Firewalls sometimes do more harm than good.
When it comes to large, Internet-facing servers, network firewalls add an unnecessary failure point. IT and security managers have leaned on stateful packet-filtering and proxy firewalls
Just because you don't have a firewall in front of a server doesn't mean you can't control system access.
Believe it or not, it is possible to improve reliability and strengthen network and host security by turning off a firewall. In this tip, we'll offer three pointers that explain why it can be beneficial to live life without a firewall and help ease the transition in your organization.
'No firewall' doesn't mean 'no control'
Just because you don't have a firewall in front of a server doesn't mean you can't control system access; simpler and more reliable technologies -- such as router access lists and the host-based, built-in packet filters that are included as part of every modern operating system -- can still offer ample control. Edge routers are perfectly good at discarding unwanted packets and can do so without the overhead of a firewall. If a server is only listening on port 443, then that's the only port that should be open on the edge router and accessible through the server's own firewall.
Just as important and effective is using edge routers to control outbound connections. A compromised host must talk to someone to be used and useful, and if the host can't make an outbound connection, then an attacker's hands will be tied. An Internet-exposed server should be able to talk DNS and NTP protocols to an internal server, download patches from an internal patch repository and perhaps send logs off to an internal log server. When it comes to outbound services, that's about it. Even if your organization can't yet accept the idea of getting rid of your standard network firewall, you should still lock down outbound connections on that firewall.
Hosts can stand on their own two feet
That is, if they had feet, which they don't -- but you get the point. Firewalls can serve many purposes, and one of the main goals of today's firewalls is compensating for weak or poorly understood host security. Rather than secure the host, many system managers are happy to hide a system behind an Internet firewall, believing that a stateful firewall will protect them from serious threats. Sorry, that won't work. It's only one step better than "security through obscurity."
It's time for system managers to get serious about understanding their own host-security mechanisms and enable built-in barriers so that they're confident that their servers aren't waiting to be pushed over by the first serious attacker to show up -- inside the organizational LAN or from the Internet. Every modern operating system has some way of controlling access just waiting to be configured. Remember that the closer you are to the information you're trying to protect, the easier the job is.
Treat your data right and it won't let you down
Losing control of a host is an annoyance, like finding graffiti on your front door. Having adversaries walk into your house, or network, and steal your data is a much bigger deal. With or without a firewall, hosts can be compromised. Make sure that important information isn't floating around waiting to be taken.
To do this, employ controls that are suited for data protection: encryption, data masking, archiving and even purging temporary files on a disciplined schedule. These can all reduce the organizational risk from a compromised host. If there's nothing important to steal, or if what is stolen is useless to the thief, you're less likely to end up making headlines or making a breach disclosure. At the same time, properly segregate duties and privileges of system and application management to minimize insider risk. System and network administrators don't need to have access to critical corporate data, and application owners don't need to also be operating system administrators -- a lesson the National Security Agency just learned from its former system administrator, Edward Snowden.
About the author:
Joel Snyder is a senior partner with consulting firm Opus One in Tucson, Ariz. He has worked in IT for more than 25 years.
This was first published in June 2013