why I don't run a firewall

rant follows

The other week, I was sitting in a training course with a number of my peers. I mentioned that I don't run a firewall on my computer. Their immediate response was, "Then how do you protect from hackers, viruses, ...?"

I tried to explain (by going on my usual tirade) that a firewall is nothing but a crutch. It's a bandaid put over a non-existent (or unidentified) sore in the hopes of preventing infection.

This is all fine and well, and for the general public tends to do quite a bit of good. The problem is, it does act as a crutch, and for agile or power users, does more harm than good.

As a crutch, the firewall acts to provide a false sense of security. It provides a security perimeter, but this perimeter is only effective while the adversary (or adversarial code) remains outside the perimeter. Because of this fact, firewalls have been drawn closer and closer to the core of the problem (the buggy kernel or application code). While developers eventually address the core problem (these days typically in a very short time), firewall developers and other security "experts" leave behind a trail of broken implementations to "mitigate risk".

One of these broken implementations has been to disable network transport on "uncommonly used" ports. While this approach seems reasonable, it has a particularly crippling effect on Internet development, and with little ultimate benefit for even the general consumer.

Consider, for example, the fascist policy Comcast applies to its customers, that of blocking both incoming and outgoing traffic on port 445. This practice still persists and prevents legitimate use of the Internet. It is a forcibly applied firewall and there is no exemption process.

Practices like these have little benefit for the consumer because although they protect a particular vector of attack, they do not resolve the essential problem, and another vector can exploit the same weakness. And because that channel has been limited for legitimate as well as illegitimate use, the industry will simply create another channel to accommodate the limited functionality. This new channel is often just as weak as the original.

The grand effect of this is a temporary benefit to security but an ultimate degradation in the quality of the network. Instead of using the network in the way it was designed and implementing over-arching security protocols (such as IPSec), developers are utilizing one-time security protocols over web transport (such as Skype does for voice communication).

The biggest cost, however, is that which we can't see. It's the applications that aren't developed because of these limitations and the functionality that doesn't exist because this increased variance in Internet functionality has raised the bar beyond that attainable by many. Additionally, it's increased the amount of effort required for all users to effectively operate in this environment. Time that would otherwise have been spent improving the system or creating new products is instead spent jumping through hoops in the name of security.

I would say that for me, my average productivity in an IT environment has been reduced by about 50%, in both professional and personal areas, as a result of information security practices, and that the advantages of these practices are minimal.

Written on December 30, 2006