Firewalls block unauthorized traffic to vulnerable, exploitable listening services. Today, we don't have that many vulnerable services or truly remote attacks. We do still get vulnerable services, such as the recent OpenSSL Heartbleed vulnerability (CVE-2014-0160), but even most of those attacks would not have been stopped by a firewall.
The web servers using OpenSSL already had the ports they needed open, because TLS on port 443 is how they serve their customers. The vulnerable version of OpenSSL was therefore exposed to any knowledgeable attacker over exactly the traffic the firewall was configured to allow. Today, most attacks (and I mean 99.99 percent) are application-layer attacks that require user involvement to succeed. Once a user is tricked into running something, the malicious program executes in memory on the user's computer, and the firewall can't help. The badness scoots past the firewall on allowed ports and executes on the user's desktop.
Firewalls can help only against attacks aimed at ports they block. But everyone allows ports 80 and 443 into their networks, and those are the two ports that most successful attacks will target. You can't block them because it would bring business to a halt.
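To make the point above concrete, here is an added example (not code from the article) of how a plain port-based packet filter decides: first matching rule wins, and the decision depends only on addresses and ports, never on what rides inside the connection. The policy, the TEST-NET/RFC 1918 addresses and the sample flows are all constructed for illustration.

```python
"""Port-based packet filter: allowed ports carry whatever the attacker sends.

Added example, not from the article. Policy, addresses and flows are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # CIDR the source address must fall in
    dst: str               # CIDR the destination address must fall in
    dport: Optional[int]   # destination port; None means any port


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dport: int
    payload: bytes         # application data; a stateless port filter never reads it


def matches(rule: Rule, flow: Flow) -> bool:
    """A rule matches on source network, destination network and port only."""
    return (
        ipaddress.ip_address(flow.src_ip) in ipaddress.ip_network(rule.src)
        and ipaddress.ip_address(flow.dst_ip) in ipaddress.ip_network(rule.dst)
        and (rule.dport is None or rule.dport == flow.dport)
    )


def decide(rules: List[Rule], flow: Flow, default: str = "deny") -> str:
    """First-match evaluation, the way most packet filters work; default deny."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action
    return default


# Hypothetical perimeter policy (constructed): 10.0.0.0/8 is the user LAN,
# 203.0.113.0/24 is the DMZ holding the public web server.
POLICY = [
    Rule("allow", "10.0.0.0/8", "0.0.0.0/0", 80),        # users browse out on HTTP
    Rule("allow", "10.0.0.0/8", "0.0.0.0/0", 443),       # users browse out on HTTPS
    Rule("allow", "0.0.0.0/0", "203.0.113.0/24", 443),   # Internet reaches the web server
    Rule("deny",  "0.0.0.0/0", "0.0.0.0/0", None),       # everything else dropped
]

# Constructed sample flows. The payloads are illustrative bytes only.
SMB_PROBE = Flow("198.51.100.7", "203.0.113.10", 445, b"\x00\x00\x00\x85\xffSMB")
PHISH_DOWNLOAD = Flow("10.1.2.3", "198.51.100.7", 443,
                      b"GET /invoice.pdf.exe HTTP/1.1\r\nHost: attacker.example\r\n\r\n")
TLS_TO_WEB = Flow("198.51.100.7", "203.0.113.10", 443,
                  b"\x16\x03\x01...")   # a TLS record; contents irrelevant to the filter


def decisions() -> dict:
    """Return the verdict for each sample flow."""
    return {
        "smb_probe_to_dmz": decide(POLICY, SMB_PROBE),        # blocked port: the filter helps
        "user_phish_download": decide(POLICY, PHISH_DOWNLOAD), # allowed port: it does not
        "tls_to_web_server": decide(POLICY, TLS_TO_WEB),       # allowed port: it does not
    }


def payload_is_ignored(flow: Flow) -> bool:
    """Swap the payload for something harmless and show the verdict is unchanged."""
    benign = Flow(flow.src_ip, flow.dst_ip, flow.dport, b"GET / HTTP/1.1\r\n\r\n")
    return decide(POLICY, flow) == decide(POLICY, benign)


if __name__ == "__main__":
    for name, verdict in decisions().items():
        print(f"{name}: {verdict}")
```

The only flow this policy stops is the probe at a port nobody opened. Both the user fetching a disguised executable and the inbound connection to the web server are allowed on the strength of their port numbers alone, which is why a vulnerable service behind an allowed port, or a user tricked into running something, is outside what a port filter can address.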
Don't believe me? When is the last time you thought, "Wow, if I had just had a firewall enabled, I wouldn't have been successfully attacked"? I'll give you full credit if you can even remember the year.
A lot of firewall vendors already know my personal feelings, and they will often tell me that the problem is only with "traditional" firewalls and that their "advanced" firewall solves the problem. Their advanced firewall is always an application proxy or filter that includes an anti-virus scanner or IDS capabilities. See above. If advanced firewalls worked, we'd all be running them, and our hacker problems would be over.
Security snake oil No. 6: Redundancy
The oft-forgotten third word of the information-security acronym CIA is availability (the other two are confidentiality and integrity). As a concept, availability makes for great sales pitches. The reality, however, is that availability is more snake oil than we might like to admit.
Availability and its sibling, redundancy, drive a significant amount of hardware sales. These days, we have redundant power supplies, redundant hard drives, even redundant motherboards and CPUs. Before redundancy became a thing, I never needed the second unit. It's almost as if vendors give us components they know will fail.
I have a computer that's been running on the same hard drive, motherboard, and power supply for more than 20 years. Never had a problem. I don't even clean out all the dust. But I rarely buy a $100K server or appliance with redundant everything that I don't end up having problems with.
My first fully redundant server system ended up being a hard-earned lesson about the promise of redundancy. The system included a secondary clone of everything, with the backup unit ready to pick up where the failed unit quit, without a millisecond of downtime. I convinced my CEO to spend the extra $100K so we would never have an outage again. That promise lasted two days, when we had our first crash with the resplendent redundant system. We experienced unexpected data corruption, and that corruption was dutifully copied between the first server and the backup unit. Admittedly, the failover was flawless, with the corruption cloned impeccably between systems. My upset CEO didn't want to listen to my explanations of server system backups and RAID levels. He just knew I'd wasted his money on false promises.
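The failure in the story above is a general one: synchronous replication (a hot standby, a mirrored RAID set) promises that the copy equals the original, so a corrupt write is replicated as faithfully as a good one. What protects against corruption is a point-in-time copy that can be checked before it is restored. The following added example (not code from the article; the in-memory stores, record format and corrupting write are all constructed) shows a mirrored pair serving the corruption after a flawless failover, and a snapshot backup restoring a clean state at the cost of the writes made after the snapshot.

```python
"""Synchronous mirror versus point-in-time backup under data corruption.

Added example, not from the article. Stores, records and the bad write are constructed.
"""
import copy
import hashlib
from typing import Callable, Dict, List, Optional, Tuple

Data = Dict[str, bytes]


class MirroredPair:
    """Primary plus hot standby: every write is applied to both, so the standby
    is always identical to the primary, corruption included."""

    def __init__(self) -> None:
        self.primary: Data = {}
        self.standby: Data = {}

    def write(self, key: str, value: bytes) -> None:
        self.primary[key] = value
        self.standby[key] = value      # synchronous replication, no validation

    def failover(self) -> Data:
        """The standby takes over; this is what clients will now be served."""
        return dict(self.standby)


class SnapshotBackup:
    """Ordered point-in-time copies, each with a digest so a restore can be
    checked for tampering or bit rot before it is trusted."""

    def __init__(self) -> None:
        self.snapshots: List[Tuple[str, Data]] = []

    @staticmethod
    def digest(data: Data) -> str:
        h = hashlib.sha256()
        for key in sorted(data):
            h.update(key.encode() + b"\0" + data[key] + b"\0")
        return h.hexdigest()

    def take(self, data: Data) -> None:
        snap = copy.deepcopy(data)
        self.snapshots.append((self.digest(snap), snap))

    def restore_last_good(self, is_good: Callable[[Data], bool]) -> Optional[Data]:
        """Newest snapshot that is both intact (digest matches) and passes the
        caller's application-level validity check; None if there is none."""
        for digest, snap in reversed(self.snapshots):
            if self.digest(snap) == digest and is_good(snap):
                return copy.deepcopy(snap)
        return None


def record_ok(value: bytes) -> bool:
    """Constructed record format: 'name=amount' with an integer amount."""
    try:
        name, amount = value.decode("utf-8").split("=")
        int(amount)
        return bool(name)
    except (ValueError, UnicodeDecodeError):
        return False


def all_ok(data: Data) -> bool:
    return all(record_ok(v) for v in data.values())


def run_scenario() -> dict:
    pair = MirroredPair()
    backup = SnapshotBackup()
    pair.write("acct/1", b"alice=100")
    pair.write("acct/2", b"bob=250")
    backup.take(pair.primary)               # nightly backup, taken while data is clean
    pair.write("acct/3", b"carol=75")       # a legitimate write after the backup
    # A buggy application write (constructed) corrupts a record. The mirror
    # copies it faithfully; the failover itself works perfectly.
    pair.write("acct/2", b"\xff\xfe\x00garbage")
    served_after_failover = pair.failover()
    restored = backup.restore_last_good(all_ok)
    return {
        "mirror_identical_to_primary": served_after_failover == pair.primary,
        "mirror_serves_corruption": not all_ok(served_after_failover),
        "restore_is_clean": restored is not None and all_ok(restored),
        "restore_lost_later_write": restored is not None and "acct/3" not in restored,
    }


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(f"{name}: {result}")
```

The mirror delivers exactly what was promised, zero-downtime failover to an identical copy, and that is the problem: identical includes the corruption. The snapshot restores a clean state but loses the write made after it was taken, which is the recovery-point trade-off a redundant system does nothing to remove.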
Security snake oil No. 7: Smartcards
Almost every company I know that doesn't have smartcards wants to have smartcards. Smartcards are two-factor authentication, which, as everyone knows, is better than one-factor authentication. But most companies think that enabling smartcards in their environments will significantly reduce the risk of hacker attacks -- or stop all attacks outright. Or at least that's how it's sold to them.