureaucracy, I've found that new rules are either ignored, or obeyed at the expense of attention to old ones. Time, attention, and willingness to comply are limited.

Re:Nice logic, but

[Hatta]

If you have a good security model, the only processes listening will be the ones that need to be accessible. At that point, what good would a firewall do?

Well you could control who the processes can listen to. There's no reason an internal web server should be visible to the entire internet. Or even for publicly accessible sites, if all your customers are in the US it may make good sense to deny connections from say, romania.

Re:Nice logic, but

Nice when a customer usually in US is on vacation or business travel in say, Romania. Non-customer-friendly obscurity.

Re:Nice logic, but

If you have a good security model, the only processes listening will be the ones that need to be accessible. At that point, what good would a firewall do?

Plenty. I have apache servers in their own DMZ, mail servers in their own DMZ, a security R&D free-for-all DMZ and of course the safe office internal network.

The external internet facing interface on the perimiter firewall port forwards web and https to the apache-DMZ and smtp to the mail-DMZ. This firewall is configured such that none of the DMZ's can contact the other or the "internal" network and vice-versa plus the traffic to and from each network is only allowed on their appropriate ports. This firewall also performs flawless prioritisation, bandwidth limiting and spamd blacklisting.

If an apache server is compromised, that server cannot in any way exploit any machine on the other networks, etc. However if I had set these machine up like the story, the apache machines would be running local firewall processes which would likely get MODIFIED by the successful attacker, who would then move on to exploting other machines or even just performing DoS, flooding, etc.

That is the beauty of the perimiter firewall. It is dedicated and has "the final say". This guy thinks fancy network layout with local firewalls on each serving host or DMZ is enough. He is nuts. That may well be doable at a high level of security, but that is no reason to give up the absolute power of the perimiter firewall. I've beeb doing like he has for years, but with the perimiter firewall as the ultimate enforcer.

Security is about layers. This guy thinks it's a good idea to remove the strongest layer, which he considers a crutch. After 10 years on the job, maybe he has gone nuts and needs to retire.

Re:Nice logic, but

[SquadBoy]

Security is like ogres, onions, cake, and parafait.

It's all about layers. Far too often people do perimeter security and call it a day and far too often people argue that if your hosts are hard that you don't need to worry about the perimeter. You need both.

Now granted I didn't rtfa but the summary makes sense in some situations that we have where I work. I maintain 5 firewalls with up to 16 ports each. Most of those are internal and a great many of those firewalls/interfaces could be safely done away with using a model similar to this one. But you would be insane to rip out the perimeter. You would also be insane to ignore your middle. Far too many places do just that. So it's all about balance young grasshopper.

Re:Nice logic, but

[Desert+Raven]

insightful?

OK, first issue. If you run any *significant* services, you have ports that need to be accessible by your machines, but nobody else's. The best example is database servers. My database runs on a separate machine. My webservers need to access it, but NOBODY else does. The database's access control is not enough, I don't even want anyone outside my network to see those ports, let alone try to muck with them.

Second issue. There are always new exploits coming up for the software you *do* have to expose (http, smtp, etc.) Firewalling unneeded ports (both directions) can prevent the exploit from becoming fully realized. Once upon a time, I had a machine get compromised through a web app. The trick is, the next step in it's script was to "phone home", which it could not do, because I don't allow outbound traffic for anything except what I *have* to, and them only on the exact ports and IPs necessary. I got alerted when suspicious outbound traffic was seen on the firewall.

Should you secure your apps? Hell yes. Firewalls can't help you if your allowed apps are insecure.

Should you be foolish enough to think this is as good as or better than a firewall? Um, what were your addresses again?

Re:Nice logic, but

[Dwonis]

The strongest principle in computer security is simplicity. When you get rid of a firewall, you get rid of a level of complexity and a potential vulnerability.

Re:Nice logic, but

[pipacs]

The strongest principle in computer security is simplicity.

True, but read the article. Firewalls are much simpler concept than what the author proposes: three layer architecture, ACLs, tickets, virtualization, strong clients, smart admins etc. etc.

Re:Band-aid

[Badanov]

Firewalls are such a band-aid solution to the problem of unknown processes running on your own computers. The right way to solve the problem of rejecting incoming and outgoing requests is to make it easy to see which processes are accepting and making connections on which port.s

Which is what netstat -at and firewalls do...

Firewalls are needed only for leaky systems

[KiloByte]

In general, firewalls can be compared to a tarpaulin stretched on four sticks above a house. It has an effect only if:

• the roof is leaky
• you want to make your yard free of rain
• you own a number of houses, and want to ensure they will be free of rain even if the houses' caretakers are idiots

In other words, firewalls are of any use only if:

• you're defending a grossly insecure system (Windows?)
• you have unprotected communication on a network
• you want to enforce a policy

The tarp does nothing for a sturdy roof. There is no way to attack bare kernel (ok, ping of death), and firewalls do nothing to protect services which are already visible to the network. And if you want to use the firewall to block off unneeded services, why in the hell are you running them in the first place?

