Practical UNIX & Internet Security

Practical UNIX & Internet SecuritySearch this book
Previous: 21.5 Special ConsiderationsChapter 21
Next: 22. Wrappers and Proxies

21.6 Final Comments

We feel ambivalent about firewalls. While they are an interesting technology, they are not a cure-all for network security problems. They also are being used to connect many networks to the Internet that should not necessarily be connected. So before you run out and invest your time and money in a firewall solution, consider these points:

21.6.1 Firewalls Can Be Dangerous

We started the chapter by pointing out that a firewall is not a panacea. We will conclude the chapter by making the point again: firewalls can be a big help in ensuring the security of your network; however, a misconfigured firewall, or a firewall with poor per-host controls, may actually be worse than no firewall at all. With no firewall in place, you will at least be more concerned about host security and monitoring. Unfortunately, at many sites, management may be lulled into believing that their systems are secure after they have paid for the installation of a significant firewall - especially if they are only exposed to the advertising hype of the vendor and consultants.

21.6.2 Firewalls Sometimes Fail

The truth of the matter is that a firewall is only one component of good security. And it is a component that is only effective against external threats. Insider attacks are seldom affected in any way by a firewall. Collusion of an insider and an outsider can circumvent a firewall in short order. And bugs, misconfiguration problems, or equipment failure may all result in a temporary failure of the firewall you have in place. One single user, anywhere "inside" your network, can also unwittingly compromise the entire firewall scheme by connecting a modem to a desktop workstation ... and you will not likely know about the compromise until you are required to clean up the resulting break in.

Does this case sound unlikely? It isn't. Richard Power of the Computer Security Institute (CSI) surveyed more than 320 Fortune 500 computer sites about their experiences with firewalls. His survey results were released in September of 1995 and revealed that 20% of all sites had experienced a computer security incident. Interestingly, 30% of the Internet security incidents reported by respondents occurred after the installation of a firewall. This incident rate is probably a combined result of misconfiguration, unmonitored back door connections, and other difficulties.

The CSI study raised a number of questions:

The key conclusion to be drawn from all of this information is that one or more network firewalls may help your security, but you should plan the rest of your security so that your systems will still be protected in the event that your firewall fails.

21.6.3 Do You Really Need Your Desktop Machines on the Internet?

Let us conclude by reiterating something we said earlier - if you have no network connection, you don't need an external firewall. The question you really should ask before designing a firewall strategy is: what is to be gained from having the connection to the outside, and who is driving the connection? This question revisits the basic issues of policy and risk assessment discussed in Chapter 2, Policies and Guidelines.

At many locations, users are clamoring for Internet access because they want access to Usenet news, entertaining mailing lists, personal email, and WWW on their desktop. However, employees often do not want access to these services for purposes that are work related or work enhancing. Indeed, many organizations are now restricting in-house access to those services because employees are wasting too much time on them. Rather than having full network access to your entire corporate network, you might consider using one approach for users who need Internet access, and a different approach for users who simply want Internet access. For example:

Remember that the best firewall is still a large air gap between the network and any of your computers, and that a pair of wire cutters remains the most effective network protection mechanism.[14]

[14] Thanks to Steve Bellovin for this observation.

Previous: 21.5 Special ConsiderationsPractical UNIX & Internet SecurityNext: 22. Wrappers and Proxies
21.5 Special ConsiderationsBook Index22. Wrappers and Proxies