New Age of Firewalls

As the holiday season comes and goes this year, families will undoubtedly be inundated with new gadgets that hook into the home wifi network. We will marvel at our high technology prowess, and new found abilities and productivity. Yet, this is a cautionary tale, one that examines our path of no return.

Taking a trip down memory lane, when companies and families first started connecting to the Internet, a basic security measure was necessary: the firewall. All of these hard-wired devices sat behind it, with a path outbound, but no reverse path inbound. One of the first hoaxes on the Internet was the e-mail that warned of the “Good Times” virus. After all, how could one get a virus from ASCII text? Ha, ha, we thought. Simplicity of software would not allow such things to happen, rendering this time as the Golden Age of the Internet, yielding peace and harmony. The World Wide Web was born, and short were the days of dial-up services. Broadband became viable at the consumer level with the introduction of cable modems, and shortly thereafter, a protocol called 802.11, wireless ethernet. Pagers were replaced with cell phone technology. Domain names were snatched up, companies built web sites, and the hunger for content grew. And grew. And grew. And then, on January 9th, 2007, Apple announced the iPhone. It was a three way marriage of networking: phone company networks, wifi networks, and the Internet.

All the while, the firewall was deemed to be the most important part of Internet related computer security. After all it has been there protecting you all of this time, right? Wrong. What people forget is that as time passes, software becomes more and more complex, as do the licensing agreements that accompany them. Does anyone, really, read EULAs? No. And yet, it is in these agreements that the details of our very flawed thinking are revealed.

Moving to today’s commercialized world of techno-wizardry, from a computer security perspective, it is safe to say that we have moved from the Golden Age to the Iron Age, where we live an existence of toil and misery. Why? Well, it all comes down to the firewall. Most people have a firewall that protects their “home” network. A “home” network most likely includes personal, medical, and financial information that not only includes documents, but account access. Family photos and videos, music, movies – it’s all in the mix. And, the poor little firewall has to protect it all from our blazing fast upload speeds (or put another way, theft speeds). Not only does the firewall manage wired connections, but wireless ones as well. Smart phones today use “home” wifi to help save on the data plan tied to the phone provider. We all do this, we save money!

It is this one scenario that best describes the inherent weakness of today’s home based computer security. For example, a gift was given that requires an app to be installed on a smart phone. You click through the license agreement and you are off and running. What fun! It’s magic. In reality, because your smart phone is connected to your home wifi, and the app connects back to the manufacturer of the gift, you now have an attack vector right into the heart of your digital life. The unspoken assumption is that people who sell stuff have thought this through. This is not the case. If people who write operating systems for a living have a hard enough time making things attack-free, then what are the chances that a purveyor of anything trying to meet a market deadline will accomplish this? What about these free gaming apps that kids love to play? What about anything that is IoT? What about any piece of software on your computer? Anything you install today will connect back to some mother ship, and when this happens you are vulnerable. Not only from the mother ship itself, but from the software running at home – both sides.

The spirit of the firewall is dead. There is nothing that can be done. If you think otherwise, then you are living a delusional fantasy. Of course, people who sell sophisticated firewalls will tell you otherwise. After all, public companies have to report they are doing their due diligence to protect themselves, right? And how many attacks and public disclosures do we see a year? How much money was spent? To make matters worse, firewalls today also suffer from vulnerabilities. The Iron Age it is, indeed.

Is there anything that can be done? Yes, and it requires time, thought, discipline, and a willingness to accept complexity, all of which are incongruous with the “instant satisfaction” that we are so desirous of today. Here is a basic chart of what a modern home network should look like:

[Figure: Firewall Architecture]

The hardware is a hypervisor, running virtual machines. The firewall itself is now virtual, managing traffic flows from other virtual machines and their respective networks. The firewall VM has a dedicated physical port, as does the hypervisor. In this example, there are three wireless networks, governed by three separate physical wireless ethernet bridges. There are three types of networks: personal, IoT, and anything else. On the personal network, the general assumption is that this is where all important data exist, data one would rather not see out on the Internet. Ideally, devices that do not phone home should exist here. Unfortunately, this precludes products from Apple and Microsoft. The IoT network should include all of the devices that manage household gadgetry – thermostats, sensors, security, etc. For obvious reasons, this network should not be affected by the personal or third network, the “other” network. This last network is where all of the bluray players, televisions, mobile devices, printers, and guest access should reside. While the IoT network phones home, it pales in comparison to the “other” network. This network is the wild west of security, and should not be considered safe.
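The segmentation policy described above, expressed as a zone table that the firewall VM would enforce, is shown below as an added example; it is not code from the original post. The interface names (eth0, br-personal, br-iot, br-other), the subnets, and the exact rule layout are assumptions. Every LAN zone may open connections outbound (phone home), no LAN zone may open connections into another, and the IoT and personal zones are unreachable from the untrusted “other” zone. The same table is rendered as an nftables ruleset so the policy and the configuration cannot drift apart.

```python
"""Zone-to-zone forwarding policy for a segmented home network.

Added example, not from the original post. Interface names, subnets and the
rule layout are assumptions; the policy itself follows the post's three-zone
design (personal, IoT, other) behind a virtual firewall.
"""

# Assumed mapping of the post's zones to firewall-VM interfaces and subnets.
ZONES = {
    "wan":      {"iface": "eth0",        "net": None},           # upstream / Internet
    "personal": {"iface": "br-personal", "net": "10.10.1.0/24"},
    "iot":      {"iface": "br-iot",      "net": "10.10.2.0/24"},
    "other":    {"iface": "br-other",    "net": "10.10.3.0/24"},  # guests, TVs, printers
}

# Source zone -> destination zones it may open *new* connections to.
# Each LAN zone may reach the Internet (phone home); none may reach another
# LAN zone. Nothing unsolicited comes in from the WAN.
POLICY = {
    "wan":      set(),
    "personal": {"wan"},
    "iot":      {"wan"},
    "other":    {"wan"},
}


def allowed(src, dst, established=False):
    """Return True if the firewall VM would forward a packet from zone src to zone dst.

    Replies for a connection that was already accepted are allowed (stateful
    filtering); any new connection must be listed explicitly in POLICY.
    Traffic within one zone stays on that bridge and never reaches the firewall.
    """
    if src not in ZONES or dst not in ZONES:
        raise ValueError(f"unknown zone: {src!r} -> {dst!r}")
    if src == dst or established:
        return True
    return dst in POLICY[src]


def audit(flows):
    """Evaluate constructed (src, dst, established) flows; return list of (flow, verdict)."""
    return [(flow, "accept" if allowed(*flow) else "drop") for flow in flows]


def render_nftables():
    """Render POLICY as an nftables ruleset for the firewall VM (text only, not applied)."""
    lines = [
        "table inet segmented {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        "    ct state invalid drop",
    ]
    for src, dsts in POLICY.items():
        for dst in sorted(dsts):
            lines.append(
                f'    iifname "{ZONES[src]["iface"]}" oifname "{ZONES[dst]["iface"]}" accept'
            )
    lines += [
        "  }",
        "  chain postrouting {",
        "    type nat hook postrouting priority 100; policy accept;",
        f'    oifname "{ZONES["wan"]["iface"]}" masquerade',
        "  }",
        "}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample flows: a phone-home from the IoT zone, a guest device
    # probing the personal zone, and a reply coming back from the Internet.
    sample = [("iot", "wan", False), ("other", "personal", False), ("wan", "iot", True)]
    for flow, verdict in audit(sample):
        print(f"{flow[0]:>8} -> {flow[1]:<8} {'(reply)' if flow[2] else '':7} {verdict}")
    print(render_nftables())
```

With a default-drop forward chain, adding a new device class means adding a zone and a POLICY entry rather than poking holes; anything not listed, including a compromised gift gadget on the “other” bridge trying to reach the personal network, is dropped by construction.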

Plainly, this installation is far from simple. One machine, five operating systems, five IP networks, ten ethernet bridges – eight virtual, three physical. There is no “instant on”. The machine will take minutes to power on, and should be placed on a UPS in case of power failure.

If this seems too technical, it is supposed to be. People make very good salaries supporting such installations. How is a non-technical person supposed to enjoy the merits of such an installation? The sad answer is that they cannot. This is precisely the reason why so many large DDoS attacks can take place using hijacked machines, your hijacked machines.
