
Firewalls. Because why fight hostile actors when you can just fight your teammates?

Firewalls and the people behind them are actively hostile to the company. They are relics from decades ago, when people could map the entire internet on their devices.

In 2024, this is nothing but a clown circus. They try to reconcile an ever-changing world with a never-changing world. So they make exceptions, thousands of exceptions; everything becomes an exception.

And then they think: hey, we are doing L3/L4, this is the issue! We fail because we are not L7.

And the circus comes around: corporate TLS MITM. Massive project; custom certificates must be deployed on each and every company device. Thus, exceptions, again more exceptions: what about this device? We cannot add our certs here. Exception. Ha, this specific stuff cannot be MITMed (maybe they implemented certificate pinning? good guys). No problem: exceptions!

On top of that, all this cruft is expensive as hell. So we add more exceptions for stuff that is deemed "secure enough": Google Meet / Zoom / whatever. Various object storages (S3 and friends). More exceptions.

In the end, you spent millions and ate thousands of FTEs on the project, to build a massive pile of exceptions (which basically allows everything, indeed).

The worst is this: for every exception, you have someone who wants to work for the company, who is blocked from doing that work, who has to wait, argue and beg to finally be allowed to work for the company.

(source: experience; I'm a network architect and have worked for a couple of multi-billion-dollar companies)



> Firewall ... And then they think: hey, we are doing L3/L4, this is the issue! We fail because we are not L7.

Outside of corporate firewalls, these fractals reappear at the scale of nation-state firewalls.

What do you think of "zero-trust" and "software-defined perimeter" approaches where every network connection is linked to identity and risk assessment?


100%. Firewalls basically do nothing. If you are running vulnerable software, it won't help. If not, it's not helping either. It basically only helps in the rare case that you have spectacularly misconfigured something. On the other hand, if a firewall is blocking automatic software updates, it's actually dramatically lessening security.


> exceptions (which basically allows everything, indeed)

No, that's not right.

You've allowed everything since the beginning. All the exceptions are for honest software; nothing malicious needs them.

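A small added example of the dynamic the first comment (the pile of exceptions for "secure enough" SaaS and object storage) and the last reply (the exceptions are for honest software) both describe. This is illustration code written for this page, not anything a poster in the thread shared: a first-match L3/L4 allowlist with default deny, where each exception is a destination prefix on 443. Every range, rule name and flow below is constructed (RFC 5737 documentation prefixes stand in for a video-conferencing vendor and a shared object-storage range), so treat the numbers as assumptions rather than any real provider's allocation. What it shows is that an exception wide enough for the sanctioned vendor traffic is exactly as wide for anyone else who can get an endpoint inside that provider's prefix, while a destination nobody filed a ticket for (the OS update server) stays blocked.

```python
"""Toy first-match L3/L4 allowlist, illustrating how destination-prefix exceptions behave.

Constructed example: every prefix, port, rule name and flow here is made up
(RFC 5737 documentation ranges), not a real company's or provider's policy.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress


@dataclass(frozen=True)
class Rule:
    name: str                       # label, e.g. the ticket that created the exception
    dst_net: ipaddress.IPv4Network  # destination prefix the rule covers
    dst_port: Optional[int]         # None means "any port"
    action: str                     # "allow" or "deny"


def rule(name: str, cidr: str, port: Optional[int], action: str = "allow") -> Rule:
    return Rule(name, ipaddress.ip_network(cidr), port, action)


# Assumed policy: default deny plus the kind of exceptions the comment describes.
# 198.51.100.0/24 stands in for the video-conferencing vendor; 203.0.113.0/24 for a
# shared object-storage range with many unrelated tenants behind one prefix.
POLICY: List[Rule] = [
    rule("EXC-0001 video-conf", "198.51.100.0/24", 443),
    rule("EXC-0002 object-storage", "203.0.113.0/24", 443),
]


def first_match(rules: List[Rule], dst_ip: str, dst_port: int) -> Optional[Rule]:
    """Classic stateless firewall semantics: first rule whose prefix and port match wins."""
    ip = ipaddress.ip_address(dst_ip)
    for r in rules:
        if ip in r.dst_net and (r.dst_port is None or r.dst_port == dst_port):
            return r
    return None


def evaluate(rules: List[Rule], dst_ip: str, dst_port: int,
             default: str = "deny") -> Tuple[str, str]:
    """Return (action, rule name); traffic matching no rule gets the default action."""
    r = first_match(rules, dst_ip, dst_port)
    return (r.action, r.name) if r else (default, "default")


def allowed_address_count(rules: List[Rule], dst_port: int) -> int:
    """Number of distinct destination addresses the allow rules open on a given port.

    Overlapping prefixes are collapsed so each address counts once. This is the
    figure a policy reviewer should watch grow as exceptions accumulate.
    """
    nets = [r.dst_net for r in rules
            if r.action == "allow" and r.dst_port in (None, dst_port)]
    return sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))


if __name__ == "__main__":
    # Constructed flows, all on 443, so port-level filtering cannot tell them apart.
    flows = {
        "employee joins a video call": ("198.51.100.10", 443),
        "OS auto-update server (no exception filed)": ("192.0.2.5", 443),
        "approved backup to the company bucket": ("203.0.113.20", 443),
        "exfil to an attacker's bucket in the same provider range": ("203.0.113.77", 443),
    }
    for label, (ip, port) in flows.items():
        print(f"{label:60s} -> {evaluate(POLICY, ip, port)}")
    print("destination addresses reachable on 443:", allowed_address_count(POLICY, 443))
```

Run as a script, the sanctioned backup and the exfil flow land on the same rule (EXC-0002), the update server is denied by default, and the two exceptions together open 512 destinations on 443 without the policy ever having said anything about which tenant, process or user is on either end. The `allowed_address_count` helper is the cheap sanity check to keep in a review pipeline: if that number keeps climbing with each ticket, the allowlist has stopped being one.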


