11 What can't a firewall protect against?
Description
This article is from the Firewalls FAQ, by Matt Curtin cmcurtin@interhack.net and Marcus J. Ranum mjr@nfr.com with numerous contributions by others.
11 What can't a firewall protect against?
Firewalls can't protect against attacks that don't go through the
firewall. Many corporations that connect to the Internet are very concerned
about proprietary data leaking out of the company through that route.
Unfortunately for those concerned, a magnetic tape can just as effectively
be used to export data. Many organizations that are terrified (at a
management level) of Internet connections have no coherent policy about how
dial-in access via modems should be protected. It's silly to build a 6-foot
thick steel door when you live in a wooden house, but there are a lot of
organizations out there buying expensive firewalls and neglecting the
numerous other back-doors into their network. For a firewall to work, it
must be a part of a consistent overall organizational security architecture.
Firewall policies must be realistic and reflect the level of security in the
entire network. For example, a site with top secret or classified data
doesn't need a firewall at all: they shouldn't be hooking up to the Internet
in the first place, or the systems with the really secret data should be
isolated from the rest of the corporate network.
Another thing a firewall can't really protect you against is traitors or
idiots inside your network. While an industrial spy might export information
through your firewall, he's just as likely to export it through a telephone,
FAX machine, or floppy disk. Floppy disks are a far more likely means for
information to leak from your organization than a firewall! Firewalls also
cannot protect you against stupidity. Users who reveal sensitive information
over the telephone are good targets for social engineering; an attacker may
be able to break into your network by completely bypassing your firewall, if
he can find a ``helpful'' employee inside who can be fooled into giving
access to a modem pool. Before deciding this isn't a problem in your
organization, ask yourself how much trouble a contractor has getting logged
into the network or how much difficulty a user who forgot his password has
getting it reset. If the people on the help desk believe that every call is
internal, you have a problem.
Lastly, firewalls can't protect against tunneling over most application
protocols to trojaned or poorly written clients. There are no magic bullets
and a firewall is not an excuse to not implement software controls on
internal networks or ignore host security on servers. Tunneling ``bad''
things over HTTP, SMTP, and other protocols is quite simple and trivially
demonstrated. Security isn't ``fire and forget''.
Continue to:
My Books
