We feel ambivalent about firewalls. While they are an interesting technology, they are not a cure-all for network security problems. They also are being used to connect many networks to the Internet that should not necessarily be connected. So before you run out and invest your time and money in a firewall solution, consider these points:
We started the chapter by pointing out that a firewall is not a panacea. We will conclude the chapter by making the point again: firewalls can be a big help in ensuring the security of your network; however, a misconfigured firewall, or a firewall with poor per-host controls, may actually be worse than no firewall at all. With no firewall in place, you will at least be more concerned about host security and monitoring. Unfortunately, at many sites, management may be lulled into believing that their systems are secure after they have paid for the installation of a significant firewall - especially if they are only exposed to the advertising hype of the vendor and consultants.
The truth of the matter is that a firewall is only one component of good security. And it is a component that is only effective against external threats. Insider attacks are seldom affected in any way by a firewall. Collusion of an insider and an outsider can circumvent a firewall in short order. And bugs, misconfiguration problems, or equipment failure may all result in a temporary failure of the firewall you have in place. One single user, anywhere "inside" your network, can also unwittingly compromise the entire firewall scheme by connecting a modem to a desktop workstation ... and you will not likely know about the compromise until you are required to clean up the resulting break in.
Does this case sound unlikely? It isn't. Richard Power of the Computer Security Institute (CSI) surveyed more than 320 Fortune 500 computer sites about their experiences with firewalls. His survey results were released in September of 1995 and revealed that 20% of all sites had experienced a computer security incident. Interestingly, 30% of the Internet security incidents reported by respondents occurred after the installation of a firewall. This incident rate is probably a combined result of misconfiguration, unmonitored back door connections, and other difficulties.
The CSI study raised a number of questions:
Perhaps the firewall installation at some sites was faulty, or too permissive.
Perhaps users internal to the organization found ways to circumvent the firewall by connecting unauthorized modems to the network, thus creating back doors into the network.
Perhaps the use of firewalls resulted in feelings of overconfidence and a resulting relaxation of other, more traditional controls, thus leading to problems.
Perhaps the sites using the firewalls are more attractive targets than sites without firewalls, and thus attract more attacks.
Perhaps, as suggested by many other studies, the majority of incidents continue to be caused by insiders, and these are not stopped by firewalls.
Perhaps the sites didn't really have a firewall. Over 50% of the companies that claimed to have a "firewall" merely had a screening router.
The key conclusion to be drawn from all of this information is that one or more network firewalls may help your security, but you should plan the rest of your security so that your systems will still be protected in the event that your firewall fails.
Let us conclude by reiterating something we said earlier - if you have no network connection, you don't need an external firewall. The question you really should ask before designing a firewall strategy is: what is to be gained from having the connection to the outside, and who is driving the connection? This question revisits the basic issues of policy and risk assessment discussed in Chapter 2, Policies and Guidelines.
At many locations, users are clamoring for Internet access because they want access to Usenet news, entertaining mailing lists, personal email, and WWW on their desktop. However, employees often do not want access to these services for purposes that are work related or work enhancing. Indeed, many organizations are now restricting in-house access to those services because employees are wasting too much time on them. Rather than having full network access to your entire corporate network, you might consider using one approach for users who need Internet access, and a different approach for users who simply want Internet access. For example:
Have a disconnected network of a small number of machines that are connected to the Internet. Users who really need Internet access are given accounts on these machines for as long as they continue to need access. A tape drive or serial-line UUCP connection is made available to transfer files between these machines and the internal network without exposing all the internal nodes to IP-based attacks.
Use a hard-wired UUCP connection to transfer email between your internal network and the Internet. This connection will allow your employees to exchange email with other sites for work-related purposes, but will not expose your network to IP-based attacks.
Provide remaining users with some form of account access through an ISP outside your company. Then, on their own time, your employees can access the Internet (and possibly some other special services). If you negotiate with the ISP for a large block of accounts for your employees, you may be able to get a very good rate. The rate may be so good, in fact, that you may wish to use company funds to subsidize the accounts, and have low-cost personal Internet access (at home) be another benefit for working at your company. This solution is probably cheaper than a firewall, a major break-in, and the time lost to employees surfing the WWW at work.
Remember that the best firewall is still a large air gap between the network and any of your computers, and that a pair of wire cutters remains the most effective network protection mechanism.
 Thanks to Steve Bellovin for this observation.