09 Mar 2012

The Meaning of Life Part 1 - The Firewall

[Your Firewall does nothing...yet]

This is the third time I am writing this blog post because I just couldn't seem to get the thought straight and the tone and level right. My first two attempts took a whole bunch of text to say this:

Basically, Firewalls came before NAT. NAT is a magic network concept that creates a kind of one-way mirror: devices on the inside of the firewall can establish a two-way communication session without the other side knowing exactly which device is making the connection, and devices outside the firewall can't establish a connection to devices inside it.

(The above paragraph is not totally correct, but it is correct enough and stops me having to type a whole networking 101 essay, which is beside the point of this post. If you know exactly what NAT is about then smile smugly; if you don't, accept that the above is "correct enough". Either way - read on.)

NAT is so effective that almost half (wild estimate) of hackers' tools, time and thoughts revolve around getting past NAT - the only effective way being to get the inside device to "dial out". (Think of the protection that NAT affords us as a door that opens only from the inside; hackers concentrate on getting someone inside to open it.)

So, while Firewall rules and policies are weird and wonderful little twisty adventures, NAT pretty much makes them redundant.

And Firewall engineers know this (although they may not admit it). So, then, what is the point of this article?

IPv6 is coming and with it the loss of NAT. We won't need it any more. And we won't want it.

This is my opinion, and network security engineers and general network engineers disagree with me. They argue that NAT is so useful that we will have it around for many years even once IPv6 becomes the norm: either we will stick with IPv4 private networks inside and IPv6 networks outside, or we will have IPv6 networks inside that remain private.

I have three arguments against this and time will tell whether I am right or wrong.

1. The number of devices will explode. We are well on the way to this already, but I think it will accelerate. We have the hardware, we have the software; we just need it all to become easy. So, look around you and imagine what would not benefit from being connected (ignoring security for the moment). Your car keys could beep when you SMS them - what a lifesaver. Your desk could sense when you are behind it. Your chair could auto-adjust depending on who was sitting on it. Your desk calendar could be digital. The lighting above you could notify you when the light bulbs are due to run out, and could turn on and off depending on whether someone was in the room. Your desk phone would have an IP address and not a telephone number. That is a lot of IP addresses; now multiply it by the number of people in a site, then by the number of sites in the company, etc. It starts to add up to a lot of IPs, especially since companies are already struggling to allocate IP addresses just for the devices we have now. A company with 2000 employees, each with 30 devices needing IP addresses, would be testing the limits of IPv4.

2. "We are an X shop" is a joke. Most companies stick to "we are a Microsoft shop" and so only allow Microsoft products. That is, until the CEO wants an iPad. A month after the iPad was released Gartner did a quick poll, and three quarters of the CEOs asked had company-issued iPads. How did the companies manage to roll out a proper policy in time? How did they do governance? How did iPads become a strategic tool? They didn't. The CEO asked and the CEO got. Then upper management, upper-middle management, etc. All of a sudden the iPad was a business tool. Connected IPv6 devices will be so unbelievably cool in ways we can't even imagine now. They will be the cutting edge and they will make your CEO and all your staff so cool. And because they are connected, they will make them cool to their peers. And the ones that are portable - like the keys you can SMS - will work without a problem at the CEO's home but not on your antiquated IPv4 network. Guess what will happen then.

3. Management of IPs on an IP-by-IP basis will become difficult to impossible. So, where does this leave the network guys? How do you manage 30 devices per person? Should you even? Should these devices talk out of the network? What is allowed on the network? What is not? What should talk to what?

So, what does this mean for the Firewall? Well, I don't know. Already, with NAT, there are Firewalls that have way too many rules. They have rules that are never used, and rules that are too broad for their purpose. There are rules that are just plain dumb, and ones that are highly critical to the business but no one knows how they were made or why, just that closing them would stop the business. What happens when everyone in a company has over 30 personal IP devices: some that are on a public network and some that are not, some that talk out, some that are talked to, some that talk amongst each other, some that dial out, some that are expecting connections from others, some that will be there for safety reasons (think firefighting equipment that checks pressure on a minute-by-minute basis and phones home with the results), some that will be in use by the coolest people in the organisation (the marketing guys with thick black-rimmed glasses), some that will be used by your CEO (and when they stop working, you get notified via the CIO, who is pissed off that his boss is unhappy), and most that have some blatantly stupid vulnerability that script kiddies are constantly polling for? Oh, and lastly, this will all happen on port 80, by the way.

Mr Firewall, it is time for you to step up. IPv6 will set some challenges for you.
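What "stepping up" looks like in practice, as an added example that is not from the original post: an IPv6 ruleset in nftables syntax that gives a directly addressed inside network, with no NAT, the same "door that opens only from the inside" behaviour, while still passing the ICMPv6 that IPv6 cannot live without. The interface names lan0 and wan0 and the prefix 2001:db8:1::/64 are assumptions (2001:db8::/32 is the documentation prefix).

```nftables
# Added example (not the post's own config). Assumptions: inside interface lan0,
# outside interface wan0, inside prefix 2001:db8:1::/64 (documentation prefix).
table inet v6_edge {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Connection tracking is what stands in for NAT's one-way mirror:
        # replies to sessions the inside opened are let back in, nothing else.
        ct state established,related accept
        ct state invalid drop

        # IPv6 relies on these ICMPv6 errors end to end (path MTU discovery
        # needs packet-too-big); filtering them silently breaks connectivity.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept

        # The door opens from the inside only.
        iifname "lan0" oifname "wan0" ip6 saddr 2001:db8:1::/64 ct state new accept

        # Anything that tries to start a session towards the inside is logged
        # and dropped; no port-80 exception, since the devices the post
        # describes will all be listening there.
        iifname "wan0" oifname "lan0" ct state new log prefix "v6-inbound-new: " drop
    }

    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Neighbour discovery and router advertisements are link-local
        # ICMPv6; dropping them breaks IPv6 entirely, so they are allowed
        # even though the policy is deny-by-default.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, nd-router-advert, echo-request } accept
    }
}
```

The same input chain, minus the forwarding part, is the "own little firewall" per device that the PS below speculates about: with no NAT to hide behind, each host has to carry its own deny-by-default policy.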

[PS. While writing this article I was wondering if it would not be a plan to actually scrap internal networks altogether and go for a "GPRS-type" network where everything is all in the open anyhow. How one would protect against vulnerabilities on the devices, I'm not quite sure. Also, you'd need to block your servers off from the open network... or they may be "in the cloud" already. Maybe every one of these devices would need its own little firewall. Discuss.]
