Because I'm all about the "good enough."

Friday, January 13, 2012

Why we still need firewalls and AV.

It's become trendy to talk about how ineffective some commoditized security products are, classic firewalls and AV being the poster children for this.  One of Josh Corman's favorite points is that "we never retire any security controls."  But as fond as I am of Josh, I think he's wrong in his implication that we should.

Let's take my firewall.  (Please.)  It's still blocking what it's supposed to block; it's just that the ports that I need to leave open (such as 80 and 443) are now carrying all the traffic as a result, and those protocols are being used to tunnel attacks these days.  The firewall is doing its job; it's just that the job is no longer as sufficient as it used to be, back in the '90s. 

In the same vein, we still have umbrellas, even though they're not terribly useful in a hurricane.  Nobody would tell you to throw away your umbrellas because they're "ineffective" -- nobody, that is, except the maker of a Next-Generation Umbrella.  (And while we're on the subject of umbrellas: I really hate it when firewalls are described as stopping "millions of attacks per day."  An umbrella isn't rated by how many raindrops it blocks and how wet you didn't get every day. A probe shouldn't count as an attack; it's just a raindrop to a properly configured firewall.)

Now, it's important for a consumer to understand the limits of the umbrella and not to believe that it will stop someone from getting wet in a hurricane.  It's also important for consumers to know that even if the chance of a hurricane in their area is small, there are still tornados, sideways winds and Advanced Persistent Puddles to contend with, and they should plan accordingly.  They shouldn't pay a whole lot for an umbrella that is not going to protect them in all use cases.  But it's still useful for what it does well.

The functions that classic firewalls perform are so commoditized that they're tucked into just about everything right now; I could wear them as earrings if I felt like it and someone made the right form factor.  In the future, it should be a given, and therefore not worth marketing.  But we will always need that functionality for as long as we have network traffic that doesn't automagically inspect and block itself.

Same thing goes with anti-virus.  It's necessary but not sufficient, and it ought to come in every cereal box, not as a standalone product that will completely solve any given problem.  Classic viruses are still out there, and they still need to be stopped, but advances in anti-malware, anti-phishing and other forms of automated defense still continue to pick up where classic AV leaves off. More sophisticated inspection and detection methods need to be developed, but that's a universal problem in security.

My belief is that users need education, not exhortation to throw out perfectly good controls that just aren't covering as much of the attack space as they used to.  They need to know what each security product will and won't protect, and they need to understand this in a non-technical way, just as people have learned over time that air bags plus seat belts are better than seat belts alone, without needing to know the mechanics of how they work, and without having to do threat modeling when they buy a car.

So if you don't agree with me, and you've really stopped using these products, I'd love to hear about how you're addressing those classic threats, and what controls you replaced them with.  (You don't get any points if the threats don't apply to what you're using; of course your toaster doesn't need AV.  But your smart meter just might.)