Why Firewalls Aren't as Essential as They Were 25 Years Ago
Hi. I'm Max Clark. I'm a recovering network engineer, and I've been building networks for more than 25 years. And I would never buy a firewall again. And I would tell you, you probably should never buy a firewall either.
Speaker 1:Okay. It's a controversial statement, but let's get into it. Right? But, Max, I need to spend $80,000 on a pair of fill-in-the-blank really big firewalls from Palo Alto, Cisco, Meraki, Fortinet, SonicWall, whatever. Right?
Speaker 1:No. You don't. First off, again, I've been doing this for a long time.
Speaker 1:25 years ago, we needed a firewall to do 3 things for us. Right? We needed a firewall to do network address translation, to do NAT. By the way, it's not really NAT. It's really PAT.
Speaker 1:But, you know, Google NAT versus PAT. And maybe I'll record another video. But we needed the firewall to do NAT because we had private IP space running inside the office and we had a very small number of public IPs. And you have to translate your private IP space to your public IP space in order to talk to the Internet. Okay, so the firewall does NAT for you.
Speaker 1:That was the first thing. The second thing the firewall did for us: we had services hosted inside our network. Usually we had an Exchange server, we had a Novell GroupWise server, we had Lotus Notes with Domino, we had an FTP site, we had a web server, we had something, you know, we had a remote desktop, you know, virtual desktop, whatever it was, right, an RDP server that was running inside of our network, and that we needed to expose to the Internet. So how do you do that? Same thing in reverse. Right. You create a NAT rule and you translate, you map, you do a static mapping of a public IP address and port combination to an inside resource.
Speaker 1:And the third thing that we used these firewalls for was to create an enforced policy. Right. So if you're running an Exchange internally, right, you were allowing SMTP, port 25, in. If you had FTP, you know, that's port 20, 21. If you're running a web server, that's port 80 and 443. Right? So you would say, allow this traffic from these sources to come into our network. Okay. There's a 4th thing.
Speaker 1:Right? A lot of times you're building a VPN and connecting multiple offices together in some kind of private networking, or remote users. Right? So we had this 4th rule. Right?
Speaker 1:So we had NAT inside-to-outside, NAT outside-to-inside, policy, and VPN. Let's just call that our 1, 2, 3, 4 of what these firewalls do. Now the dirty secret with most of these things is in the inside-to-outside policies. If you were in a regulated industry, maybe you had to be specific about the policy. Maybe you had to be really, really restrictive.
Speaker 1:But the majority of organizations and installations did not do that. When I say the majority, like 99% plus, their rule is allow anything from the inside to go anywhere on the outside. That was your policy. You know? So how sophisticated of a firewall do you have to have to do that?
Speaker 1:I mean, you don't have to have a sophisticated firewall to do that. By the way, I'm gonna go on a tangent here for a second and talk about the craziest things I've seen with firewalls: data centers, data center applications. You were in a data center and then it's, oh, we need to have a firewall to protect our web servers. You know, like maybe in the dark ages, if you're running, like, Microsoft Windows, you needed it, or, you know, NT 4.0, you needed to do it, because, you know, your server selection couldn't deal with it itself. But, you know, if you're running Linux or any of the BSD variants, you know, you have a firewall directly on the box. You can create policy on that server itself, right, like allow port 80 and 443 from the Internet, don't allow anything else to connect to me. And you also, I guarantee, have a router or some sort of layer 3 device. Usually it's a switch with layer 3 functionality on it, or routing functionality on it, and you can create ACLs on that switch. Why? Well, you know, here's the deal. If you've got a moderately sized data center infrastructure that you need to have protected, you're already buying the switch, you know, to connect your servers to it, so it's already there. It costs you $0 to enable ACLs in that switch. If you've got a moderately sized data center and you wanna go out and you wanna buy a big firewall, again from, let's call it the big 3.
Speaker 1:Right? Cisco, Fortinet, or Palo Alto. I did those in alphabetical order, by the way. You know, surprise. You're gonna spend another $100,000, $200,000 plus annualized support in order to get a pair of firewalls. So now you've got these really big, obnoxiously expensive boxes that are doing very basic things for you.
Speaker 1:And by the way, you have to have them in pairs because you need redundancy, and then you have to do session state maintenance, you know, replication between the 2 firewalls, and that creates load on the firewall. And then you need to do, you know, and as your traffic increases, your requirement to have a bigger and bigger firewall increases. You have to spend even more money on the firewall, and then you're gonna get to a point where you can't buy a big enough firewall or it's unfeasible for you to buy the firewall. So then you have to do firewall load balancing. So now you have to put load balancers on the outside of your firewalls, and then load balancer, stack of firewalls, load balancer again, and do session state maintenance and session tracking between your firewalls on your load balancers. That way, you know, each session only flows one way up and down. It's just crazy. You don't need to do it. Anyways, tangent aside. By the way, if you wanna talk about this more, let me know.
