Internet Security Infrastructure: Getting Real About Firewalls - A Small Item In Your Overall Security Plan

Getting Real About Firewalls

Article by Ben Rothke (4,323 pts )
Published on May 6, 2008

There is something about a firewall that makes management feel extremely secure. First off, it is remarkable that those outside of the information security domain know what a firewall is, while having no idea what triple-DES, authentication or certificate authorities are. And it is an almost religious confidence in security that a firewall affords them. Yet more often than not, this level of confidence is for naught. The misconception is that many people somehow equate a firewall with comprehensive security, an equation that simply does not jibe with reality.


As an example, when you speak to someone in management and ask them to describe their security infrastructure, they will most often reply something to the effect of “we have 5 Check Point firewalls securing our exterior and 7 Cisco PIXes securing the intranets”. While that describes a modest section of an information security infrastructure, it is simply the wrong answer. A firewall, contrary to popular belief, is a small item in the security infrastructure.


From a technical perspective, a firewall is simply a piece of hardware or software that enforces a physical boundary between networks. When most people speak of firewalls, they are referring to separating an internal or trusted network from an external or untrusted network. Firewalls also can (and should) be used to secure different departments within a single organization.


Firewall architectural bigots

If you have ever been in a meeting about firewalls, within 10 minutes, you can see (and hear) what an individual's preference is for a particular firewall architecture. On numerous occasions I have heard the declaration “that would have never happened if we would have used a Cisco PIX” and “forget about the hassles in regard to configuring CyberGuard, let’s just go with FireWall-1”.


In the past, the topic of stateful inspection (à la Check Point) vs. proxy-based firewalls was generally good enough for a few weeks' worth of meetings. The firewall vendors themselves fueled the debate over the merits of their respective architectures. As an example, there are well over 20 ICSA-certified firewall products[1].


Let me state two very general observations:

· Most current-generation firewalls can, as a rule, be considered capable of being secure. Time has shown that for the most part, nearly all of the major vendors (and many of the minor vendors) share a similar feature set.

· It is pretty safe to say that most current-generation firewalls can largely protect the majority of environments.


Given these two observations, product selection is almost secondary to a well-secured infrastructure, competent staff, training and policy. Before you think about the specific firewall product, think about what you want to accomplish with those firewalls. A similar mistake is when enterprises attempt to roll out complex management software such as Tivoli or Computer Associates Unicenter without adequate planning and architecture.


One issue with a firewall is not so much which vendor you choose but how well configured the firewall is. Even after the firewall is installed and configured, ensuring that the underlying operating system is secure and patched is critical. For most systems, whether an application server or a firewall, system crashes and other failures are most likely due to user error.


A major problem with a misconfigured firewall is that it often presents a false sense of security by causing system administrators to overlook flaws in the underlying operating system. Such an issue is most notable with the various flavors of Windows. As an example, numerous denial of service attacks have succeeded in crashing many a Windows server because of a flaw in Windows that could easily have been corrected had the user applied the appropriate Microsoft service packs and patches.


The importance of constant updating, review and examination cannot be overstressed. The best example of this is the September 1998 break-in at the New York Times web site, which generated a lot of bad press for the Times[2] and also for Bellcore, the organization that had audited the web site two years earlier. How well Bellcore performed the audit and how secure the New York Times web site was in 1996 is known only to those two groups. Yet the Times was clearly lackadaisical in going over two years without an additional audit and scan of its web servers.


Policy, control and enforcement

Now that we have seen that the specific firewall installed is almost secondary, the two critical areas when it comes to firewalls and mainstream security are policy and enforcement.


First off, if there is no policy, then it is impossible to configure the firewall meaningfully toward any measurable benefit. This is apparent from the down-to-earth definition of a firewall that comes from Marcus Ranum (creator of the TIS Firewall Toolkit and founder of Network Flight Recorder). Ranum defines a firewall as “the implementation of your Internet security policy. If you haven’t got a security policy, you haven’t got a firewall. Instead, you’ve got a thing that’s sort of doing something, but you don’t know what it’s trying to do because no one has told you what it should do”.

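As an added illustration of Ranum's point (example code written for this edit, not from the article, from Ranum, or from any vendor's product): the written policy is a list of flows that must be allowed or denied, the ruleset is its implementation, and an audit checks that the one actually matches the other. All addresses, segments and both rulesets are constructed for the example; the matcher is a simplified first-match packet filter and does not reproduce any specific product's semantics.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str                     # CIDR; "0.0.0.0/0" means anywhere
    dst: str
    proto: str = "any"           # "tcp", "udp" or "any"
    dport: Optional[int] = None  # None means any destination port

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.proto in ("any", pkt.proto)
                and self.dport in (None, pkt.dport))


def evaluate(rules, default_action: str, pkt: Packet) -> str:
    """First-match semantics: the first rule that matches decides; otherwise the default."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default_action


# Constructed policy: (description, representative packet, verdict the policy requires).
INTERNET = "203.0.113.7"   # constructed external host (TEST-NET-3 documentation range)
POLICY = [
    ("Internet may reach the public web server on HTTPS",
     Packet(INTERNET, "192.0.2.10", "tcp", 443), "allow"),
    ("Internet may not reach the web server's SSH port",
     Packet(INTERNET, "192.0.2.10", "tcp", 22), "deny"),
    ("Internet may not reach the internal network",
     Packet(INTERNET, "10.2.0.15", "tcp", 445), "deny"),
    ("HR segment may not reach the finance segment",
     Packet("10.2.0.15", "10.1.0.20", "tcp", 1433), "deny"),
    ("Finance may reach its own database server",
     Packet("10.1.0.5", "10.1.0.20", "tcp", 1433), "allow"),
]


def audit(rules, default_action: str, policy=POLICY) -> list:
    """Return findings; an empty list means the ruleset implements the policy."""
    findings = []
    if default_action != "deny":
        findings.append("default action is %r; policy requires default deny" % default_action)
    for rule in rules:   # an unrestricted allow is never something a policy asked for
        if (rule.action == "allow" and ip_network(rule.src).prefixlen == 0
                and ip_network(rule.dst).prefixlen == 0):
            findings.append("rule %r allows any source to any destination" % (rule,))
    for description, pkt, required in policy:
        verdict = evaluate(rules, default_action, pkt)
        if verdict != required:
            findings.append("%s: got %s, policy requires %s" % (description, verdict, required))
    return findings


# Constructed "installed without a policy" ruleset: permissive default, broad allows.
LOOSE_RULES = [
    Rule("allow", "0.0.0.0/0", "192.0.2.10"),    # every port on the web server
    Rule("allow", "10.0.0.0/8", "10.0.0.0/8"),   # the whole intranet left flat
]
LOOSE_DEFAULT = "allow"

# Constructed ruleset written from the policy: default deny, one allow per sanctioned flow.
POLICY_RULES = [
    Rule("allow", "0.0.0.0/0", "192.0.2.10", "tcp", 443),
    Rule("deny", "10.2.0.0/16", "10.1.0.0/16"),            # HR -> finance blocked first
    Rule("allow", "10.1.0.0/16", "10.1.0.20", "tcp", 1433),
]
POLICY_DEFAULT = "deny"


if __name__ == "__main__":
    for name, rules, default in (("loose", LOOSE_RULES, LOOSE_DEFAULT),
                                 ("policy-derived", POLICY_RULES, POLICY_DEFAULT)):
        findings = audit(rules, default)
        print("%s ruleset: %d finding(s)" % (name, len(findings)))
        for finding in findings:
            print("  -", finding)
```

The loose ruleset is exactly the "thing that's sort of doing something" Ranum describes: it passes the one test everyone remembers (the web server is reachable) while failing the three the policy exists for. Re-running the audit after every rule change is the cheap version of the periodic review the article argues for.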

Beyond the practical perspective, the lack of any type of policy is also a problem from both a legal and a human resources viewpoint. If the security administrator completely misconfigures the firewall and a break-in occurs, are they liable? If there is no policy, it is hard to say yes, and almost impossible to terminate such an individual.


Conclusions

The key item to understand is that it is much more consequential how the firewall is installed, configured and maintained, and that the appropriate security policies exist and are enforced, than what specific firewall product was chosen.

[1] See https://www.icsalabs.com/icsa/main.php?pid=gddfg

[2] Hackers break into New York Times website http://cnn.com/TECH/computing/9809/13/nyt.hacked/index.html

