Nov 4, 2014

The 4 Biggest Misconceptions about Firewalls Everyone Believes

It’s true; the internet really is out to get you. Everything from compromised hosts to foreign intelligence agencies is probing the internet for weaknesses. It’s important, especially in light of recent events like the POODLE, Sandworm, Shellshock and Heartbleed exploits, to keep your servers up to date and patched. However, it is equally important to invest in your own peace of mind and security by protecting your servers with a hardware firewall.

Firewalls tend to be a little misunderstood, so to remedy that issue, let’s tackle the four biggest misconceptions about firewalls and lay them to rest.

Misconception 1: A firewall will prevent your server from being hacked.

If configured correctly, a firewall can certainly prevent traffic from reaching, say, the SSH port on your servers. But it cannot prevent someone from brute-forcing a login on a port you do expose (which is why having the most secure password you can is important). Similarly, it would not prevent someone from executing a Joomla exploit or something like the recent Heartbleed fiasco.

Misconception 2: A firewall will protect against bad code.

A classic example of a way to compromise a server is referred to as a ‘SQL injection attack’. When an application passes user input into SQL queries without handling it properly, it’s possible for an attacker to execute arbitrary SQL commands against the database, and a firewall won’t be able to help.

This is because of the way internet traffic is structured. Think of a packet as a multi-layer cake, where the firewall is only able to view the first few layers. Attacks of this type occur at layers beyond what the firewall can ‘see’.

Misconception 3: A firewall will protect you against Denial of Service (DoS) attacks.

DoS attacks of yesteryear were relatively easy to mitigate due to their size. However, with the number of compromised hosts on the internet and the advent of ‘bot controllers,’ hundreds or thousands of hosts can be used to launch attacks many gigabits per second in size. In March of 2013, one company was targeted with a DoS that tipped the scales at 300 gigabits per second. No hardware firewall is capable of standing up against a fusillade of that size.

Misconception 4: A firewall will provide absolute security.

No single application or appliance can guarantee perfect security, and that applies to firewalls as well. There is no magic bullet when it comes to protecting your servers – defense in depth is the name of the game.

Now that we’ve seen what a firewall can’t do, what CAN they do?  After reading the last section, you might be inclined to think that a firewall isn’t really worth having, but they provide some key components of server security.

1. A firewall provides a first line of defense and offloads the security posture from your servers.

I don’t know about you, but my servers have enough to do without also having to act as their own perimeter fence.  The internet is inherently a dangerous place, and a hardware firewall acts as your first line of defense against some of that background noise.  With a hardware firewall blocking ports that shouldn’t be exposed to the public, it also takes the burden of processing that traffic off of the servers, freeing them up to do what they’re there to do.

2. A firewall provides a single point of control for inbound traffic.

Whenever you do anything related to your security posture, it’s important to think about how scalable it is. Managing software firewall rules for one server is easy enough, but does that scale easily to ten servers? Twenty? Not really.

Software firewalls are great if the configuration is static.  In real life however, there are changes coming as partners come and go, new offices are opened, et cetera.  A hardware firewall gives you a single point of control, and at Codero, your firewall will be completely managed for you by security experts.

3. A firewall allows the creation of VPNs.

Earlier, I mentioned an attacker brute-forcing an SSH login. So why expose SSH to the internet at all? Both remote access (for individuals) and site-to-site VPNs (for offices or partners) allow you to disable things like SSH or RDP access on the public internet, and only allow such connections over the cryptographic tunnel a VPN provides.

Additionally, you may have a need to connect your environment to another company for things like credit card transactions or other communications where security is important.  Allow me to pause briefly to don my nerd glasses before continuing (those with a distaste for math, please join me two paragraphs down).

The security in VPNs lies in the fact that at present, it’s very computationally expensive to factor large numbers. Under the hood, IPsec (the heart and soul of VPNs) really boils down to two very large prime numbers (numbers divisible only by one and themselves). By ‘very large’ I mean upwards of 1,000 bits; for comparison, the largest 32-bit number is 4,294,967,295. These numbers are involved in calculating the cryptographic key for the tunnel. With the size of keys that are used, if you were to try a trillion trillion keys per second it would still take you more time than the sun has left to burn.
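To make points 1 through 3 concrete, here is an added example of what such a perimeter policy looks like in nftables syntax; it is not Codero’s configuration, and the addresses are constructed (203.0.113.10 stands for the web server, 10.20.0.0/24 for the VPN client pool). It assumes the firewall terminates the IPsec tunnel itself, so management ports are reachable only from addresses inside the tunnel, never from the public internet.

```nftables
# Added example, not the hosting provider's configuration.
# Assumed addresses (constructed): 203.0.113.10 = web server, 10.20.0.0/24 = VPN clients.
table inet perimeter {
    chain input {
        # Traffic addressed to the firewall itself: default deny.
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
        # IKE (UDP 500, NAT-T on UDP 4500) and ESP, so remote-access clients can build the tunnel.
        udp dport { 500, 4500 } accept
        meta l4proto esp accept
        icmp type echo-request limit rate 5/second accept
    }
    chain forward {
        # Traffic passing through the firewall to the servers behind it: default deny.
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Public services only: what the server is actually there to do.
        ip daddr 203.0.113.10 tcp dport { 80, 443 } accept
        # SSH and RDP are allowed only from the VPN client pool (point 3 above);
        # the same ports are never opened to the public internet.
        ip saddr 10.20.0.0/24 ip daddr 203.0.113.10 tcp dport { 22, 3389 } accept
        # Everything else from the internet is dropped by the chain policy; log a rate-limited
        # sample first so the background noise the servers no longer see is still visible.
        limit rate 10/minute log prefix "perimeter-drop: "
    }
}
```

Because the rules live on the firewall rather than on each server, adding a second or tenth server means adding one `ip daddr` line here instead of maintaining ten separate software firewall configurations (point 2 above).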

So – what’s the take-away here? Security is not a ‘thing’ – you don’t install the latest version of security and walk away. Security is a very fluid concept requiring constant vigilance and careful thought. Not once have I caught myself saying “You know, that server is entirely too secure” – adding a firewall to your servers adds one more layer, and each layer counts.
