KuppingerCole Report
Advisory Note
By Paul Simmonds

Firewalls Are Dead - How to Build a Resilient, Defendable Network

The firewall is dead – long live the firewall... In today’s modern business the traditional firewall model, sitting at the corporate perimeter, has little value, and more often than not hinders business agility. In building a modern, resilient and defendable network the firewall may have a part to play, by using it in a role where it is actually able to be effective.
By Paul Simmonds
ps@kuppingercole.com

1 Management Summary

If it is the goal of information security to enable the business as well as protect it, then the traditional network model of an insecure outside (the ...

Instead we need to re-purpose the firewall, moving from one perimeter to many micro-perimeters, using one tool to centrally provide a consistent view ...

2 Highlights

  • A traditional 1990s secure internal network protected from the Internet by a firewall is obsolete
    • It is easily exploited by adversaries
    • It for ...

3 Why firewalls are dead?

To understand why firewalls are dead, you first need to understand the function of a traditional firewall. It has been said that a firewall is just a ...

3.1 Modern exploits bypass firewalls

Criminals, hackers, organised crime and state agencies expect a firewall and understand its limitations. Modern exploits use spear-phishing (targeted m ...

3.2 Rules on a firewall are unmanageable

A typical corporate border firewall has in excess of 2500 rules; and while a few may be well managed, for most the rules are undocumented, lost in the ...

3.3 The network already extends outside your perimeter

In a typical organisation, where over 80% of end-point devices are laptops, it could be argued that the majority of the organisation’s data is alrea ...

3.4 Encryption defeats a firewall

One of the original benefits for a firewall was its ability to perform deep packet inspection on traffic flowing through it and apply rules as a re ...

3.5 Everything uses ports 80 & 443

Well not everything, it just seems like it! Port 80 (HTTP) and port 443 (HTTPS) are the two web ports that need to be open in any business. Software v ...

3.6 Logging and Monitoring

Modern networks are designed to segment traffic so it only goes where it needs to and does not clog up other parts of the network. Now combine that w ...

4 Building a resilient, defendable network

Building a resilient, defendable network requires a good understanding on what you are protecting. This generally falls into two areas, data and contr ...

4.1 A strategic approach to control systems

Within control systems, there are two different approaches that should be considered when protecting that system, dependent on whether the control sys ...

4.1.1 Core control system

An example would be a reactor plant, where the reactor and its associated control systems are core, and everything else is working to support the reac ...

4.1.2 Non-core control systems

An example of a non-core plant system would be a section of network with Programmable Logic Controllers driving a production (Plant) system. Originall ...

The example shown is a specific example of micro-perimeterisation (see 4.6) used to overcome the inability of an Industrial Control System to inheren ...

4.2 A strategic approach to Data

Data is the lifeblood of any company, and should be protected, but must be capable of flowing to wherever it is legitimately required. To achieve a se ...

4.3 Architectural models

The architectural solutions should be chosen to support the data strategy and the aim should be to ensure the solution works (preferably invisibly for ...

4.4 System Hardening

All systems should be hardened. Where a system cannot natively be sufficiently hardened then either additional security software or a security device ...

4.5 Application Hardening

Even with a hardened system, the applications on the system will still pose vulnerabilities; and must be kept patched and up to date. Understanding an ...

4.6 Micro-perimeterisation

Micro-perimeterisation refers to moving the perimeter as close to the data as possible (and ultimately to the data itself). With micro-perimeterisatio ...

For example; a Web server could be protected with a Web Application Firewall (WAF) while a general purpose Windows file server could be protected with ...

4.7 Inherently Secure Protocols

The working assumption on any large network should be that some devices are compromised and that all communications are being monitored and intercepte ...

4.8 Encryption

By default, “data must be appropriately secured when stored, in transit, and in use” and to achieve this any data strategy should deliver solution ...

4.9 Identity

Identity should be a core component in building a resilient, defendable network. Where possible, all access should be strongly authenticated for ever ...