Re:Firewalls are needed only for leaky systems

[That's+Unpossible!]

There is no way to attack bare kernel (ok, ping of death)

OK, so then why did you mention that point if you are going to subsequently shoot it down with one example?

firewalls do nothing to protect services which are already visible to the network

Yes, higher-end firewalls can also scan the traffic on those open ports looking for exploits (ala IDS firewalls).

And if you want to use the firewall to block off unneeded services, why in the hell are you running them in the first place?

Are you serious? I have tons of services running on various servers that I do not want made available to the public, yet need to be available to (a) the other servers behind the firewall, and (b) trusted users that connect over our VPN... which, incidentally, is another function of a good firewall.

The article and your post are pure lunacy. It is not that hard to maintain a firewall, and as long as you plan your internal networking with the assumption that the firewall will not stop a really good hacker, it is just one more layer of security.

Re:Firewalls are needed only for leaky systems

[Master+of+Transhuman]

Apparently the problem for some admins is that firewalls become a security hazard in themselves because they have to be constantly adminned by opening and closing ports for special end user purposes, which tends to introduce configuration errors and security holes. And if they don't do this, they get endless complaints from the end users that they can't access things they need (or think they need) on the Net.

And this also applies to the problem of connecting with business partners, contractors, etc., as well as supporting new apps like Skype.

By dumping the end users on the Net themselves and protecting the servers only, the admins eliminate this problem.

I'd say it remains to be seen if completely dumping the firewall is feasible, since the article doesn't address whether they've survived SIGNIFICANT hacker attacks using this model. THAT is the real test.

part of a larger security solution

[eth00]

Firewalls are still important in the entire security model. I do a lot of working on shared servers that host websites and have found a firewall can stop a lot of headaches. When some users script gets compromised and a script kiddies goes to send out a DOS of some sort the firewall can block it. I have found that the firewall is more important for exgress monitoring for this type of market but it is very valuable.

While it is true people have the wrong image of a firewall they are still very useful when used correctly. Security is not just a single thing you do to a system but many different layers and the firewall plays into that field. It is also a lot easier to just block some script kiddie at a firewall if they keep trying to brute force a server. I think I am going to keep my firewall for a little longer :)

Seems overkill...

[MrDomino]

The post proposes a pretty novel solution---maintain separate hosts for each server---but it seems really inefficient. I mean, Xen as I understand it will run full operating systems in each of its virtual domains, including separate kernels and whatever else the system needs running.

Why not just work with chroot jails? They accomplish the same thing---keeping things isolated from dangerous interaction with the rest of the system---but without the ridiculous performance overhead of running entire and discrete systems for each service provided.

Defense in depth.

[!ramirez]

This concept can largely be summed up as 'defense in depth'. You use multiple layers to defend that which you value the most.

Saying 'I have secured my OS, I no longer need a firewall' is like saying 'I have an airbag, thus I do not need this seatbelt'. One complements the other.

Re:Band-aid

[Ingolfke]

You're looking at this from a server perspective. It's quite possible you don't want certain traffic on your NETWORK. I don't want people scanning my networks.

Too smart for their own good

[lheal]

As a previous poster said, why not do both?

They've taken a nugget of insight, that the reliance on a firewall can make you sloppy, and built a whole mountain of security policy on it. Trouble is, that's upside down architecture.

Good security is about building up as many layers as you can that are easier on you than on your attacker. The goal isn't to be impenetrable, it's to look like too much work so the attacker goes away.

We have a firewall so that we CAN be a little sloppy inside if needed. It's the balance between security and usability. It doesn't mean you rely solely on the firewall. It means that the "firewall", which you should treat more like a window screen, is just another layer of defense.

And when everyone else has a firewall, your unfirewalled network stands out like a house with no window screens.

There is another big picture here, too. If everyone has a firewall, having one doesn't make you look like you've got something to hide. If only 1% of networks were protected, then your firewall makes you look suspicious.

So thanks, but quit telling people they shouldn't use a firewall. Some of them might take your advice.

This is better?

[Transcendent]

Meanwhile, the clients sit in the clear. We protect them by boosting their immunity levels so that they can exist in harsher conditions. They run secure OSs, fully patched with current anti-virus protection. We assign each user a central identity, which is authenticated and validated before accessing the internal DMZ. We use central directories to manage identity privileges and PKI certificates. Existing systems, such as Active Directory, allow for low-cost private certificate authorities where PKI isn't well-established. We also log and monitor the activity and enforce acceptable application behavior.

Sounds like a pain in the ass to me...

Frankly, there's too many damn buzzwords.

Why Choose?

