🧱Firewall Carpet Bombing is Bad for your Business💣

Why firewalls alone can't protect your business


Driving SD-WAN Adoption in South Africa

Firewalls are simple security devices that have been around since the start of the Internet. They are a necessary component of an overall solution, but not the definitive answer to information security problems. They have a minimalist set of features:

They serve a very specific information security requirement, but they are not a silver bullet. They often don't stop ransomware, no matter what the salesman says... Along the way firewalls have acquired a number of bolt-ons to make them more appealing. Unified Threat Management (UTM) is one of them: nothing more than a rehash of the file signature scanning of the nineties, applied to network flows instead of files. As useful as an umbrella in a tornado.

A common deployment is a firewall at every branch of the business. This strategy is suboptimal because:

  • The branches end up with a cheaper firewall that cannot withstand a sustained cyber attack;

  • Enabling any additional feature set brings that cheaper firewall to its knees;

  • The overall business attack surface has been amplified, which is never a good thing;

  • The solution relies on humans at every branch, and humans are the most common point of failure;

  • Traffic optimization is problematic or non-existent; and

  • Certain protocols are difficult to handle or simply incompatible with the selected firewall.

In any business you only need one firewall. Using a large number does not improve the security profile and, if anything, lowers it through complexity. What you want is a massive box with enough horsepower to sustain any traffic load, feature set or attack. To err on the side of caution, you would need two, where the second one is your backup. In this model the branches are connected to the central firewall via a secure software defined wide area network (SD-WAN). This is far more optimal than the firewall carpet bombing method. The best use of budget is to take all the money you would have spent on those inefficient branch firewalls and invest it in the central kick ass firewall.

Too often businesses invest in security solutions only to have them overridden by the dreaded any-any rule when things break. Any network engineer will refuse to admit that they have bypassed the firewall in this manner, but I'll bet my Eddy Merckx it has happened in a significant majority of business networks.
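The any-any rule is easy to spot in a rule export if somebody actually looks. The following audit script is an added example, not code from the original post: it takes a constructed, hypothetical rule set, assumes the firewall evaluates rules in first-match order (true of most products, but an assumption here), and reports both the any-any allow itself and every rule after it, which that allow has silently turned into dead configuration.

```python
"""Audit a firewall rule set for an any-any allow and the rules it shadows."""
from dataclasses import dataclass

ANY = "any"


@dataclass(frozen=True)
class Rule:
    name: str
    src: str       # source address or "any"
    dst: str       # destination address or "any"
    service: str   # e.g. "tcp/443" or "any"
    action: str    # "allow" or "deny"


# Constructed sample rule set (hypothetical, not from any real firewall): a sane base policy
# with a "temporary" any-any allow added when a ticket broke something.
SAMPLE_RULES = [
    Rule("branch-to-erp", "10.20.0.0/16", "10.1.5.10", "tcp/443", "allow"),
    Rule("branch-dns", "10.20.0.0/16", "9.9.9.9", "udp/53", "allow"),
    Rule("temp-fix-ticket-4711", ANY, ANY, ANY, "allow"),
    Rule("block-smb-out", ANY, "0.0.0.0/0", "tcp/445", "deny"),
    Rule("default-deny", ANY, ANY, ANY, "deny"),
]


def is_any_any(rule: Rule) -> bool:
    """True when source, destination and service are all wildcards."""
    return rule.src == ANY and rule.dst == ANY and rule.service == ANY


def audit(rules):
    """Return (names of any-any allow rules, names of rules shadowed by them).

    Assumes first-match evaluation: once an any-any allow matches, no later rule
    is ever consulted, so every rule after it (including an explicit deny) is dead.
    """
    bypass, shadowed = [], []
    open_door = False
    for rule in rules:
        if open_door:
            shadowed.append(rule.name)
            continue
        if is_any_any(rule) and rule.action == "allow":
            bypass.append(rule.name)
            open_door = True
    return bypass, shadowed


if __name__ == "__main__":
    found, dead = audit(SAMPLE_RULES)
    print("any-any allow rules:", found)
    print("rules that can never be reached:", dead)
```

Run against the sample set it flags `temp-fix-ticket-4711` and reports `block-smb-out` and `default-deny` as unreachable: the outbound SMB block that would have slowed a ransomware outbreak is no longer doing anything. Running a check like this against the real export on a schedule is cheap, and far cheaper than discovering the bypass after the fact.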

Tip: The best mechanism to kick ransomware in the pants is to use a filtered DNS service on your central firewall. An example is Quad9. Much malware locates its command and control servers by domain name, so a resolver that refuses to answer for known-malicious domains breaks that step before a connection is ever made. The caveat is that it only works if the central firewall also stops branch hosts from talking to any other resolver, otherwise a host with a different DNS server configured walks straight past it; malware that uses hardcoded IP addresses or DNS over HTTPS is also not affected.
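Enforcing the tip means the only DNS leaving the branches is DNS to the filtered service. The following script is an added example, not code from the original post, of the check you would run over the central firewall's flow logs to prove that. It assumes Quad9's published resolver addresses (9.9.9.9 and 149.112.112.112) are the configured filtered service, and it uses a constructed, hypothetical log format of `src dst proto dport action`; a real export would need its own parser. It flags any allowed DNS (port 53) or DNS-over-TLS (port 853) flow that went anywhere else.

```python
"""Find DNS traffic that bypasses the central filtered resolver."""
import ipaddress

# Quad9 resolver addresses; assumption that this is the configured filtered service.
FILTERED_RESOLVERS = {
    ipaddress.ip_address("9.9.9.9"),
    ipaddress.ip_address("149.112.112.112"),
}
DNS_PORTS = {53, 853}  # plain DNS and DNS-over-TLS (DNS-over-HTTPS on 443 cannot be caught by port)

# Constructed sample flow log (hypothetical format: src dst proto dport action).
SAMPLE_FLOWS = """\
10.20.1.15 9.9.9.9 udp 53 allow
10.20.1.15 149.112.112.112 tcp 853 allow
10.20.3.7 8.8.8.8 udp 53 allow
10.20.3.7 198.51.100.23 udp 53 allow
10.20.4.2 10.1.5.10 tcp 443 allow
10.20.5.9 203.0.113.5 tcp 853 allow
10.20.5.9 1.1.1.1 udp 53 deny
"""


def parse_flow(line):
    """Split one constructed log line into typed fields."""
    src, dst, proto, dport, action = line.split()
    return ipaddress.ip_address(src), ipaddress.ip_address(dst), proto, int(dport), action


def dns_bypasses(flow_text):
    """Return [(src, dst, port)] for allowed DNS or DoT flows not sent to the filtered resolver.

    Denied flows are not reported: those show the egress rule doing its job.
    """
    findings = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        src, dst, _proto, dport, action = parse_flow(line)
        if dport in DNS_PORTS and action == "allow" and dst not in FILTERED_RESOLVERS:
            findings.append((str(src), str(dst), dport))
    return findings


if __name__ == "__main__":
    for src, dst, port in dns_bypasses(SAMPLE_FLOWS):
        print(f"{src} resolved via {dst}:{port} instead of the filtered service")
```

On the sample log this reports one branch host using a public resolver on 8.8.8.8, one host sending DNS to an unknown address on 198.51.100.23, and one host doing DNS-over-TLS to 203.0.113.5; the denied query to 1.1.1.1 is the egress rule working and is not reported. Every finding is either a misconfigured client or something you want to look at harder, and an empty result is the evidence that the filtered resolver actually sits in the path.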

Ronald Bartels is not a fan of firewall carpet bombing or the regime of renaming firewall VPN solutions to magically become SD-WAN. You can message him on LinkedIn to discuss and engage on SD-WAN solutions.