4.10 VLANs

Virtual LANs should be avoided as a security tool. VLANs were designed to be able to segregate traffic, and apply different Quality-of-Service (QoS) t ...

4.11 Anomaly monitoring & detection

Monitoring the network for anomalies is difficult (but not impossible) in the modern network and must be the combination of multiple sources of inform ...

4.12 Data Centres / DMZ

Data Centres are a specific case for micro-perimeterisation; with the need to understand the data flows and access requirements into and out of each s ...

4.13 Insecure Office networks

There is a good argument to be made for treating an office network as untrusted, and moving the security and network controls to the resources those ...

4.14 Inland Networks

Notwithstanding the comments above, there will be cases where a high security internal network will be required. Examples are a Financial Trading Floo ...

4.15 Firewall management

With a set of distributed firewalls, having a single tool that allows a holistic view of how the firewalls are configured allows a better understanding ...

5 Recommendations

Implementing a successful security strategy that leverages firewalls and network protection requires a strategic approach based around the following s ...

5.1 Map and understand where the data needs to flow

For a successful network strategy to be implemented you need a matching security strategy, both driven by mapping an organisation's data flow. This tra ...

5.2 Take a strategic view of data & systems security

Once the data flow within an organisation is understood, then a security and network strategy can be derived. The primary aim of any strategy should b ...

5.3 Retain firewalls where they do some good

For an organisation that maintains a global Wide Area Network (WAN), usually at significant expense, it is important that the WAN and associated site ...

5.4 Stop protecting areas where the battle is not worth winning

For many organisations, having a single standard for protecting the entire “internal” network is a complete waste of time, money and resources; it ...

5.5 Protect what is of value

Most of the data in an organisation is of low value, from last week’s stock exchange announcements to today’s restaurant menu; some put this figur ...

5.6 Visibility is key

Having a single tool that allows a holistic view of how your firewalls are configured allows a better understanding of where data can flow, and under ...

5.7 Leverage encryption & identity to replace network security

Moving protection from the network to the protocol and data layers means that data can move more freely throughout the network and potentially dire ...

6 Conclusion

Most of today’s networks are a legacy architecture from the 1990s; the outside insecure (the Internet) with a firewall protecting the secure inte ...

Copyright

©2020 KuppingerCole Analysts AG all rights reserved. Reproduction and distribution of this publication in any form is forbidden unless prior written permission is obtained. All conclusions, recommendations and predictions in this document represent KuppingerCole's initial view. Through gathering more information and performing deep analysis, positions presented in this document will be subject to refinements or even major changes. KuppingerCole disclaims all warranties as to the completeness, accuracy and/or adequacy of this information. Even if KuppingerCole research documents may discuss legal issues related to information security and technology, KuppingerCole does not provide any legal services or advice and its publications shall not be used as such. KuppingerCole shall have no liability for errors or inadequacies in the information contained in this document. Any opinion expressed may be subject to change without notice. All product and company names are trademarks™ or registered® trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.

KuppingerCole Analysts support IT professionals with outstanding expertise in defining IT strategies and in relevant decision-making processes. As a leading analyst company, KuppingerCole provides first-hand vendor-neutral information. Our services allow you to feel comfortable and secure in taking decisions essential to your business.

KuppingerCole, founded back in 2004, is a global, independent analyst organization headquartered in Europe. We specialize in providing vendor-neutral advice, expertise, thought leadership, and practical relevance in Cybersecurity, Digital Identity & IAM (Identity and Access Management), Cloud Risk and Security, and Artificial Intelligence, as well as for all technologies fostering Digital Transformation. We support companies, corporate users, integrators and software manufacturers in meeting both tactical and strategic challenges and make better decisions for the success of their business. Maintaining a balance between immediate implementation and long-term viability is at the heart of our philosophy.

For further information, please contact clients@kuppingercole.com.