
Security-vendor snake oil: 7 promises that don't deliver

Roger A. Grimes | May 14, 2014
Beware bold promises from a multibillion-dollar industry that can't prevent your IT systems from being routinely hacked

Security snake oil No. 5: Firewalls
I spend part of my professional career telling people to make sure they use firewalls. If you don't have one, I'll probably write up an audit finding. But the truth is that firewalls (traditional or advanced) rarely protect us against anything.

Firewalls block unauthorized traffic from vulnerable, exploitable listening services. Today, we don't have that many vulnerable services or truly remote attacks. We do get and have vulnerable services, such as the recent OpenSSL Heartbleed vulnerability, but even most of those attacks would not have been stopped by a firewall.

The websites using OpenSSL already opened the ports that OpenSSL needed to function. The vulnerable version of OpenSSL was available for any knowledgeable attacker to compromise. Today, most attacks (and I mean 99.99 percent) are application-layer attacks that require user involvement to succeed. Once the user is tricked into running something, the malicious program executes in memory on the user's computer, and the firewall can't help. The badness scoots past the firewall on allowed ports and executes on the user's desktop.

Firewalls can help only if they prevent attacks against blocked ports. But everyone allows ports 80 and 443 into their networks, and those are the two ports that most successful attacks will target. You can't block them because it would bring business to a halt.

Don't believe me? When is the last time you thought, "Wow, if I had just had a firewall enabled, I wouldn't have been successfully attacked"? I'll give you full credit if you can even remember the year.

A lot of firewall vendors already know my personal feelings, and they will often tell me that the problem is only with "traditional" firewalls and that their "advanced" firewall solves the problem. Their advanced firewall is always an application proxy or filter that includes an anti-virus scanner or IDS capabilities. See above. If advanced firewalls worked, we'd all be running them, and our hacker problems would be over.

Security snake oil No. 6: Redundancy
The oft-forgotten third word of the information-security acronym CIA is availability (the other two are confidentiality and integrity). As a concept, availability makes for great sales pitches. The reality, however, is that availability is more snake oil than we might like to admit.

Availability, and its sibling redundancy, drives a significant amount of hardware sales. These days, we have redundant power supplies, redundant hard drives, even redundant motherboards and CPUs. Before redundancy became a thing, I never needed the second unit. It's almost as if vendors give us components they know will fail.

I have a computer that's been running on the same hard drive, motherboard, and power supply for more than 20 years. Never had a problem. I don't even clean out all the dust. But I rarely buy a $100K server or appliance with redundant everything that I don't end up having problems with.

