The Recent CyberWeapon Leak is a Reason to Layer Firewalls, Not to Stop Layering
As I discussed in an article in Inc. magazine last month, one of the most dangerous collections of cyberweapons ever to appear online recently surfaced, placing businesses, government agencies, and private citizens of nations around the world at increased risk of cyberattacks. The cache of cyberweapons was allegedly stolen from the US Government’s National Security Agency (the NSA) or some related agency, and is believed to have been used in the past by the US Government to hack into parties on which it wanted to conduct surveillance or to which it wanted to deliver harm.
The entity that posted the material online (whether a group or an individual) used the name "The Shadow Brokers" and claimed to have stolen the material from "The Equation Group" (widely believed to be either part of the NSA or an organization associated with it).
I won’t go into all of the details of the leak – you can read more about it in my relevant Inc. column entitled Hackers May Have Stolen The NSA's Most Powerful, Top-Secret CyberWeapons – but I did want to discuss one of the responses that I have heard more than one technology professional make, and with which I strongly disagree.
Several of the cyberweapons that have surfaced exploited zero-day vulnerabilities in brand-name firewalls that were widely deployed as of just a few years ago, when the cyberweapons are believed to have originally been stolen. The vulnerabilities were severe, and the weapons exploiting them did so in powerful fashion – anyone armed with the tools, for example, might have been able to penetrate networks protected by Cisco PIX and ASA firewalls, and potentially spy on anyone using their VPN capabilities for secure communication with those networks.
Likewise, the cache included cyberweapons that exploit vulnerabilities in Fortinet, Juniper, and other firewalls. Patches for those vulnerabilities appear to have been available for several years, but the weapons likely existed before the patches did – never mind the fact that not all firewalls installed around the world are up to date with patches.
It is common security practice to layer firewalls in order to mitigate vulnerabilities. By layering multiple firewalls from different vendors, organizations hope that if hackers discover a weakness in one firewall, attackers still cannot easily breach the organization because they would have to pierce the other, non-vulnerable security devices. The recent leak, however, showed clearly that layering does not always suffice – The Shadow Brokers had in their possession tools that penetrate multiple firewalls from multiple vendors, and, prior to the availability and application of patches, those tools could have gone right through multiple lines of defense.
I have heard, therefore, multiple pros say that “layering is dead,” or some variant of that quote dismissing the value of the layered approach. Their dismissals are not simply because layering was found to be ineffective, but because they believe that if layering is not effective, the approach’s classic drawbacks likely outweigh its benefits. For those who have never layered: one of the primary drawbacks of layering different technologies is the increased risk of human error or technical issues, as administrators need to implement and manage a more complex, heterogeneous security infrastructure.
Despite the recent breach and layering’s classic drawbacks, I strongly disagree with any assertion that layering is a bad idea. I believe that layering is a good idea – and, to some extent, the recent leak even shows why.
Yes, it is possible that parties that have technology to penetrate one layer have the ability to penetrate all layers. But that is likely the exception, and not the rule. While the recent leak of cyberweapons included tools that penetrate multiple firewalls from multiple vendors, a leak of that sort is extremely rare, and few parties likely have the ability to perform R&D with enough resources, and with enough secrecy, to create such cyberweapon caches. More commonly, major vulnerabilities are not discovered and/or disclosed in multiple products at exactly the same time, so, while it is true that some sophisticated party such as the NSA may have secret cyberweapons that can penetrate all of the layers, most, if not all, criminals and hacktivists likely don’t.
Even if you suspect that the NSA or other nation-state agencies can breach your organization, therefore, layering is still a good idea, because you still should not allow criminals and other less sophisticated parties to do so. This is no different than the physical world: you lock your front door even though, in nearly all homes, the lock in use can be picked by a locksmith with ease.
More optimistically, it may be that no vulnerabilities have been discovered by anyone in the technology utilized in at least one of your layers – or that no known exploits exist. Also, if someone discovers a vulnerability in the firewall used at one layer and reports it, any cyberweapons that exploit that vulnerability may become impotent. We even see that now – patches have existed for some of the layers for quite some time; organizations that had deployed those patches prior to the surfacing of the cyberweapons could not have been easily breached by anyone who had the weapons – even if the vulnerable technology was also used at some layer.
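The two arguments above (a criminal with one exploit is stopped by a second vendor's device; a nation-state kit with exploits for every vendor is still stopped once one layer is patched) can be made concrete with a toy model. The following is an added example, not code from the article or from any vendor: it treats a perimeter as an ordered chain of firewall layers, each breachable only if the attacker holds an exploit for that product that the device has not been patched against. Vendor names, product names and exploit names in the sample data are constructed placeholders, not real products or CVEs.

```python
# Added illustration: a toy model of a layered firewall perimeter.
# A layer falls only if the attacker has an exploit for its product
# that the device has not been patched against; the perimeter is
# breached only if every layer in the chain falls.
from dataclasses import dataclass


@dataclass(frozen=True)
class Layer:
    """One firewall in the chain an attacker must traverse in order."""
    vendor: str
    product: str
    patched: frozenset = frozenset()  # exploit names this device is patched against


@dataclass(frozen=True)
class Attacker:
    """An adversary's kit: product -> set of exploit names that work on an unpatched unit."""
    name: str
    kit: dict


def layer_holds(layer: Layer, attacker: Attacker) -> bool:
    """True when the attacker has no unpatched exploit for this layer's product."""
    usable = set(attacker.kit.get(layer.product, ())) - layer.patched
    return not usable


def first_stop(layers, attacker: Attacker):
    """Index of the first layer that stops the attacker, or None if every layer falls."""
    for i, layer in enumerate(layers):
        if layer_holds(layer, attacker):
            return i
    return None


def perimeter_breached(layers, attacker: Attacker) -> bool:
    """True only if the attacker can traverse the whole chain."""
    return first_stop(layers, attacker) is None


def report(layers, attacker: Attacker) -> str:
    """Human-readable summary of where (if anywhere) the attacker was stopped."""
    stop = first_stop(layers, attacker)
    if stop is None:
        return f"{attacker.name}: every layer fell"
    return f"{attacker.name}: stopped at layer {stop} ({layers[stop].product})"


# Constructed sample data (placeholders, not real vendors, products or exploits).
HOMOGENEOUS = (Layer("VendorA", "A-FW"), Layer("VendorA", "A-FW"))
HETEROGENEOUS = (Layer("VendorA", "A-FW"), Layer("VendorB", "B-FW"))
HETEROGENEOUS_PATCHED = (
    Layer("VendorA", "A-FW"),
    Layer("VendorB", "B-FW", patched=frozenset({"b-exploit-1"})),
)

# A criminal holding one public exploit versus a well-resourced kit covering both products.
CRIMINAL = Attacker("criminal", {"A-FW": {"a-exploit-1"}})
NATION_STATE = Attacker("nation-state", {"A-FW": {"a-exploit-1"}, "B-FW": {"b-exploit-1"}})


if __name__ == "__main__":
    chains = (
        ("homogeneous (same product twice)", HOMOGENEOUS),
        ("heterogeneous (two vendors)", HETEROGENEOUS),
        ("heterogeneous, second layer patched", HETEROGENEOUS_PATCHED),
    )
    for label, chain in chains:
        print(label)
        for adversary in (CRIMINAL, NATION_STATE):
            print("  ", report(chain, adversary))
```

Running it shows the three cases the text argues: stacking two units of the same product adds nothing against even the one-exploit criminal, a second vendor stops that criminal at the second layer, and the full kit still traverses both vendors until one of them is patched, at which point it too is stopped.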
Furthermore, by deploying multiple offerings you may be better able to leverage other forms of security technology (e.g., looking on DMZ and internal network segments for anomalous traffic, network access control, etc.) than you would if all the layers used the same system.
Of course, “layering,” as it is normally explained, includes not only multiple firewalls but also layering different forms of technology. But, even when it comes just to firewalls, the bottom line is that layering still makes a lot of sense.