[Doc+Ruby]

Do both. Eliminating their firewall was just the motivation to do more comprehensive security work. That motivation should come from IT management, and self-interest in preparing a manageable system, rather than fighting fires. Every insecure part of a system should be secured. A firewall has a unique role in providing a good amount of cover for an entire organization for its cost. Especially valuable when making changes to security configurations, which might temporarily expose resources in the transition.

Multiple layers

[Digital+Pizza]

OK, I haven't read the article (I'm on Slashdot, after all), so maybe I misunderstood the article post (they are often misleading). What the hell is wrong with having multiple layers of security? That's what's been preached for years now, and it makes sense,

Of course one should strive for having one's servers secure enough to stand on their own in case someone breaks through the firewall, and also because attacks can come from within. You don't need to remove your firewall to do that, however; use your imagination! What happenes if there's a flaw in the server's built in security? Bugs have been known to happen. Paranoia becomes a wonderful trait when you're dealing with network securiity.

So a firewall is that much extra work; boo hoo!

IP address wastage

[whoever57]

Unless we all move to IPv6, his proposal cannot be widely implemented, since it appears to do away with NAT and hence all "clients" must have their own routable IP address.

Re:I don't run a firewall

[ravenspear]

That is a rather bold statement. Have any evidence to back it up?

I can think of a few instances where you would still be vulnerable without a firewall, like if there was an exploit discovered in the network stack of the OS.

What has you chained to your firewall?

[the_quark]

Two words: Regulatory Compliance. Thanks to standards like CISP (the Visa security standard) and SAS-70 (the accounting standard), HIPPA (the medical privacy standard), firewalls are mandated for many US businesses, even small ones.

At my last company, we didn't have a firewall on the website, because my philosophy was "I'm running port scanning to make sure 22, 80 and 443 are the only ports listening on the boxes - why should I put a firewall in front of it to only let those ports through?"

Unfortunately, now, if you don't have a firewall, you're not in compliance. It's simply a cost of doing business - the security concerns are completely irellevent.

Obviously, you should be building your networks so they would work without firewalls - that's a lot more secure. But, unfortunately, you can't just throw the firewalls out even if you don't need them.

Does SANE support the Scanmaker 4850 yet?

[tepples]

And if you have processes running and listening on ports that you don't want or need, why are you running them?

Because the operating system that you run is incapable of turning them off, and no other operating system is compatible with a mission-critical application or hardware device?

Re:Does SANE support the Scanmaker 4850 yet?

[jacksonj04]

Oh for mod points.

Also, firewalls are good for if you have networks which need to do a lot of internal talking on potentially hazardous ports, but don't want the rest of the world to talk on those ports. Think big application platforms.

Re:He's only giving up the border firewall...

[Master+of+Transhuman]

The "harm" is described in the article:

"Perimeter security was originally intended to allow us to operate with the confidence that our information and content wouldn't be stolen or otherwise abused. Instead, the firewall has slowed down application deployment, limiting our choice of applications and increasing our stress.

To make matters worse, we constantly heard that something was safe because it was inside our network. Who thinks that the bad guys are outside the firewall and the good guys are in? A myriad of applications, from Web-based mail to IM to VoIP, can now tunnel through or bypass the firewall. At the same time, new organizational models embrace a variety of visitors, including contractors and partners, into our networks. Nevertheless, the perimeter is still seen as a defense that keeps out bad behavior. Taking that crutch away has forced us to rethink our security model."

I can see the point. However, as always,YMMV. If you can't devote the resources to doing decent monitoring of your applications and servers, and keeping the workstations patched, then you might need a perimeter firewall.

The point of the article is that a perimeter firewall - a "moat mentality" - leads to lax security on the internal network. And it's NOT "cheap insurance" because it requires much more maintenance to secure an entire perimeter of thousands of workstations AND still provide Net access to those systems (and visitors) than it does to secure an inner ring of a few hundred servers and to treat EVERYBODY outside that ring as a threat - including your own users.

Re:Band-aid

[Golden_Eternity]

Firewalls have nothing to do with processes running on computers. They are for filtering network packets. What the poster is referring to is blocking off network traffic to those unknown processes. As an example, ZoneAlarm on a windows desktop... You may not realize the software that is running in the background trying to make outbound connections, but the firewall will catch those connections.

Or on the unix world, if you set up a default deny policy and only allow traffic to specific daemons, then if a new process starts unexpectedly, then you don't have to worry about unwanted connections to it.

If all you're doing is running a couple services that you want the world to be able to access, then yes, a firewall is just a bandaid against the potential for unknown processes running on the system.

Re:Address translation

[JamesTRexx]

Not only that, the firewall I use doesn't only do NAT for the machines inside, but it seperates my network into the regular internal network, DMZ, and the wireless network, making sure traffic like http, smtp, ftp goes from the outside to the right server inside, but also keeps unwanted traffic going from one internal network to the other.
If you only have one public ip address but more than one (virtual) server, you need a firewall or router.