The Myth of Firewalls
What you thought you knew, why it isn’t true . . . and what you can do about it.
Introduction
Myths can be a powerful thing. In fact, myth can be more powerful than truth. I remember this one growing up: “Those who go swimming less than one hour after eating could get cramps and drown.” There I sat, either watching the other kids, or waiting with my friends to get in the pool. When you’re a little kid, one hour to wait before swimming was an intolerable eternity. But waited I did, even when Mom wasn’t there to make sure, though I might have cheated by a few minutes. I even made my own children wait, just as I had. My generation grew up with it and acted as if it were real, as if it were true. It is not. Since learning this, I must admit I feel a little angry, a little duped, and sad that I sat around waiting and watching the clock for that exile to end. Sad that a myth, rather than truth, was somehow so real to me that it actually had control of my actions.

Just for fun, here are a few more myths that you might like to know about. If you are like me, you will find yourself to have been the unwitting victim of some of these as well.
- Dropped food remains germ-free if picked up within five seconds.
- Chewing gum takes seven years to pass through the human digestive system.
- Hair grows back darker or thicker after it has been shaved.
- You reduce IRS audits by not using the preprinted labels supplied with your tax forms.
- We only use ten percent of our brains.
- Federal law allows only the Texas flag to be flown at the same height as the U.S. flag.
For the last few years, I have been on a mission to bring light to a myth that has grown up right under the noses of security professionals who know better, yet are unable to bring truth and understanding to the topic. This lack of clarity is not malicious; rather, I think it comes from relying on technologies we have little understanding of, in terms of how they actually function.
So what is “The Myth of Firewalls”? Simply stated, it is this:
“The major function of a firewall is to keep out the bad guys.”
Hard to fathom, isn’t it? Let me add this disclaimer in the name of being accurate: I am referring to traditional firewalls protecting traditional corporate networks. Yep, this one is false, born out of an evolutionary history that started with trying to deal with the problems of every machine on the LAN (local area network) having its own public IP address so that we could get to the internet. Next came routers and NAT (network address translation), and finally firewalls. For many years now, executives and their IT managers have spec’d, priced, and purchased firewalls with the express intent of protecting their internet-connected networks from hackers. Firewall vendors, only too happy to sell their product, never really confronted the issues that would plague their customers once the firewalls were installed and configured.

Is it a lie? I guess it is, and sadly I used to be one of the biggest liars around. I sold firewalls to prospects by the truckload based on this premise, only later to learn it’s a myth. Looking back, I wonder how I could have been so ignorant on this point. I think it is because I simply “parroted” what others said, without thinking it through on my own. I did this because it sounded correct when they said it and everyone always agreed with me when I said it. A self-reinforcing delusion, I suppose. In fact, this myth is so pervasive that when I state the myth for a group and ask for a show of hands of those who believe it true, the result is always near unanimous in the affirmative. Wow: rooms full of technically competent IT managers, all going about their jobs, acting as though this were true.
How is it that a firewall does NOT protect the network from bad guys? Simple, really: firewalls have no functionality for determining the difference between a good guy and a bad guy. They never did. A firewall is really a router. Its major function is not to keep bad guys out of the network; rather, it is to enforce and control how the network may be accessed, not by whom. Firewalls treat everyone equally. There is no distinction between good and bad users. Firewalls are an important addition to a secure network and offer valuable utility. They are just misunderstood.
Firewalls would be an excellent defense against network intrusions if all the ports were closed. It is unlikely you would be hacked through a closed port of a quality firewall, although not impossible, as most major firewall manufacturers have reported vulnerabilities in their firewall applications. The reality is that traditional corporate networks have open ports. They have no choice in the matter, as this is a requirement of operating their business.
By definition, opening a port on a firewall to anonymous users is the same as “turning off” the firewall on that port. Companies routinely open several ports on their firewalls for a number of reasons. Since intrusions generally occur through the open ports on a firewall, in a sense most companies no longer have a firewall; instead, they have a router. We would not consider letting a passenger onto a commercial flight without a complete inspection, including the contents of their bags. I would suggest that we NOT let a user into our network without such an inspection as well, including the contents (payload) of their packets.
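The point of the three paragraphs above is that a packet filter decides on protocol and destination port alone, so any traffic arriving on an open port is admitted regardless of who sent it or what the payload carries, and only a payload-inspecting layer can tell a benign request from a hostile one on that same port. The following Python is an added illustration written for this page, not EcoNet or Sentinel code: the rule set, the sample packets, the IP addresses (from the documentation ranges) and the single directory-traversal signature are all constructed for the demonstration, and the functions `firewall_decision`, `inspect_payload` and `evaluate` are names chosen here, not a real product's API.

```python
"""Added example: a port-based packet filter beside payload inspection.

Constructed demo code, not EcoNet's or Sentinel's. Rules, packets,
addresses and the signature list are invented for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src_ip: str
    proto: str              # "tcp" or "udp"
    dst_port: int
    payload: bytes = b""


@dataclass
class Rule:
    action: str             # "allow" or "deny"
    proto: str              # "tcp", "udp" or "any"
    dst_port: Optional[int]  # None matches any destination port


# Constructed rule set standing in for a typical corporate policy:
# web and mail are open to the whole internet, everything else is dropped.
RULES: List[Rule] = [
    Rule("allow", "tcp", 80),
    Rule("allow", "tcp", 443),
    Rule("allow", "tcp", 25),
    Rule("deny", "any", None),   # default deny
]


def firewall_decision(pkt: Packet, rules: List[Rule] = RULES) -> str:
    """First-match packet filter.

    Only protocol and destination port are consulted. src_ip and payload
    never influence the result, which is the text's point that a firewall
    enforces *how* the network is reached, not *by whom* or *with what*.
    """
    for rule in rules:
        if rule.proto != "any" and rule.proto != pkt.proto:
            continue
        if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
            continue
        return rule.action
    return "deny"   # implicit default deny when nothing matched


# Constructed signature list. A real IPS carries large signature sets plus
# protocol decoders; one classic directory-traversal pattern suffices here.
SIGNATURES: List[Tuple[str, bytes]] = [
    ("http-directory-traversal", b"../../"),
]


def inspect_payload(pkt: Packet) -> Optional[str]:
    """Return the name of the first matching signature, or None if clean."""
    for name, pattern in SIGNATURES:
        if pattern in pkt.payload:
            return name
    return None


def evaluate(pkt: Packet) -> Tuple[str, str]:
    """Port filter first, then payload inspection on whatever was admitted.

    Returns (verdict, reason) so the caller can see which layer decided.
    """
    if firewall_decision(pkt) == "deny":
        return ("deny", "firewall: port closed")
    hit = inspect_payload(pkt)
    if hit is not None:
        return ("deny", f"ips: {hit}")
    return ("allow", "firewall: port open, payload clean")


if __name__ == "__main__":
    # Constructed sample traffic: two requests on the open web port from the
    # same source, differing only in payload, and one probe of a closed port.
    samples = [
        Packet("203.0.113.7", "tcp", 80, b"GET /index.html HTTP/1.1\r\nHost: www\r\n\r\n"),
        Packet("203.0.113.7", "tcp", 80, b"GET /../../secret HTTP/1.1\r\nHost: www\r\n\r\n"),
        Packet("203.0.113.7", "tcp", 23, b"login"),
    ]
    for p in samples:
        print(f"port {p.dst_port:>3}  {p.payload[:22]!r:28} -> {evaluate(p)}")
```

Running the script shows the two port-80 packets receiving the same `allow` from `firewall_decision`; only `inspect_payload` separates them. Swapping `src_ip` for any other address changes nothing in the filter's verdict, which is the behaviour the text describes.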
As IT professionals, we must “step up” and confront this issue. It is an issue that bothers us in our own quiet moments, but solutions are complex, very expensive, disruptive to network performance, and time consuming in an environment in which we have little enough time as it is. So we tend to ignore it and just hope it will go away, or simply “not bite me”. I call this way of thinking a “Denial of Existence Attack”. We must develop a new mindset, and it requires a fresh approach to problem solving. Currently we are locked into a “game of escalation”. Bad guys do something and good guys develop a countermeasure. Bad guys invent another new scheme, and good guys must react with another countermeasure, and onward it continues. It is a game that the network admin will always lose. The best thing to do when you realize you’re playing such a game is to withdraw. Don’t even enter the game. Avoid the contest, or better yet, change the game to one you can win.
In 2002, EcoNet.com, Inc. set up the Sentinel IPS Development Team with an express mission of “changing the intrusion game”. We started from scratch and looked at Intrusion Prevention in new ways. Since we were not a firewall or router maker we were free from the constraints in our thinking that are imposed by one’s heritage. The team operated independently and had no preconceptions as to where a Sentinel IPS would be located or how it should work. Our main design goals were at the most basic levels:
- It had to be very simple to configure
- It had to be easy to install
- It had to be really easy to manage or, if desired, require no management.
- It had to improve network performance, not hinder it.
- It must have no impact on firewall settings or network configuration.
- It had to be very secure
- Above all, it had to be affordable.
The Sentinel Development Team also came up with a few simple concepts that would have an impact on the ‘Cost of Ownership’, the business model, and methods of distribution. Everything was “up for grabs”.
- Locate the system on the outside of the firewall; not on the firewall, behind it, or on the network. This provides a layer of protection for the firewall application and allows EcoNet to manage the device without accessing the protected network.
- Automate everything; all tuning and remediation; including updates, patches, upgrades etc. This would relieve the network admin from the difficult and time consuming activities related to operating an in-line, active remediation, IPS device.
- Automate reporting and use a format consistent with compliance activities. This allows those charged with compliance responsibilities to use the Sentinel IPS to reduce the workload related to security compliance logging, and reporting.
- Provide the Sentinel IPS device as part of the service. This removes the risk of a bad purchasing decision for the buyer, and allows a manager to implement a dramatic improvement in network security even if the expenditure was not in the budget.
- Eliminate long term commitments that trap clients into unfavorable terms by selling the service on a quarterly basis. This allows a customer to cancel any time they don’t think they are getting the value they deserve.
- Configure every unit for the customer, so it is perfectly tuned to the network on which it resides. The engineers who developed the Sentinel IPS also manage the device in our monitoring center, and the Sentinel user interface is linked directly to the monitoring center through the Sentinel service ticket system.
That’s the kind of thinking that makes Sentinel IPS the best, most affordable IPS anywhere. But we took these ideas one step farther by incorporating them into a new and revolutionary Intrusion Prevention Strategy.
Network Cloaking™
(net´wôrk´ klōk´-ing) n. 1. A combined technology and methodology that prevents network intrusions by making protected networks invisible to malicious external users.
v. 2. The act of utilizing the Sentinel IPS to protect a network.
EcoNet.com, Inc.’s Sentinel IPS™ enables IT departments to solve network vulnerability problems at a much lower cost, and with easier integration, than competing solutions. Sentinel IPS protects against hackers, worms, and other malicious activity through a proprietary EcoNet technology trademarked under the name “Network Cloaking™”, and includes the hardware and related maintenance and upkeep that are typically purchased separately in conventional systems.
Almost every organization using the internet for business has an architectural vulnerability to being compromised by external sources. Organizations remedy these vulnerabilities in a variety of ways, but most effective solutions include a prevention component as well as a detection component. Most existing intrusion prevention systems (IPS) require a high level of support, and their effectiveness frequently varies with the amount of IT staff attention they receive. It takes a considerable amount of training and experience before a technician can be fully proficient in the tuning, administration, and care of a sophisticated intrusion prevention solution. While these solutions may be attractive and feasible for large organizations, smaller firms frequently do not have the IT budget or staff to purchase and administer them.
EcoNet’s “plug and play” proprietary intrusion prevention system, the Sentinel IPS, conceals the network from malicious users while maintaining the utility of the network for other users. EcoNet manages, integrates, adjusts, monitors, designs, builds, and updates the Sentinel IPS units for a low up-front installation cost (currently starting at $599) and a low monthly fee (currently starting at $299 per month). This approach allows IT departments to solve the “unwanted network intrusion” problem cheaply and effectively, with limited involvement from the organization’s IT personnel.
The diagram above shows the typical installation and Sentinel IPS insertion point in the network. Notice it is outside the private network and offers a layer of protection for the firewall as well.
Don’t let myth control your actions when it comes to protecting your network. The truth is that firewalls are not enough. So take action against those who would cause harm to the network and change the game. You can win, and we will show you how.
Let us send you a Sentinel unit for 14 Days - Free.

We will let you evaluate Sentinel free of charge* and without obligation to buy.
It’s like getting a free 14-Day Network Security Assessment.
During the evaluation period the Sentinel will alert you to malicious activity. (It will not drop traffic until you decide to activate the monthly Sentinel Security Service.) You will see what is happening at your network doorstep. Most people are surprised by how often scans and entry attempts occur.
- Requires no firewall modifications
- Requires no network modifications
- Comes pre-configured before installation
- Sets up in minutes, installs in seconds
- Operates in “Pass-Through Mode” (Network Cloaking™ not enabled)
- Administration, alerts, and reporting data are available immediately.
- Full reporting functionality within 24 hours.
Contact us today!
www.networkcloaking.com
EcoNet.Com, Inc.
Frisco Technology Corridor
2611 Internet Blvd. Suite 109
Frisco, Texas 75034 | Phone: 972.991.5005
www.mediarecovery.com
Media Recovery
1111 W. Mockingbird Lane,
Suite 1050
Dallas, TX 75247
Sales Phone: (800) 688-2414
For more information, please call Media Recovery at 1-800-688-2414 today.
