At the Gartner “IT Infrastructure, Operations, and Cloud Strategies” conference here in Las Vegas this week, Chris Wolf from VMWare asked the audience an interesting question in his presentation. Actually, he asked a follow-up that was pretty interesting too.
The main question was:
How many of you have firewall rules that you don’t know what they do?
Per Chris, about 80% of the room raised their hands.
The follow-up, slightly worse, was:
How many of you are afraid to disable those rules because you don’t know what they do?
That got me thinking. In the early 2000’s, while working at General Electric in GE Power, then renamed GE Energy, we had this problem all day long. In fact, there was even a pet name for one of these such devices. They had named a Cisco PIX firewall that was inherited from some business and poorly documented the “PIX of death”.
The problem is that these things were all over the place. I ended up with a project converting an IBM Pheon (it’s a real thing, and it’s the stuff of nightmares) policy into Checkpoint — and that was the same mess. Thousands of poorly documented (poorly, err, usually not at all) rules coming and going with very little rhyme or reason on a network platform that was even less documented. It was a literal nightmare.
So now we have cloud. Things should be better right? We can apply access policy at the virtual server (workload) level, that’s pretty neat. At least one endpoint of the rule is right there so you don’t have to wonder about both ends of the conversation. What’s more interesting is that as we talk Kubernetes containers access policy goes from IP address ( IP <> IP ) to application with some contextual understanding of what’s connecting to what and why. That’s profound.
There are tools being developed today, and some already available, that can ensure that we never get to that place where you look at a firewall rule and wonder why x.x.x.x is allowed to talk to y.y.y.y on udp/7228. At least, that’s the hope.
My point is that we have an opportunity, but we have to choose to take it. You have to choose to take advantage of the security features afforded us in the cloud model, or else we’re going to continue trying to apply outdated security ideals to new technologies… and unfortunately we should all know how that ends.
Oh and before I forget … Chris made a comment that the half-life of a firewall rule is akin to Plutonium. I couldn’t agree more, having lived through that. The thing is, we don’t have the luxury of that kind of mistake.