Do you mean the position that we need firewalls?
Yes, was curious to understand reasoning behind position.
I would have thought that that the need for firewalls was self evident.
The industry is full of bad ultimately harmful ideas which see widespread adoption for locally optimal reasons. It is far from self-evident to me firewalls do not fall squarely into this category.
You are stating that firewalls are harmful. What back this statement up?
The smart devices we use today all tend to have a variation on mainstream OS's. All of which come with some form of host based firewall. Thus the management of these devices from a firewall perspective is even easier. So much so that it is now possible for most marginally technical people to ensure they are properly configured at least at the time of device activation / installation.
I think today anything claiming to be a "smart device" needs no firewall because it accepts no incoming connections. It operates by calling home to the vendor. If you want to access your "smart device" you connect to the vendors server and ask nicely to please access your own gear. A mega ultra cloud firewall...!!1!!!!1!
More generally would be interested in understanding why a device with a specific purpose is more secure when it listens for commands through an internal firewall vs the same listener without? Is a bluetooth headset more secure behind a Bluetooth firewall? Perhaps a concrete example...
Smart device do not only initiate connections. If you use a stock OS as a base for you smart device you are also accepting the fact that these devices will also implement service listeners. You may have a crack team of coders that does a very good job of inspecting each service and only allowing the bare minimum and none that have rogue listeners. But your developers are not always able to review each line of code that is used in patches moving forward. Things change. And they should change. As things improve a good vendor will patch these devices. So Where am I going to invest my effort. I'm going to invest effort into making sure my product works perfectly. If I spend a tiny amount of time ensuring that things are blocked with a firewall I don't have to worry if some changes in apps and services that I'm not in total control of all of a sudden have listeners. I could care less if the firewall is blocking them. This means I'm investing far less effort into on going maintenance and getting the same secure result. Easy win for me.
The interesting thing is you do have a firewall on bluetooth. You do if you use bluetooth to carry IP traffic. This is of course if you use a firewall. So yah you are more secure from bad blue tooth devices if you have a firewall.
Why do you feel firewalls are effective? There seems to be an implicit assumption that firewalls are effective... what makes that true?
What if all the worlds firewalls were thrown in the trash heap and in their place systems were configured to accept only Authenticated, Authorized, Integrity protected, Encrypted inquiries from acceptable locations?
Would that world have better or worse security outcomes than todays world? I think no question it would be better.
No more making security decisions by ports and trivially spoofed address headers or checking worthless boxes on a compliance chart only to have the whole house of cards collapse when Debbie in accounting clicks on the wrong untrusted email message with spoofed from header.
Instead of administrators configuring ports and addresses in firewalls what if they instead spent that same time managing the only thing that means squat in a secure system ... TRUST
It is not like the technology does not exist. People ignore it because it is easier to hide behind their precious firewalls. So they allow it and by extension allow their suppliers to continue to supply them with crap.
So how do you think acceptable locations are defined in this age? It's usually the firewall. It's almost always the firewall. Authetication and authorization are a different part of the comms stack.
Firewalls are not the end all and be all of protection. They are a part of the protections you should have in place. No one should ever feel completely safe with only a firewall. But you can feel safer with one. So Debbie does down load a bad file. And the file goes nuts. One of the common things these trogans do is they start to test other devices on the local network looking for more holes. Well if you do have firewalls in place this attack vector is stopped. Debbies machine is still probably cooked. You file shares are probably toast. But direct access to local machines is protected. Again this is only part of the solution. Corp AV software should also be present on all nodes. Intercepting viruses when they do start to infect things. And so on.
All of my builds have firewalls. It really is a no brainer. It costs me nothing in cash, time, or effort. I'm also religious about ssl which is far harder to enforce. I also enforce design patterns that use API's rather than RPC metaphors. All payloads that exit my applications are scanned for virus's. aka something that hits disk. In addition to all this I try to use NoSQL over SQL stores. Which mitigates most of the SQL injection issues.
There are a lot of bad trends in tech. Being security conscience is not one of them. Use the tools that are given you to secure a system. Simply because the people you hire are never going to be as smart of a globe full of resources that may want to harm you. Why not draw from this same pool of people to help secure your systems. Use firewalls. Use AV. Use IDS if you can.
Note: IDS is now starting to become mainstream. Thank goodness. With out it our home networks would be over run in ms.