Tuesday, December 27, 2011

How many firewalls are enough?

Pretty much every company in the world places at least one firewall at the edge of its network to protect its internal resources. There were dark times when a simple router was all we had, and we exposed all of our computers to the internet without any protection, but now that the hardware and software have come down in price, a new discussion comes to the table: how many firewalls are enough?

On one hand, you can take some old computer that is too slow for modern desktop operating systems, put a Linux-based firewall on it, and you have yourself a firewall at a cost that is close to zero. Many people think that thicker armor stops more missiles, and would take advantage of the cheap options to build a network with multiple layers of firewalls. Is more really better? Not always!

The thing about quantity is that it rarely trumps quality. Even in the simple example of a tank with multiple layers of armor, this is not the case. Sure, a tank with 15 layers of steel would be harder to penetrate than one with 14 layers, but the extra layers also make the tank heavy. The added weight makes the tank slower to move and maneuver, and limits the distance it can travel and the terrain it can drive on.

In the case of network security, adding more layers can make it harder for an attacker to break through, but the more complex configuration makes it more likely that something gets overlooked or misconfigured. For example, if you put 6 different firewalls in the mix, you are probably not an expert on each and every one of them. Perhaps one of them has a built-in remote-access option that you forgot to protect or disable? Perhaps one has a lesser-known vulnerability that you were not aware of and forgot to patch? Perhaps keeping the various firewalls updated will be hard because of the limitations they place on internet connections?

A common term in my world is "security by obscurity", which refers to using technology to mask some component in the hope that if it is hidden well enough, it is less likely to be attacked. The same concept applies, however, to bugs and issues: the more complicated the environment, the harder it is for us to see any problems it may be harboring.

Unfortunately, there is no simple answer to the age-old question of how much is enough and how much is too much. The answer depends on your own exposure, which includes the profile of the data you need to have coming in and going out, and the public profile that makes your organization a prime target or a lesser one. If you are a small company that just publishes a simple website, it is very likely that a single firewall is all you need. If you are a multimillion-dollar corporation with tons of public services, then it is probably a good idea to have more.

If you were expecting a simple numerical answer, then I am afraid I am going to disappoint you. I am here to remind you of the pros and cons of each option. Your own mileage may vary, but one thing is simple to note: if your configuration is so complicated that even you cannot easily explain where a packet is going and where it was lost, then it is probably too complicated to be reliable.
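The two concerns raised above, a built-in management interface that nobody remembered to lock down and a chain of firewalls so deep that nobody can say where a packet was dropped, are both things you can check mechanically once the rule sets are written down. The following is an added example, not code from the original post: a tiny model of firewalls in series with first-match rules and a deny-by-default policy (both assumptions), a tracer that reports which layer dropped a packet, and a check that flags admin ports on internal hosts that the whole chain lets through from outside. All addresses, rules and the 8443 management port are constructed for the demonstration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # CIDR the packet must come from
    dst: str               # CIDR the packet must go to
    port: Optional[int]    # destination port, None matches any port

@dataclass(frozen=True)
class Firewall:
    name: str
    rules: Tuple[Rule, ...]
    default: str = "deny"  # assumption: implicit deny when nothing matches

    def decide(self, src: str, dst: str, port: int) -> str:
        """First matching rule wins, like most real firewalls."""
        for r in self.rules:
            if (ip_address(src) in ip_network(r.src)
                    and ip_address(dst) in ip_network(r.dst)
                    and (r.port is None or r.port == port)):
                return r.action
        return self.default

def trace(layers, src, dst, port):
    """Walk a packet through the firewalls in order.
    Returns ("dropped" | "delivered", [(firewall, verdict), ...]) so you
    can always say which layer lost the packet."""
    path = []
    for fw in layers:
        verdict = fw.decide(src, dst, port)
        path.append((fw.name, verdict))
        if verdict == "deny":
            return "dropped", path
    return "delivered", path

def exposed_admin_ports(layers, outside, hosts, admin_ports):
    """List (host, port, layers traversed) for admin ports reachable from outside."""
    return [(h, p, [n for n, _ in trace(layers, outside, h, p)[1]])
            for h in hosts for p in admin_ports
            if trace(layers, outside, h, p)[0] == "delivered"]

# Constructed two-layer setup. The edge rule for 8443 was written for the whole
# subnet, and the inner appliance at .20 serves its own web console on 8443,
# so the combination silently exposes a management interface.
EDGE = Firewall("edge", (Rule("allow", "0.0.0.0/0", "203.0.113.10/32", 443),
                         Rule("allow", "0.0.0.0/0", "203.0.113.0/24", 8443)))
INNER = Firewall("inner", (Rule("allow", "0.0.0.0/0", "203.0.113.10/32", 443),
                           Rule("allow", "0.0.0.0/0", "203.0.113.20/32", 8443)))
LAYERS = (EDGE, INNER)
```

Running `exposed_admin_ports(LAYERS, "198.51.100.7", ["203.0.113.10", "203.0.113.20"], [22, 8443])` reports the console on 203.0.113.20:8443 as reachable through both layers, while `trace` shows that SSH to either host is stopped at the edge.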