Enterprise firewalls are a thing of the past
Do you have an enterprise firewall? Here's a rule set for you to try:
- Source: ANY
- Destination: ANY
- Protocol: ANY
- Action: ALLOW
Yes, I'm asking you to allow everything across the firewall. Horrors!
But wait a minute. Most modern networks, large or small, do not use public IP address space, so John Citizen cannot connect directly to the systems on the network at will. Outbound connections a significant threat? I don't think so. There are so many ways for users (and malware) to send information out using already available connectivity devices and infrastructure - trying to keep it under tight control will cost a lot and won't stop a determined malicious insider (or a clever trojan).
If there is any tangible risk resulting from applying the above-mentioned firewall rule set, then you have a big problem - insecure infrastructure. And you don't solve it with a device that may be located on another continent.
So it's time to stop paying for those stateful inspection appliances, as well as their support and maintenance. Time to openly oppose best practices and regulatory compliance requirements that often make organisations use multiple layers of enterprise firewalls. Get back to basics: secure your applications.
I was looking for the old thread on the Death of DMZ - found it on Susan Bradley's blog (where else?). Time to bring it up again. And to acknowledge the reality - it's not just DMZ that belongs to the past; it's the brandmauer.