Everybody knows they need a firewall. When we review the audit requirements for businesses, there is guaranteed to be a box to check for “installed firewall”. It is easy to understand: it blocks traffic using a set of rules written by someone who knows what traffic to keep out of your network. Straightforward, right? A firewall is a great door — a gatekeeper against known bad stuff. But what about the rest of the house? And even though the door is locked and you are only letting in what you think is good, what happens when you don’t get it right? Here is how that can happen…

Think of the Three Little Pigs and their desire to keep the big bad wolf out. A strong door on a straw house didn’t work out so well. A strong door on a wood house didn’t fare well either.

As you know, a Firewall is designed to keep bad guys out – a sturdy door, if you will. But Firewalls need to be programmed to know what to look for, so what happens when the wolf arrives dressed in sheep’s clothing?

Three instances of Firewall Protection limitations

1. Rules vs Anomaly detection

Firewalls are programmed to look for and identify what is good or bad in the network traffic passing through them. A firewall needs to know what it’s looking for, hence the wolf in sheep’s clothing problem: a predator hiding in plain sight. The firewall won’t pick up the wolf as an anomaly, because it isn’t programmed to do so.

2. System overload – Firewall fail

Continuing with the wolf analogy: he isn’t trying to blow the house down by himself. He has shown up with his pack, thousands or millions of wolves, and with brute force “they are knocking the house down”. This is a type of Distributed Denial of Service (DDoS). I explain this further here.

3. Firewalls can’t block “crafted packets”

Chief among the many languages spoken between clients and servers is the standard TCP connection establishment, known as the three-way handshake.

Client: Syn

Server: Syn-Ack

Client: ….. < cyber silence >

Server: ….. < waiting > < waiting > < waiting >

The Client is supposed to send back a final “Ack”, completing the handshake and allowing the normal transactions to take place. By never lobbing back that final part of the handshake, the client ties up the server, basically using up its resources.

Essentially, the initiator, i.e. the bad guy, just leaves the server hanging. Waiting and waiting for the return fist bump, but nothing. Since just one computer can initiate 65,000 of these interactions at a time, you don’t need a giant botnet army to cause a major issue.

A firewall isn’t designed to stop this type of interruption. It doesn’t display any of the usual indicators of compromise that a firewall would flag. It isn’t coming in too fast, it uses a proper IP address and it looks normal, except that it never finishes the three-way handshake. This type of attack could be crafted to interrupt any internet service. It is an advanced form of DDoS attack.
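What a rule-based firewall misses here is the missing third step, so detection has to track handshake state rather than packet rate. The following is an added example, not code from the original post: it walks a constructed packet-summary log (timestamp, source, destination, TCP flags), tracks each connection through SYN, SYN-ACK and final ACK, and reports sources that leave many connections half-open. The log format, addresses and the threshold of 3 are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample log: "<ts> <src>:<port> > <dst>:<port> <flags>".
# 203.0.113.7 completes its handshake; 192.0.2.9 never sends the final ACK.
SAMPLE_LOG = """\
0.001 203.0.113.7:40001 > 198.51.100.10:443 S
0.002 198.51.100.10:443 > 203.0.113.7:40001 SA
0.003 203.0.113.7:40001 > 198.51.100.10:443 A
0.010 192.0.2.9:51000 > 198.51.100.10:443 S
0.011 198.51.100.10:443 > 192.0.2.9:51000 SA
0.012 192.0.2.9:51001 > 198.51.100.10:443 S
0.013 198.51.100.10:443 > 192.0.2.9:51001 SA
0.014 192.0.2.9:51002 > 198.51.100.10:443 S
0.015 198.51.100.10:443 > 192.0.2.9:51002 SA
"""

def parse_line(line):
    """Split one summary line into (timestamp, src endpoint, dst endpoint, flags)."""
    ts, src, _, dst, flags = line.split()
    return float(ts), src, dst, flags

def track_handshakes(log_text):
    """Return {(client, server): state} with state in syn / synack / established."""
    state = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, src, dst, flags = parse_line(line)
        if flags == "S":                      # client opens: SYN
            state[(src, dst)] = "syn"
        elif flags == "SA":                   # server answers: SYN-ACK
            key = (dst, src)
            if state.get(key) == "syn":
                state[key] = "synack"
        elif flags == "A":                    # client completes: ACK
            key = (src, dst)
            if state.get(key) == "synack":
                state[key] = "established"
    return state

def half_open_by_source(state):
    """Count connections stuck after SYN-ACK, keyed by client IP (port stripped)."""
    counts = defaultdict(int)
    for (client_ep, _server_ep), s in state.items():
        if s == "synack":
            counts[client_ep.rsplit(":", 1)[0]] += 1
    return dict(counts)

def suspicious_sources(log_text, threshold=3):
    """Client IPs holding at least `threshold` half-open connections."""
    counts = half_open_by_source(track_handshakes(log_text))
    return sorted(ip for ip, n in counts.items() if n >= threshold)
```

On a real sensor the same state table would be keyed by time and aged out, so that a completed or reset connection is not counted forever.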

As I mentioned previously, security is an arms race. Those with malicious intent don’t go away when you install a firewall; they keep looking for another way in. We need to move beyond 1990s technology to protect our systems. Perhaps it’s not really the death of the firewall, as we still need that front door to be locked. But we need to lock the windows and install a “camera” so we can see who is trying to get in. We need a system that recognizes the sheep dressed as those damn wolves. This requires a new level of intelligence; pre-set rules are not enough.

As the wolves linger in the wilderness, are you sleeping well at night?