Speaker 1:I'm really passionate about this topic, apparently, because I've gone off the rails already. Okay. So now let's talk about your office environment. Right? Okay.
Speaker 1:So, yes, offices still exist. Right? People come into locations and do work. I had a client years ago, VP of IT for a company. He had the most elegant way of saying this.
Speaker 1:His phrasing was, you know, looking at his offices as fancy Starbucks, in the sense that he needed to provide fast and stable network connectivity for his office to connect to the Internet, for people to come into the office and work and be happy at the office. And the observation was really around this place of: nothing was hosted in the office anymore. If you're a relatively modern operation, right, you're 100% SaaS-based for everything. Right? Your productivity suite, you know, 365 or Workspace. Cloud-based file sharing, cloud-based CRM, cloud-based ERP, or GL is cloud-based, HR systems cloud-based. Your applications that you're exposing to, you know, whatever your application you're serving is probably cloud-based or in a data center or in, you know, some sort of IaaS platform. Right? Like, modern enterprises don't run things on-premise for a reason. So now, as soon as you take this on-premise thing away, you've now eliminated, let's go back to our list of 4 things, right, that your firewall is doing for you. You still need the inside-to-outside NAT. You now don't need the outside-to-inside NAT, and your policies change a lot. And also your VPN: do you need to have a VPN connecting your offices if you're not running anything in your office? See how the firewall requirement basically very quickly goes down to inside-to-outside NAT connectivity and then policy for that? And again, most people are running any-any policies for the inside-to-outside NAT.
Speaker 1:So you're down to 1 function out of 4 of why you're running a firewall. You can go to a basic SD-WAN box and get NAT and basic policy enforcement. And it's a lot cheaper than a firewall. And it does other cool things for you, like circuit selection based on, you know, again, specific to the type of SD-WAN that you buy.
Speaker 1:Gartner creates these things, these definitions of SASE and SSE. Okay. What's the A? That's the difference between SASE and SSE. The A in SASE is the access layer, which is your SD-WAN. You probably want to go to SASE versus SSE and figuring out your own SD-WAN on top of it.
Speaker 1:We can debate that for a different video. The point there is, you know, modern times require modern thinking and technique and approach. Just take a step into the future. Right. If your users can be in your office, can be remote, can be in another office, can be in a Starbucks, can be at their house, can be wherever they're going to be, they can be in their car, they can be at the beach, they can be in a hotel, they can be at a Starbucks, right, they can be wherever they're going to be, one of which can be your office, you're gonna want to have the same infrastructure, security controls, policies exist in all the different places. Right? The perimeter isn't centralized. Right? You're not running a castle with a moat with a drawbridge anymore that you can say, okay, you know, everything comes in and out here. Another example that was horrible for firewalls, and really also some service providers do this, and you should ask this question if you're talking to them, because you shouldn't do business with these service providers: old-school telcos will go out and buy these big chassis firewalls and colocate them in their infrastructure in a geographic location, and if you were an LA-based company, they would pin you to a firewall in Los Angeles because that's where you were based.
Speaker 1:But then if you had users in New York, those users in New York have to, like, connect to Los Angeles and then go back to stuff in New York. I mean, that sounds bad. It's even more extreme. Your CFO goes on vacation to, you know, the Greek islands and now is trying to do work, and it's Greece to Los Angeles and back out. Right?
Speaker 1:Like, all true stories. I've seen these things. Firewall manufacturers will give you all sorts of crazy, cockamamie things that you should really care about. Like, you should care about DPI and you should care about UTM. And by the way, if you care about DPI and UTM and you enable them on your firewall, you're going to crush that firewall. The firewall, it's gonna be purring along.
Speaker 1:I'm just running along. Talk, talk, talk, talk, talk, talk, talk. You turn it on and it just dies. Right? And then you find out you have to invest in more and more resources and buy bigger and bigger firewalls.
Speaker 1:And then you just turn it off. Right? Like, every time I've seen somebody enable DPI, I've just seen them turn it off anyways. So we start talking about, like, modern applications and modern infrastructure, modern policy enforcement. So what do you want out of modern infrastructure?
Speaker 1:Well, you know, if you have SaaS applications, you want to protect them. How do you protect them? You want data loss prevention, DLP, and you want CASB. You want to be able to restrict traffic and connectivity to your cloud environment. By the way, DLP and CASB are going to be available to you in any sort of modern SaaS solution.
