Plus, in over 20 years, I've never reviewed a hardware firewall that had up-to-date firmware. They all contained public vulnerabilities that would allow attackers to get in only if they tried. It's ironic. The device that's supposed to protect the castle is a bridge across the moat.
One of the biggest reasons why firewalls don't matter is how every app and service being developed today works over either port 80 or 443, two ports you can't and never could block. The bad guys know this, and many years ago, they coded their hacking tools and malware to work over those same ports. If you find a malicious program that doesn't work over those two ports, I'll show you an old program or one that doesn't survive long in the wild.
The smart hacker money has been sailing through the guaranteed open firewall ports for many years. Today, 99 percent of all successful attacks are client-side attacks, in which the end-user runs something he or she shouldn't -- and in those cases, the firewall doesn't help at all.
But the real test of whether or not firewalls have any value is whether or not PCs with firewalls get hacked less than PCs without firewalls. This used to be true -- but it hasn't been true for a long time.
Still don't believe firewalls are going away? In truth, that process is already happening.
We all know that most future computing devices will not be traditional desktop or laptop computers. Do you think that our pad devices, smartphones, mobile devices, and computer-enabled TVs are going to have firewalls -- or that their users will understand firewalls well enough to configure them, especially when the firewall admin experts of our current networks can't do it? Please! In the future, which is now, firewalls are already dead.
True, in a perfect world, firewalls would have real value. The recent Remote Desktop Protocol exploit is a case in point: Microsoft recommended that affected clients block RDP port 3389 at perimeter firewalls as one of their protective work-arounds. But everyone I know, instead, installed the emergency patch. They didn't reconfigure their firewalls to block port 3389. They did something else. This has been the case for every similar sort of exploit over the last decade.
Heck, even when we block attacks at the firewall, the defense doesn't work. One of the most destructive worms in the past decade was MS-Blaster. Initially, everyone relaxed because the port that MS-Blaster attacked was blocked by nearly every perimeter firewall by default. A day later, every network in existence was infected by MS-Blaster. It turns out that perimeter firewalls have less value when you're riddled with infected mobile devices, VPNs, and other permeable holes laying open the false security that has always been granted by firewalls.
The cost of having a firewall simply outweighs the benefits. Me? I've known for a long time that firewalls were dead. It's just a matter of time until they disappear.
This story, "Why you don't need a firewall," was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes' Security Adviser blog at InfoWorld.com.