Access Across the Firewall
Business trends increasingly are forcing connections through firewalls. For example, your company's suppliers or dealers may take an active role in product design and need access to internal design plans, so you let them pick up new drawings by FTP or give them instant messenger capability. Or new business acquisitions may be joining your team, dragging along their address spaces and existing Internet connections, and they need direct access to internal servers.
Spyware and peer-to-peer products often test firewalls for holes through which they can communicate back to their networks. Do you allow any internal device to use the Internet's DNS services? If so, that hole has probably been found by an attacker; a human intruder may even be using that hole with software such as Netcat (which can tunnel traffic through any port the attacker chooses) to move your company's information (credit card numbers, for example) to Internet servers in countries lacking adequate law enforcement.
Trends like these lead many security experts to conclude that the "hardened perimeter" is dead as a concept, but at a time of great attacks (staged both outside-in and inside-out), low-level network attacks keep growing. Therefore, the number of rules that authorize access through the firewall continues to grow; we still need to keep the concept of "state" in our security domains, or servers will be duped. The best answer is a periodic review of the organization's firewalls.
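One check such a periodic review can automate is the DNS question raised above: which permit rules let hosts other than the designated resolvers send DNS traffic out. The following is an added example, not part of the original article; the one-line rule format, the sample rules and the approved-resolver addresses are all constructed assumptions, and rule ordering (first match) is not evaluated.

```python
import ipaddress

# Constructed sample rule set in a hypothetical "action proto src dst dport" format.
SAMPLE_RULES = """\
permit udp 10.0.0.0/8 any 53
permit tcp 10.0.0.0/8 any 53
permit udp 10.1.1.10/32 any 53
permit udp 10.1.1.11/32 198.51.100.53/32 53
permit tcp 10.0.0.0/8 any 443
deny   udp any any 53
"""

# Assumption: only these internal resolvers should ever talk DNS to the Internet.
APPROVED_RESOLVERS = {ipaddress.ip_network("10.1.1.10/32"),
                      ipaddress.ip_network("10.1.1.11/32")}
DNS_PORT = 53

def parse_rules(text):
    """Parse the hypothetical rule format, skipping blanks and '#' comments."""
    rules = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        action, proto, src, dst, dport = line.split()
        rules.append({"line": n, "action": action, "proto": proto,
                      "src": src, "dst": dst, "dport": dport})
    return rules

def _net(spec):
    # "any" is treated as the whole IPv4 address space.
    return ipaddress.ip_network("0.0.0.0/0" if spec == "any" else spec)

def broad_dns_egress(rules, approved=APPROVED_RESOLVERS):
    """Return permit rules that let hosts other than approved resolvers send DNS out."""
    findings = []
    for r in rules:
        if r["action"] != "permit" or r["dport"] not in (str(DNS_PORT), "any"):
            continue
        src = _net(r["src"])
        # Acceptable only if the source lies entirely inside an approved resolver net.
        if not any(src.subnet_of(a) for a in approved):
            findings.append(r)
    return findings

if __name__ == "__main__":
    for r in broad_dns_egress(parse_rules(SAMPLE_RULES)):
        print(f"line {r['line']}: {r['proto']} {r['src']} -> {r['dst']} port {r['dport']}")
```

Rules it reports are candidates for narrowing to the resolver addresses; rules with port "any" are included because they also pass DNS.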