Are firewalls dead? Is there any value in maintaining any sort of perimeter security? Firewalls are important technology, which explains why they're added to so many devices. Firewalls aren't going away; in fact, they seem to be popping up in many unexpected places. What's changing is foolish total dependence on firewalls; organizations also need server and application security. What's also changing is the increasing sophistication of firewall inspection. After all, some server operating systems can be configured to drop source-routed packets. But how do you apply that targeting consistently across 800 production servers, 400 test servers, and the 100 or so old servers that some customers never want to give up? What will never change is the need for proper and careful firewall administration.
Much of the firewall's security rests in the network design that the organization places around the firewall. Create a lot of paths around the firewall, and the firewall becomes a worthless network ornament. Even if the firewall is in the right connectivity vortex, firewall administrators must configure the firewall to stop low-level attacks. It must be configured to use the available security features and must have the correct contextual clues placed on the interfaces. One of the biggest perimeter security failures is caused by poor firewall architectural design. Failure at that level makes rule examination worthless.
Future articles in this series will discuss firewall rule evaluation, discussing qualitative and quantitative measures of risk. We'll consider different contexts and how to rate them. I'll even lay out my system of risk evaluation for rules that can allow two organizations to discuss the risk of their firewall rule sets, without revealing the actual rulesa system I've been developing for more than a year, coming out of my burrow to discuss key points with security friends around the world.
I'll discuss firewall evaluations and a system that helps you to determine which system is best for an organization with certain characteristics. Of course, we won't have the topic completed until we discuss tools and procedures that can test your firewall's settings and resilience. This will help firewall administrators to do their own intrusion study.