I think these articles are mainly read by a mostly technically educated audience. The impact is, therefore, limited, IMO.
The first article was almost a slap in the face of reason, kind of like a blatant attempt to shock.
Fortunately for most users, the days of really having to concern yourself with a firewall of any kind are fast coming to an end.
With Microsoft providing decent entry level firewalling built into their latest operating systems, few will need to toil with configuring a firewall.
Even Windows XP's firewall is better than nothing.
So in one sense firewalls are becoming irrelevant; because we already have a decent one built in, not to mention the router you bought.
Firewalls imo became a secondary, even a distant tertiary concern with the advent of Windows 7. You just don't have to worry much about them anymore.
Yes Clint, I agree with what you say.
I always used ZA until it became bloated with useless stuff.
Windows firewall has matured and now I use it exclusively.
Most people falsely believe that with a firewall and virus program they are bullet proof and can do or open anything they like because they are 'protected'.
That's where the trouble starts.
“Today you are You, that is truer than true. There is no one alive who is Youer than You.” – Dr. Seuss
This guy is irresponsible to say the least. A firewall is ESSENTIAL as part of a layered approach to security.
Each layer is not going to be perfect, as he does point out, but collectively all the layers will do their job and keep the vast majority, if not all, attacks out.
It's smart a***s and self-publicists like this that create too many problems for others in sharing their dumb opinions. He's no security advisor.
Let's find out where he lives and beat him up!
“Today you are You, that is truer than true. There is no one alive who is Youer than You.” – Dr. Seuss
I actually took the time to READ the follow up article by RG.
What bugs me are among others a few things:
- No distinction between what a firewall has to do and (for example) buffer overflow exploits that happen AFTER the firewall has been breached.
- General statements (like "No need for firewalls any more") derived from data that seem to cover mostly corporate networks.
- His argumentation "I see your point BUT I am right anyway...".
The man has no clue what goes on in average Joe and Jane's home computers.
For average Joe's home computer:
Since XP SP2 (August 2004) there was absolutely no requirement anymore for a 3rd party firewall on a Windows home computer. All of a sudden the Windows firewall just did its job. It is hard to give up attachment to a "toy" one had finally learned to handle; I still sometimes find XP machines that still run ZoneAlarm.
Turning the firewall off on a home computer IMHO is like playing Russian Roulette with a revolver where all six chambers are loaded. Puuuhlease.
Eike,
Sorry, but I didn't write either article; I only posted the links to generate discussion. Seems like I was successful.
I just finished reading the following before this subject.....so who needs firewalls???
anyone with half a brain.
http://www.eweek.com/c/a/Security/Ma...OV05232012STR2
Last edited by Doc Brown; 2012-05-24 at 08:37.
Chuck
Everyone take a deep breath, and put down the pitchforks and torches.
I know that it wasn't clear in the InfoWorld article, but RG was speaking from an enterprise perspective (what he writes about), and when he says "firewall" he means "firewall hardware appliance." If you've never encountered one of those critters, it's a separate box that sits between the ISP and the enterprise LAN to provide single-point firewall services. These were very popular 10-15 years ago when they first came on the scene.
What RG is saying is that, in today's environment, having the sysadmin enter new rules in the firewall appliance (which is done via a command console on a server) in response to a new intrusion threat isn't nearly as easy or effective as simply applying the inevitable software patch that will accompany the announcement of the new vulnerability. That patching, combined with the local firewalls on workstations (which is not what RG was recommending against), practically obviates the need for a firewall appliance today.
See? No controversy (except possibly among enterprise sysadmins and CIOs who have gotten used to the firewall appliances).
Last edited by bethel95; 2012-05-24 at 12:07.
In the interests of forum harmony, I'll bet Eike's RG meant Roger Grimes.
I expect bethel95 is correct. I got the strong impression from the article that it was for an enterprise audience and talking about some old tech. For sure not relevant to today's computing consumer.
Mike,
Thanks! To quote Maxwell Smart... "Missed that one completely!"
Firewalls generally don't need to have rules changed in response to a threat (unless they are poorly configured to begin with).
And that was sort of the author's main point. Far too many are not configured or maintained properly and therefore of little value. I agree with that 100%. You assert that it is a chore to maintain them, and yet we have many security devices and software packages in our environments today that need to be patched and maintained. The key is good IT practice; meaning scheduled patching, documentation, and change control. Yes, it's true, most vulnerabilities have not been exploited via open firewall ports. Why? Because a properly configured firewall actually DOES work. If anyone tells you that the "bad guys" are no longer scanning for open ports, they are delusional. As I said above, the notion that you can get rid of the locks on your front door is both dangerous and false logic.
Chuck
@Retired Geek
I am sorry; I did not mean you, I meant Roger Grimes, the author of the article you had linked to.
Again, my apology; and my congrats that you indeed succeeded in stirring up a conversation.
@All others:
I am sorry guys but are some of us not too lenient? A professional technical author ought to know that he has to express whatever he says PRECISELY!
As a professional author he ought to know that we all interpret what we read, see, hear and experience in the light of our individual experiences and circumstances.
For my part I was NOT aware that he potentially was talking about outdated hardware in corporate environments. So was this badly and eventually hastily thrown together?
Happy Memorial Day to all.
Last edited by eikelein; 2012-05-25 at 15:23. Reason: Added some ranting ;-)