Reconsider Your Firewall Purchase
I'm Max Clark. This is 20 minutes max, and I'm gonna talk about firewalls. So I've been doing this for a while, about 25 years, and I'm willing to bet that 99 point, I don't know, 12 nines worth of firewalls that I've ever encountered in my life have been configured basically the same, which is, you know, a NAT rule. Actually, let's be really specific here because, otherwise, I'm gonna get attacked by some turbo nerds. I can have a port address translation rule providing inbound private IP space access to the Internet via a public IP.
Speaker 1:Right? So it's PAT, not NAT, because NAT is a one-to-one translation versus PAT, which is a, you know, port translation. Okay. Anyways, we'll just call it NAT, not to be too geeky here. And you have some rules.
Speaker 1:You have some NAT rules that say, like, hey, I have a server on the inside. Here's its IP address, the private IP address. Here's a public IP address that I want it to have, and these are the services I want to enable. Right?
Speaker 1:I need to allow SMTP or IMAP or HTTPS or whatever it actually is. Right? And all your policies and your rules end up on your outside interface, allowing traffic to your inside. And now when I say, like, almost 100% of all firewalls are configured the same way, it's because there's not gonna be rules or configuration limiting traffic outbound. It's very rare to see a firewall that limits rules outbound.
Speaker 1:And this is why when we get into data center applications, with the overall majority of data centers that we touch and have touched over the years, the idea of putting a really big, expensive, you know, OEM brand-name firewall in place doesn't make any sense, because it's not actually doing anything for you. Usually, it's not even doing that, you know, because you're using public IPs for your actual servers themselves in the data center. So once you get to that point, you're not doing that, you know, private IP space to public IP space. Your switch or your router ACLs can do the same thing that your firewall can do. And you're gonna say, okay.
Speaker 1:Well, there's more stuff the firewall can do. Yeah. There's more stuff the firewall can do. It can do VPNs, but, like, you know, you can deal with that other ways. Or you can say, okay.
Speaker 1:Hey. You know, I've got this really fancy firewall that I wanna deploy because it's gonna do UTM and DPI for me. And I'm gonna let you know a big secret here, which is most of the time that's complete garbage and you're gonna turn it off. It's a pretty common universal experience for somebody to decide to enable UTM or DPI, or UTM and DPI. And, you know, so, threat management and deep packet inspection.
Speaker 1:So you're gonna click the box, and you're gonna enable UTM and DPI on the firewall, and you're gonna go to, like, holy smokes. Our network went from being really fast to everything sucks now. Why does everything suck? It's like, oh, I clicked this box to run everything through the firewall engine and inspect it, and now it got really slow. What am I actually getting out of it?
Speaker 1:And usually, the answer is you're getting nothing out of it. Because almost everything that you're doing today has some sort of SSL wrapper encryption on top of it. And the firewall is not gonna do a man-in-the-middle attack and try to, you know, decrypt, you know, like, again, man-in-the-middle attack, like, hijack the SSL session on itself, and then actually look at what traffic is passing through it and figure out what the heck is going on. You know, there are some that do that, but, you know, again, 99 out of 100 times, or 999 out of 1,000 times, they don't. UTM and DPI get turned on, and they get turned off.
Speaker 1:Right? So now what you've got is a box that is providing a very basic policy engine to do inbound NAT. So for, you know, again, some kind of server or equipment, you know, on the premises inside the firewall in private IP space, to a public IP address. Let's say you don't have that because, you know, it's 2023 when I'm you know, it's May 1, 2023, actually. We'll be really specific here.
Speaker 1:And, you know, if you're doing your job right at this point, you've got a metric boatload of SaaS applications. You've got 365 or Google Workspace, using Google Drive or OneDrive and SharePoint. So you don't have a file server on-site anymore. You're not doing FTP on-site anymore. You're using, you know, some sort of UCaaS service, or no UCaaS, for your voice because you decided just to deploy everything on your cell phones.
Speaker 1:So there's no voice infrastructure on-site. You've got literally nothing on premise. Right? You know, I had a client tell me this 10 years ago. He looked at his office as, like, a fancy Starbucks.
Speaker 1:You know, people have to come in, sit down at the desk, and work. There's nothing there. We're just trying to make sure it's really fast, and they really like coming to the office because it's convenient. You know, as soon as you kind of make that mental, you know, leap, right, now you get into a situation where you're saying, okay. I'm providing really fast Internet access.
Speaker 1:I don't have any application infrastructure on my premises. I'm not using UTM or DPI. And then you get to the next step of this, which becomes, well, why am I spending a lot of money on a firewall? That's a really good question. As soon as you connect those two dots, it gets very interesting, and things start opening up for you.
Speaker 1:And so the first one is, you know, when you look at firewall brands, you know, there is a reason why you want to run Meraki, for instance, Meraki MXs and their switches, their MS switches, and their APs. You know, and you pay up and you pay a premium. Maybe you decide you wanna run Fortinet end to end. By the way, a little weird data point. The overwhelming majority of the service providers and MSSPs in the market that provide Fortinet firewalls, the Fortinet firewall product, run Meraki switches and access points and not the Fortinet switches and access points.
Speaker 1:I am waiting for that to change. But as of today, May 1, 2023, that is still the case. You know, use that data point for what you will, you know, an observation that I'm sharing here from experience. You know, what else, you say? You can go Palo.
Speaker 1:You know, people wanna buy Palo firewalls, and they put Meraki switches behind them, usually. Expensive, fancy firewall product. Could be using Palo Prisma because you want Prisma Access for your remote access. Maybe you've checked the box for UTM and DPI, or maybe you haven't. Now what is the relative value of any of those brands versus somebody like Ubiquiti?
Speaker 1:And Ubiquiti kind of fits in this prosumer category. Dirt cheap equipment. I mean, if you've ever priced a Ubiquiti access point at $100 versus, you know, a Ruckus, Aruba, Meraki, or any of these other players at $600 to $1,000.
Speaker 1:You might be in an environment where, you know, you need things that the more expensive access point does, or you could be in an environment that doesn't. What are the reasons? Density. Density is probably the biggest one. Right?
Speaker 1:You need really sophisticated network access controls, another one. You have a lot of devices you're trying to centrally manage. That could be a reason. You know, there's lots of stuff that goes into these purchase decisions. But the argument could be made of, if you're just providing a NAT gateway, or NAT traversal, and basic switching and, you know, access points, and you've got, you know, a couple hundred users at a location, why not just go Ubiquiti?
Speaker 1:It's really inexpensive. Doesn't give you failover firewalls. Maybe you don't care. Maybe you don't care. I don't know.
Speaker 1:We have to talk about it and figure out how much you care, if you don't care. Ubiquiti firewalls, you cannot have; Meraki firewalls, everybody else, you can have. You know? Like, that's important for some people. Or you could just bypass the entire firewall game completely and not invest in this crazy infrastructure anymore because it's probably not serving any purpose for you, or it's not giving you what you want. And there are phenomenal, phenomenal, phenomenal services on the market.
Speaker 1:That'll give you real value. And so the name of the game when you start talking about cybersecurity becomes a couple of things. Right? So the first one is pattern. Right?
Speaker 1:How much data are you seeing? What kind of patterns can you glean? Right? So you're doing this you know, good service providers are doing this in a couple of ways. They're gonna take threat intelligence feeds.
Speaker 1:They're gonna take pattern matching. This is what the firewall's doing when you enable, you know, UTM and DPI. It has some sort of, like, signature databases it's trying to compare stuff to and say, like, this looks weird, and send you an alert. And when you talk about a really good, you know, use the term SaaS, a really good SaaS-based service or, you know, somebody that's offering a cloud-based firewall, next-generation firewall in a cloud environment, where you are connecting to that cloud environment usually with some sort of, like, IPsec tunneling, GRE tunneling, whatever it is, from your edge or, you know, for your remote access users, your remote users, where they've got a client installed on their devices, which is effectively, again, a VPN connecting to them. You know, now you're aggregating, and that service provider is aggregating, just a ton of data across their entire sphere.
Speaker 1:So on the low end, right, they're getting threat intelligence feeds, and they're getting a ton of data aggregation. And then the really sophisticated ones can start doing pattern matching based on your specific traffic. I have clients who do desalination plants. Right? So if they're working on a project in Nigeria, it's not weird for their network to be talking to Nigeria and back.
Speaker 1:Right? Like, that is a normal activity for them. Now it might be strange for your network to be talking to Nigeria. Do you have the capacity of detecting that and flagging that? Right?
Speaker 1:This is traffic that maybe you wanna be aware of. Traditional on premise firewalls are not gonna give you that data. You could have a light bulb that's been compromised or a fish tank that's been compromised on your network that's talking through your firewall to a command and control server in some country, in some place that your network has no business ever ever talking to, and you're not gonna see it. You're not gonna learn on it. This is one of the big things you're gonna see, and you're gonna get out of going to one of these next generation firewall services because they see that at scale and they have the capacity and the sophistication to actually alert on those things for you.
Speaker 1:What are the other things that you're going to get? Secure web gateway: you can take and you can run FortiGuard, you can run Umbrella on top of your MX, or you can run Quad9. By the way, really easy hack. Turn on Quad9, you know, if you don't have budget for this stuff. It'll get you a huge benefit, you know, for your users.
Speaker 1:But a secure web gateway, you know, this goes back and, you know, like, in the good old days, like, Websense. Websense was just like a proxy server that was saying, hey, this URL is allowed or it's not allowed. Right? You could create column classifications, and their service was constantly going out and trying to classify all the potential URLs and websites on the planet.
Speaker 1:You know, 20 years ago, that was more feasible than it is today. And today, modern secure web gateways are gonna do the SWG function, and maybe they're also gonna do an RBI function, and the ability to actually look at the payload that's coming back from the website and say this is malicious JavaScript, it's trying to do something it shouldn't be doing, and don't allow it. Or this is a website hosted in a location, or that's a new domain registration, or it's trying to mimic something else, and it looks fishy, and don't allow it. So these are all things the SWG can do for you in real time that'll help, you know, prevent bad things from happening to you or to your users, which would then you know?
Speaker 1:You know, other things that you get from modern, you know, modern services are, you know, remote access, you know, and ZTNA functions. And, you know, look, Zero Trust and ZTNA and remote access is a VPN. You're not shopping for, like, a VPN versus not a VPN. What ZTNA is doing for you, and really what you'll see it expressed more as, is, like, an SDP, or software-defined perimeter. You know?
Speaker 1:So a really good, sophisticated ZTNA and SDP is the ability to create policies and entitlements for access. And the core of this becomes authentication and authorization linked with your identity provider. Right? So, provisioning, deprovisioning, and authentication, you know, in an SSO way. Right?
Speaker 1:So if you're using Azure AD, you don't have to configure anything else. You can say, okay, this user in my Azure is, you know, if you're using OAuth, Google Workspace, SAML, Okta, whatever it actually is, you can plug into these identity providers. And that way, when you deactivate a user account, it's automatically instantaneously deprovisioned across your remote access infrastructure. Okay? So that's, like, really basic stuff.
Speaker 1:You want this stuff. Other things that when you're running an SDP in a ZTNA environment that gives you the ability to do is you can start now expressing really rich rules. You can express rich rules that say things like, what's a common example? In order for this user to gain access to a resource, they have to be on a company-issued device. And we're gonna detect that it's a company-issued device because it's running a company certificate.
Speaker 1:It has a certificate installed on it, and it has an MDM running on it. The MDM is current. It has an EDR running on it. The EDR is current. It's located in this physical geography, so it's in the United States, the United Kingdom.
Speaker 1:It's, you know, it's not in a location that we wouldn't expect. Right. We don't have people in Nairobi. We don't have infrastructure in Turkey. Right.
Speaker 1:They can't authenticate. Nope. The CFO is on vacation and they went to, you know, Romania; that device can't connect even if everything else is provided. So you can create these, you know, time of day, you know, resources, what's available, patch levels, all these different things. I mean, you have just a wealth of policy decisions that you can create, that you build out a policy with, and then you can provide an entitlement.
Speaker 1:And so that policy has to be matched for the entitlement to actually work, and then all of a sudden you get access, you know, to whatever that resource is. Is that resource your ERP, is that resource your internal applications, your chat applications, is it a SaaS application, you know, whatever it is. Other things you get out of these really, you know, really good, you know, next-generation cloud environments. You know, when we look at CASB, you know, what is CASB? You know, at a base level, it could be things as simplistic as, hey, you know, hey.
Speaker 1:Look. It turns out we have really critical data in Salesforce. Right? So you can't connect to Salesforce if you're not authenticated and coming through our infrastructure. Right?
Speaker 1:Well, we don't have offices, so we're not gonna restrict this to, you know, an office IP address. And also, by the way, just a physical location itself is not strong authentication. Right? Because if somebody's at the office plugged into your guest network, now they have access to your Salesforce. Probably not what you want.
Speaker 1:Right? But how do you deal with this with your remote users? Well, your remote users still need to have this thing that can connect and aggregate traffic and say, okay. Salesforce, you can allow traffic from these locations. Right?
Speaker 1:So really really kinda core base level, like, CASB function. Things that happen that get extended from that point. We talk about, you know, like shadow IT. Like, what applications are you actually running? Do you even know?
Speaker 1:Do you even know? Do you have any idea what applications are running across your user devices? Chances are you probably don't. A lot of organizations give users admin privileges to install software on their devices. I mean, those are really common if you're talking about Mac fleets.
Speaker 1:Right? The employee has admin rights to that Mac and can install it. You know, there's gonna be UEM or MDM running on top of that Mac to push your own corporate applications and provide that update. But, you know, hey. Look.
Speaker 1:They can still install their own stuff. You know, CASB will give you that functionality of being able to say, these are the applications that are running on these devices. You could also you know, there's scenarios where you could use it to restrict applications. Hey. I don't want this running on my network.
Speaker 1:Block it. I mean, I'm having flashbacks to trying to block Yahoo and some messenger, you know, host so long ago. The application was unbelievably insidious. DLP is an interesting conversation to get into. And there's lots of different things that DLP does.
Speaker 1:Right? You know, DLP could be, you know, hey, look for Social Security numbers and data that's being downloaded from our servers. Right? Don't let that be downloaded.
Speaker 1:You know, DLP could be don't allow data to be downloaded. Like, you can't download more docs from these things if you don't meet these scenarios. Anyways, all those examples I just gave, your firewall, if you buy a firewall, if you do an on-premise firewall, can't provide those things for you. You know? So, you know, if you're thinking about buying a physical firewall, the sooner you get out of this mindset, the better.
Speaker 1:I mean, I just started my career supporting on-premise firewalls. I'm telling you. Like, I would never physically own. I would never personally, or any company that I'm in any sort of controlling, like, mechanism for, ever, ever, ever buy one of these things ever again. It is worth paying the money, and in some cases, very low comparison money, you know, to get into something that's modern.
Speaker 1:So if you're contemplating this at all, I'd love to talk to you and help you down this journey. But I will tell you, you know, if you've got somebody that's trying to shove, you know, a really expensive firewall purchase, plus support, plus their configuration time, plus all these different things on top of it, take a step back and really think about what you're looking for in this firewall and what you think you're gonna get out of it. And if you're an, you know, IT admin, and you think this firewall is gonna be great for you because it involves UTM and DPI, you're probably not getting what you think you're getting. And there's something else out there in the market that's gonna actually give you something that's a lot better. I'm Max Clark, and that was 20 minutes max.
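As an added illustration of the policy-and-entitlement model the talk describes (identity provider status, company certificate, MDM and EDR currency, expected geography, and the "CFO on vacation in Romania" case), here is a small ZTNA-style policy evaluator. This is example code written for this transcript, not code from Max Clark or from any vendor product; the resource names, group names, country codes, posture fields and the SAMPLE_TIME constant are all constructed for the illustration.

```python
"""Toy ZTNA policy engine: a session gets an entitlement only when every
condition of the resource's policy matches. Constructed example; no real
vendor API is used."""
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import List, Optional, Set, Tuple


@dataclass
class DevicePosture:
    """What the endpoint client reports about the device (constructed fields)."""
    has_company_cert: bool   # device certificate issued by our internal CA
    mdm_current: bool        # MDM enrolled and checked in recently
    edr_current: bool        # EDR agent running with current signatures
    country: str             # ISO 3166-1 alpha-2 from the connector's geo lookup


@dataclass
class Identity:
    """What the identity provider (Azure AD, Okta, ...) says about the user."""
    user: str
    active: bool             # False the moment the IdP deprovisions the account
    groups: Set[str] = field(default_factory=set)


@dataclass
class Policy:
    """Conditions a session must match before the entitlement is granted."""
    allowed_countries: Set[str]
    required_group: Optional[str] = None
    require_company_device: bool = True
    window: Tuple[time, time] = (time(0, 0), time(23, 59, 59))  # time-of-day rule


# Constructed entitlement table: resource name -> policy that must match.
# "erp" demands a fully managed device and finance-group membership;
# "chat" tolerates an unmanaged device but still checks location and IdP status.
ENTITLEMENTS = {
    "erp": Policy({"US", "GB"}, required_group="finance"),
    "chat": Policy({"US", "GB"}, require_company_device=False),
}

# Constructed evaluation time (May 1, 2023, 10:00) so the examples are repeatable.
SAMPLE_TIME = datetime(2023, 5, 1, 10, 0)


def evaluate(policy: Policy, identity: Identity,
             posture: DevicePosture, now: datetime) -> List[str]:
    """Return every policy condition that failed; an empty list means the policy matched."""
    failures: List[str] = []
    if not identity.active:
        failures.append("account deprovisioned at IdP")
    if policy.required_group and policy.required_group not in identity.groups:
        failures.append(f"user not in group {policy.required_group}")
    if policy.require_company_device:
        if not posture.has_company_cert:
            failures.append("no company certificate")
        if not posture.mdm_current:
            failures.append("MDM missing or stale")
        if not posture.edr_current:
            failures.append("EDR missing or stale")
    if posture.country not in policy.allowed_countries:
        failures.append(f"unexpected location {posture.country}")
    start, end = policy.window
    if not (start <= now.time() <= end):
        failures.append("outside permitted hours")
    return failures


def decide(resource: str, identity: Identity, posture: DevicePosture,
           now: datetime = SAMPLE_TIME) -> Tuple[bool, List[str]]:
    """Default deny: an unknown resource or any failed condition means no access."""
    policy = ENTITLEMENTS.get(resource)
    if policy is None:
        return False, [f"no entitlement defined for {resource}"]
    failures = evaluate(policy, identity, posture, now)
    return (not failures), failures


if __name__ == "__main__":
    # The talk's scenario: the CFO's laptop is fully compliant, but the session
    # originates from Romania, so the location condition alone blocks the ERP.
    cfo = Identity("cfo", active=True, groups={"finance"})
    laptop_in_romania = DevicePosture(True, True, True, country="RO")
    print(decide("erp", cfo, laptop_in_romania))
```

The engine returns every failed condition rather than stopping at the first, which is what you want in the audit trail: an operator can see that the Romania session failed only on geography, while a deprovisioned ex-employee fails on identity no matter how healthy the device is.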