British banks are wasting thousands of pounds on firewalls that are not doing their job, according to network security pioneer Nir Zuk.
Zuk, who is widely credited with co-developing the stateful firewall and is chief technology officer of firewall vendor Palo Alto Networks, said in an interview in London last week that banks in the UK and elsewhere use firewalls to protect their networks, but they understand that their network security infrastructure is failing.
"We had a meeting here with the banks and I asked them: why do you have a firewall? What is it doing for you? No-one could come up with a good answer," Zuk told ZDNet UK. "I asked what would happen if you removed it from the network, and they concluded eventually that their security posture wouldn't change even if you took the firewall away."
Banks use the same firewall technologies as other enterprises. Firewall technology has evolved from the simple port filter, which identifies traffic by its port number and either blocks or allows it; the port number indicates, for example, whether traffic is web browsing or email.
Today's technologies include stateful firewalls, which track network connections such as TCP sessions or UDP flows. In other words, a stateful firewall analyses each packet in the context of the connection it belongs to, not in isolation.
Intrusion detection and prevention systems, which inspect each packet for malware, are also used. Proxy servers sit in front of web servers, both reducing their load and acting as filters that block malware attacks.
However, each of these technologies requires a separate box, and each box needs installation, power and management, which increases operational expenditure.
"Firewalls don't do much, because they aren't asked to do much more than manage ports. Over the last seven years, no-one has added anything new, so customers are paying thousands, hundreds of thousands, or even millions [of pounds] for nothing," Zuk said.
Tony Osborn of security vendor Symantec disagreed, saying firewalls still provide a valuable first line of defence against attack. However, the boundary they cover "has been redefined out to the employees and customers of an organisation", he said. As a result, companies need to embed security into the fabric of their organisational policies, he said.
The firewall issue is part of a wider problem, according to Zuk. "The security industry is based on this axiom that security vendors have to solve a very specific problem, and that each specific problem has to be solved by best-of-breed security technology," he said. Instead, said Zuk, enterprises should be looking for more holistic security technology.
Security analyst and researcher Jan Guldentops agreed with Zuk's argument that firewalls do not protect banks adequately, but said better firewall technology could solve the problem.
"He's right and he's not right," Guldentops said. "You can't identify traffic by port any more, so you need application intelligence to look into the connection and see what's happening.
"Then there's the issue of perimeter security. There's no network perimeter any more, and the bad guys aren't outside any more — they're intermingled with the good guys. And so you get data leakage, which consists of traffic that looks legitimate."
Guldentops said the process needed to go a level further. "We started out filtering ports, then came the stateful inspection firewall, then we added intrusion prevention systems, and now we need application intelligence. It's the next level and means you need a more intelligent firewall," he said.