Firewalls are holding security back | Altaware, Inc. Cyber Security Blog

All the focus and press on "Next Generation" firewalls is holding back corporate security.

The problem is that many people, management included, equate firewalls with the one and only solution needed for security. All the press, focus and IT spend goes to firewalls, leaving little for anything else. A lot of effort is spent selecting the perceived "best" firewall, less on configuring it, and even less on augmenting it with additional layers and detection solutions.

Firewalls alone are inadequate because:
- They only see traffic that traverses between networks they control
- Most companies have far too little segmentation
- Most companies inadequately secure their VPNs
- Firewalls have limited ability to detect sensitive data going outbound (leakage/theft)
- Firewalls cannot report on or inspect the endpoint processes responsible for network traffic
- DNS sinkhole capability varies by manufacturer, or isn't present or implemented at all
- Firewalls are generally not ideally deployed, or almost always have some policy configuration concerns
- While some firewalls are beginning to address zero-day malware, we still have a long way to go
- Firewalls cannot adequately apply and enforce security policies to cloud resources
- Firewalls cannot adequately deal with BYOD issues
- Firewalls generally do not have the ability to interactively respond to threats and isolate users/devices (orchestration and/or automation)
- While firewalls have some DDoS capability, it's usually not configured, and even if it were, a firewall cannot sustain a heavy DDoS attack because of its placement and limits
- Firewalls have limited WAF (Web Application Firewall) capabilities

Proper security requires a full-circle methodology that includes:
- Defense in depth
- Detection
- Response to threats
- Recovery

While next-generation firewalls are a tremendous leap forward and add a lot of visibility and control compared to previous stateful firewalls, they do not address all, or even close to all, of the security needs of an enterprise.