SAN FRANCISCO — In a world where the perimeters are dissolving, are firewalls becoming obsolete as a mechanism for enforcing network perimeter security?
In their keynote presentation at RSA Conference 2018, “How Do I Get My Company to Ditch the Firewall?,” Akamai Technologies’ CSO, Andy Ellis, and Josh Shaul, vice president of web security, argued that the corporate firewall can no longer be considered the primary means of protecting enterprise resources, and that other approaches to network perimeter security would both be more secure and offer users a better experience.
Ellis told SearchSecurity that firewalls are “not obsolete, in that you’re always going to have some network assets. But, yes, they’re obsolete in the idea of using your firewall as an access-control mechanism instead of using it for access blocking.”
Akamai knows firsthand about the collective misuse of firewalls. “The challenge that we see is that too many companies — and we were one of them, I’m not going to sit here and say Akamai has always been perfect — basically have this network enclave that we call the corporate network and we say, well, anything that’s behind the firewall trusts everything [else] behind the firewall,” Ellis said.
The problem with depending on firewalls to provide network perimeter security is that the increasing use of mobile and BYOD in the enterprise means there are more ways for attackers to infiltrate the network.
“That’s how a lot of breaches happen: Adversaries get in once, get click-to-own malware [and] move laterally inside the enterprise. And it’s all because, fundamentally, we’ve built our whole mental model of security on this sort of physical perimeter notion that says, ‘Once you’re in my building, I trust you,’ rather than having something down at the application layer, where every application verifies the identity of every user trying to connect into it so that it doesn’t trust you just because you happen to share the same physical space with it. That mental model breaks down once people stop sharing the physical space — if it ever actually worked in the first place,” Ellis said.
“It’s simply impossible today to create an internal trusted and safe computing environment. The world has become too complex; it’s too interconnected,” Shaul said during the keynote presentation, which described Akamai’s own shift away from traditional perimeter security.
Ellis said Akamai began pursuing its new approach to network perimeter security after the Operation Aurora attacks in 2009, in which Chinese hackers broke into enterprises by gaining access to networks through firewalls. Ellis said the attack was notable because the adversaries broke in, targeted malware, went after the sys admins, moved laterally and then went after their target: the company’s financial reporting systems.
Targeting the system administrators was the key to the success of the Operation Aurora attacks because so many systems assign trust implicitly to them. By targeting the administrators, attackers can gain wide access to enterprise systems inside the network perimeter.
Ellis explained Akamai’s goal is to remove the firewall as gatekeeper to internal systems and to instead do application-level security for every request, no matter where the request originates. In other words, Akamai embraced the zero-trust model.
“We now are so far along in that journey that for many of our users, most of their interaction with our corporate systems happens over the web. They’re sitting in their home, and while they still have a VPN client, our goal is, within six months, to get rid of that VPN client for most of the users who most of the time they’re just connecting to a public-facing web server, authenticating with a TLS certificate and with two-factor authentication. And then they get access to the content they need,” Ellis said.
“Every app is continuously authenticating every user,” he added. “We’re able to run web application security services because we’ve moved those apps into that common framework. And we’re really getting to a point that the corporate perimeter is going to shrink down, and those firewalls aren’t used to broker access in anymore; it’s more about what access do you let out. We let our apps talk ‘out’ to this infrastructure, rather than letting the users talk back in.”
Akamai’s approach builds on the zero-trust model featured in Google’s BeyondCorp program, which posits that all networks should be treated as untrusted, and access should be granted based on what is known about the user and the device from which requests are being made.
What replaces the firewall for network perimeter security?
Rather than deploying security through firewalls at the network perimeter and assigning trust to anyone who has gotten inside, Ellis suggested the solution is to treat all users, no matter where they are located, as needing to be authenticated for all accesses of network resources or applications.
According to Ellis, all that was necessary to gain access to a corporate application under the old, firewall-based model was to originate access from inside the perimeter, which, in many cases, is accomplished by connecting to it through a VPN. Users inside the firewall got access to the application, while users outside the perimeter could not.
Under the new model, all access to the application is mediated through a cloud proxy configured to authenticate the user, using multifactor authentication tied to the user’s device. Not only does this simplify the process for all users, it also can strengthen security, Ellis said. With all access mediated through the same common layer, Akamai is able to verify legitimate users, but also monitor for adversaries who have compromised legitimate end users to break into the company’s applications. It can also watch “[domain name system] traffic for people who are compromising machines that are trying to connect out to command-and-control systems.”
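The difference between the two access models described above can be shown as two decision functions run over the same requests. This is an added illustration, not Akamai's code; the network range, users, certificate fingerprints and application names are hypothetical values constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample data; every name and value here is hypothetical.
CORP_NET = ipaddress.ip_network("10.0.0.0/8")            # "inside the firewall"
ENROLLED = {"alice": {"fp-alice-laptop"}}                # user -> enrolled client-cert fingerprints
APP_ACL = {"payroll": {"alice"}}                         # app -> users entitled to it

@dataclass(frozen=True)
class Request:
    src_ip: str
    app: str
    user: Optional[str] = None      # identity proven to the proxy, if any
    cert_fp: Optional[str] = None   # fingerprint of the TLS client certificate presented
    mfa_ok: bool = False            # second factor verified for this session

def perimeter_allows(req: Request) -> bool:
    """Old model: originating inside the perimeter is the only test."""
    return ipaddress.ip_address(req.src_ip) in CORP_NET

def proxy_decision(req: Request) -> tuple:
    """Proxy model: every request proves user, device and second factor.
    The source address is never consulted."""
    if req.user is None:
        return (False, "no authenticated user")
    if req.cert_fp not in ENROLLED.get(req.user, set()):
        return (False, "device not enrolled for user")
    if not req.mfa_ok:
        return (False, "second factor missing")
    if req.user not in APP_ACL.get(req.app, set()):
        return (False, "user not entitled to app")
    return (True, "ok")

# Constructed requests covering the cases the article describes.
REMOTE_EMPLOYEE = Request("203.0.113.7", "payroll", "alice", "fp-alice-laptop", True)
INTERNAL_FOOTHOLD = Request("10.1.2.3", "payroll")        # compromised host, no credentials
UNKNOWN_DEVICE = Request("10.1.2.3", "payroll", "alice", "fp-unknown", True)

def compare(req: Request) -> tuple:
    """Return (perimeter verdict, proxy verdict, proxy reason)."""
    allowed, reason = proxy_decision(req)
    return (perimeter_allows(req), allowed, reason)

if __name__ == "__main__":
    for name in ("REMOTE_EMPLOYEE", "INTERNAL_FOOTHOLD", "UNKNOWN_DEVICE"):
        print(name, compare(globals()[name]))
```

The perimeter check rejects the legitimate remote employee and admits both requests from the internal address, while the proxy check reverses all three verdicts and records a denial reason that can feed monitoring.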
Ellis said he believes the new way of granting access and security to corporate environments will take hold with enterprises.
“The whole basic model is to say, wherever your user is, anywhere in the world, your enterprise treats them the same way that your bank treats you. Your bank doesn’t let you inside the firewall to interact with the banking application, and we think that’s the right model for enterprises — that we should treat our employees more like consumers, rather than something inside the firewall.”