10:30 AM
Adam Ely
Commentary

Stupid Firewall Tricks

Firewalls have a bad reputation in many organizations, but it's not always the firewall's fault. Often, organizations use firewalls in places where they aren't really needed. For example, common practice dictates that we should place firewalls with stateful packet inspection enabled in front of Web servers. But does this really make any sense? Why perform stateful packet inspection on a stateless protocol? Why use a firewall in front of Web property when 99 percent of the requests are allowed? This only piles on another device that could fail, another device to add latency, and another device to architect around.

Most companies with a sizable Web presence use edge routers, firewalls and load balancers. I advocate removing the firewall in this configuration. Instead, apply an access control list to the edge router, configure the load balancer to reject direct traffic and ensure the management interface is only accessible from the internal side. Then let the traffic flow faster.
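The edge-router configuration described above, written out as an added example (this is not the author's or any vendor's configuration; it uses Cisco IOS extended ACL syntax, and the addresses are RFC 5737 documentation placeholders standing in for a load-balancer VIP, the load-balancer management address and the real server pool):

```text
! Inbound ACL applied on the Internet-facing interface, replacing the stateful firewall.
! Only the load-balancer VIP is reachable from outside, and only on the Web ports.
ip access-list extended EDGE-IN
 remark --- Public Web service: permit only HTTP/HTTPS to the load-balancer VIP (203.0.113.10)
 permit tcp any host 203.0.113.10 eq 80
 permit tcp any host 203.0.113.10 eq 443
 remark --- Reject direct traffic: the real server pool (203.0.113.32/27) is never reachable from outside
 deny   ip any 203.0.113.32 0.0.0.31
 remark --- Load-balancer management interface (203.0.113.250) is reachable only from the internal side
 deny   ip any host 203.0.113.250
 remark --- Stateless trade-off: return traffic for connections initiated from inside must be
 remark --- permitted explicitly (matches TCP segments with ACK or RST set); a stateful
 remark --- firewall would track these sessions for you.
 permit tcp any any established
 remark --- Log everything else that is dropped so the edge still produces useful telemetry
 deny   ip any any log
!
interface GigabitEthernet0/0
 description Internet uplink
 ip access-group EDGE-IN in
```

The `established` line is the one piece of state the firewall was providing for free; keep it in mind when deciding whether an edge ACL is enough for a given segment.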

Ask any network admin at any large Web property and they will tell you this is how they have set up their network. So why haven't the rest of us? Why are we dealing with firewall performance issues and configuration nightmares where we don't need to? If you're worried about DDoS attacks, mitigate at the edge or upstream at the ISP. If you're worried about Web application vulnerabilities, use a purpose-built product.

I don't advocate the removal of firewalls everywhere. They are still vital and can perform critical functions, such as VPN termination and application-level security or packet inspection, though we could and should question whether the firewall is the best place to do either of these tasks. Firewalls should be placed between the external and internal networks, and between the internal network and the highly valuable assets. Use them where the majority of traffic should be blocked, not the other way around.

Placing a firewall where it isn't needed can give organizations a false sense of security, which can be just as bad as having no security at all. Unnecessary firewall deployments also create needless operational burdens and add to network complexity. IT and security teams can make their lives easier if they stop trying to make firewalls do stupid tricks.

Adam Ely is the founder and COO of Bluebox. Prior to this role, Adam was the CISO of the Heroku business unit at Salesforce where he was responsible for application security, security operations, compliance, and external security relations. Prior to Salesforce, Adam led ...