a36b11ea bird

The Firewall Emperor Has No Clothes

Many people buy a network firewall and hoist a mission accomplished flag over security. The magic box prevents the bad of the Internet from infecting the good of the interior. But did you know the firewall itself can be taken over, or other internal resources can be traversed, just by your own browser?

As a user, whatever your browser can get to, JavaScript running in it can get to it. Your firewall allows all outbound. Thus if I can influence you to a site with some bad JavaScript, I can connect to something inside. That might be the administrative interface of your firewall. It could be your payroll system. O firewall where art thou in my time of need?

The solution is Defense in Depth. Stop thinking about security as a perimeter, start thinking about it as user+resource pairs. Look at a Zero Trust Architecture, its simpler than the other micro-segmentation approaches out there.