Advancing Firewall Evils to 10-Tuple

November 04, 2014

This blog is a part of FireMon's "Future of the Firewall" series. Read more at firemon.com.

When I first started working with firewalls some 18-odd years ago, the revolution of “stateful inspection” was just starting to take hold. The explosion of Internet bandwidth (laughable now) to DS3-type speeds was driving everyone away from the proxy solutions they had in place to this awesome new security device.

All firewalling concepts were geared to the 5-tuple (source and destination address, source and destination port, and protocol), situating the firewall firmly in the L4 space, but even then the market leaders defied that definition. Anyone who tried to pass active FTP without proper CRLF formatting in the command channel was painfully aware of just how far up the stack the “L4 firewall” could go.

Of course, back then you made a good living knowing how to turn those security features off (probably not selectively) so you could make the network work again. Now, we’re all trying to figure out how to program the network properly so we can exert control over the 10-tuple, which eliminates the need for stateful inspection, right?

Answering that question requires some thought about basic concepts. I start by wondering: “Why does the network exist? What’s its purpose?” For me, the answer is that the network provides nothing in and of itself; it exists to supply services to the users of those services. With that in mind, we can start by asking just what it is the firewall does for us.

Some past lines of thinking would say the firewall:

  • Stops users from consuming unauthorized services (SSH, for example) – which seems like something the service should do, right? If my network can manage flows, why can’t my service manage who consumes those services?
  • Prevents bad actors from exploiting misconfigurations and vulnerabilities on the network and overlying services – but isn’t the network intelligent enough to protect itself and the services that ride on top of it?

For me those are all good reasons for the existence of the firewall, but not quite succinct enough. I think the firewall exists to manage and filter what would otherwise be (or has been) unmanageable.

There’s always been a “better way” to secure your services: fix your vulnerabilities and deploy host- or service-based security. But how is that working out at enterprise scale? The firewall has always been a necessary evil. Should we need it? No. Must we have it? Yes.

In conclusion, I don’t think the firewall is going away. Rather, it will be something different than what we know today.

It may not be a network device, but rather something that exerts control over the network. It may even have a different name, and we may finally be able to discard our “burning brick wall” icons. It must have certain features that give it modern relevance, such as identity management and enforcement and service awareness, but that whole line of thought is a blog post in and of itself.

It is a point of trusted enforcement in our network – a necessary evil – that we will continue to rely on as part of our “next-next generation” security environment.