Speaker 1:Right? Like, okay, so DLP, CASB: you don't get DLP. You don't. No. So you can kind of fake CASB if you've got perimeter-based firewalls, but it's not real CASB. There's no firewall in the market that does DLP for you.
Speaker 1:You're gonna want a secure web gateway. Maybe you're gonna want a secure web gateway with remote browser inspection. Right? So you've got SWG with RBI. Firewalls don't give you this option.
Speaker 1:And why do you wanna run SWG and RBI? Because you wanna protect your users from all the nefarious junk that's on the Internet trying to take advantage and just do bad things to you all the time. Right? And SWG and RBI are ways of just preventing things from happening before you even have to worry about whether or not your EDR catches it or if it can unwind it. Right?
Speaker 1:So SWG and RBI. What else do you want? You wanna move into zero trust. So you want to do ZTNA. Right?
Speaker 1:You wanna move from, like, antiquated VPN that's just complete garbage and doesn't give you any real entitlement and policy, you know, controls, to a real software-defined perimeter or ZTNA solution. And now you want to take all of this infrastructure, right, imagine this, like we're gonna draw, like, a cloud around my head here, you know, actually like this, Madonna. But, you know, you want to have the same structure regardless of where your users are. If you have an office in LA, an office in New York, a little office in London, an office in Johannesburg, you have users on vacation in Tokyo, you want to prevent people from connecting when they're in New Mexico, like, whatever you want to do, you want to be able to create these policies, and you wanna have them unified. You wanna have controls. And by the way, when you go to something modern, again, not a firewall. We haven't even talked about maintenance and updates. Oh, boy.
Speaker 1:Let's talk about that one for a second. Your firewall vendor announces a severe critical exploit. You know? Just do a Google search on this one if you want. I mean, this happens all the time.
Speaker 1:Hopefully, it can be fixed. It can be updated with a firmware update. We've seen some recently where you've got to replace the box. Like, you've got a firewall, you've got to replace it with a new box because it's just not firmware-updatable. Now, what's your change management process? Okay, you've got a firmware update. You have to test the firmware, or wait a certain amount of time before you can apply the firmware just to make sure that the firmware is okay. You have to schedule a maintenance window. Does a maintenance window have to be approved? Can it only happen on the 3rd Tuesday of the month after the full moon? Like, what's your actual criteria for applying the firmware? How long does it take to apply? Who's doing the work? How many firewalls do you have? You have a pair of firewalls. Okay, let's say it takes you an hour each firewall. You've got to have an engineer that's gonna be now in your maintenance window, which is probably after 10 PM, up at night.
Speaker 1:That means they can't work during the day because you're gonna have them working overnight. Right? They're not gonna be functional for you during the day. They have to do an update. Okay.
Speaker 1:It takes a couple hours to do the update. Let's say it goes well. Everything's great. Let's say it doesn't go well. It has to figure out how to get rolled back. Well, now let's say you have remote offices. Let's do a basic one: you've got 2 firewalls per location, you've got 10 locations, you've got 20 firewalls. How long does it take you to roll out 20 firewalls? That's 10 locations with 2 firewalls. Maybe you're in retail. You've got 500 locations with 1 firewall each. How long does that take you to roll out to 1,000 locations? It's not even, like, a linear issue here. This becomes, like, a logarithmic problem. Like, the more that you have... And by the way, you're trying to get this update applied, and meanwhile the exploit's in the wild, which means people are looking for vulnerable firewalls, which means for each day you don't apply this update, you're just being discovered and you're being abused. Versus, you know, a SASE platform, which might be able to apply that update instantaneously for you. We saw this with log4j. You know, the log4j exploit, you know, cloud-based WAFs and SASE infrastructure were able to create rules and mitigate those attacks same day, and the people that were on-prem were waiting, and they were in a lot of pain. Anyways, don't buy hardware firewalls. Invest in modern infrastructure, protect your users, make your life easier, get yourself modern stuff. And by the way, the tooling is way cooler.
Speaker 1:Right? If you're, like, thinking about this from the standpoint of, like, you wanna have a fun toy to play with, like, the tooling for SASE is way cooler, and you can do way more interesting things with it. And you can manage it from anywhere. I mean, like, literally, you could take your laptop, go on vacation on your yacht, and you can manage this infrastructure. And your users will just like you so much better.
Speaker 1:They will like you anyways. I'm Max Clark. That's a little bit of a rant. It kinda went off the rails a few times, but hopefully it makes sense. If you have any questions, comments, concerns, you wanna talk about it, comment below, send me an email, give me a call.
Speaker 1:Happy to discuss this with you at length. But that's why I would never buy a firewall again. Have a great day.