10.2 What a Firewall Cannot Do


As mentioned in the beginning of this chapter, a firewall often becomes the focal point of network security. This is not necessarily a bad thing as long as this focus is accompanied by a strong network security plan. If the firewall is going to be the only security plan, then the network will be extremely vulnerable to attacks.

To make the best use of a firewall it is important to understand its weaknesses. Firewalls are good at blocking ports and IP address blocks or individual addresses. They can also be good at detecting and dropping malformed packets.

Firewalls are not good at doing a detailed examination of packets. If the problem is in the packet header, as with spoofing or a smurf attack, a firewall can be an effective tool. On the other hand, attacks that involve sending bad information within the packet payload, such as a virus or worm, are much more difficult to stop with a firewall.

Firewalls also cannot defend against attacks that do not go through the firewall. War dialing and attacks that use employee-created back doors into the network will not be stopped by the firewall. While some dial-up connections cannot be avoided, there should be no back doors into a network. All traffic entering the network should pass through the firewall. This makes sense, as an attacker who does a network scan of an IP block is going to find those back entrances anyway, and use them to breach the network.

Firewalls also cannot tell a security administrator when the firewall rules are inadequate. Most firewalls start with a secure rule set, but because the security needs of each organization are different, it is possible to create a rule set that is insecure. Most security experts recommend having at least one person on staff who is certified in the use of the firewall. That person should be able to verify the firewall rule set and ensure the rules are logical and consistent with the security policy.

NOTE

Because even the best security experts make mistakes, it is a good idea to have the firewall rule set audited by a third party. Many organizations pay third parties to perform a security audit on their network after the firewall, and other measures, have been put in place.
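Part of the rule-set verification described above can be automated as a first pass before the certified reviewer or third-party auditor looks at it. The script below is an added example, not code from the book; it assumes a simplified first-match rule format (the `Rule` class, the `covers` and `audit` functions and the constructed `SAMPLE_RULES` list are all hypothetical) and flags three classic mistakes a reviewer looks for: an accept-all rule, rules shadowed by an earlier, broader rule so that they never fire, and a missing final default deny.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    """One first-match firewall rule (hypothetical, simplified format)."""
    action: str            # "accept" or "drop"
    proto: str             # "tcp", "udp", "icmp" or "any"
    src: str               # source CIDR, or "any"
    dst: str               # destination CIDR, or "any"
    dport: Optional[int]   # destination port; None means any port


# Matches every packet; used to recognise accept-all and default-deny rules.
ANY_RULE = Rule("accept", "any", "any", "any", None)


def _net(cidr: str):
    """Turn a CIDR string (or "any") into an ipaddress network object."""
    return ipaddress.ip_network("0.0.0.0/0" if cidr == "any" else cidr, strict=False)


def covers(broad: Rule, narrow: Rule) -> bool:
    """True when every packet matched by `narrow` is also matched by `broad`."""
    proto_ok = broad.proto == "any" or broad.proto == narrow.proto
    port_ok = broad.dport is None or broad.dport == narrow.dport
    return (proto_ok and port_ok
            and _net(broad.src).supernet_of(_net(narrow.src))
            and _net(broad.dst).supernet_of(_net(narrow.dst)))


def audit(rules: List[Rule]) -> List[str]:
    """Return human-readable findings for a first-match rule list."""
    findings = []
    for i, rule in enumerate(rules):
        # 1. An accept rule as broad as ANY_RULE lets everything through.
        if rule.action == "accept" and covers(rule, ANY_RULE):
            findings.append(f"rule {i}: accepts all traffic")
        # 2. A rule fully covered by an earlier rule never fires (shadowing).
        #    This is worst when the actions differ: an intended drop is silently lost.
        for j in range(i):
            if covers(rules[j], rule):
                findings.append(f"rule {i}: shadowed by rule {j} ({rules[j].action})")
                break
    # 3. The list should end with an explicit default deny.
    if not rules or rules[-1].action != "drop" or not covers(rules[-1], ANY_RULE):
        findings.append("no final default-deny rule")
    return findings


# Constructed sample rule set (not from any real deployment) with three mistakes.
SAMPLE_RULES = [
    Rule("accept", "tcp", "any", "10.0.0.0/24", 443),        # 0: web servers
    Rule("accept", "tcp", "192.168.1.0/24", "any", 22),      # 1: admin LAN may SSH out
    Rule("drop",   "tcp", "192.168.1.50/32", "any", 22),     # 2: intended block, shadowed by 1
    Rule("accept", "any", "any", "any", None),               # 3: accept-all left over from testing
    Rule("drop",   "any", "any", "any", None),               # 4: default deny, unreachable behind 3
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print(finding)
```

Real firewall rule languages carry more state than this (interfaces, direction, connection tracking, time windows), so a check like this catches only the gross errors; it is a way to make the human review start from a cleaner list, not a replacement for it.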


A firewall is also not a network-monitoring tool. Many firewalls are capable of notifying administrators when an attack occurs, but there is some debate as to the prudence of that because the purpose of a firewall is to stop attacks. An IDS is more capable of identifying security violation patterns and notifying administrators. Firewalls also do not monitor the network to determine whether or not servers are available. Separate monitoring servers and software are required for that.

The most important thing to remember about firewalls is that they cannot stop the most common type of attack: internal. Network security breaches caused by employees, or people posing as employees, are the most common type of network attack. These events generally occur behind the firewall and are therefore inside the perimeter the firewall protects.

This returns to the original point: A firewall is an important part of network security, but it should not be the only security precaution taken. A firewall that is used as part of an overall network security policy is going to be much more effective than one that is the network security policy.



The Practice of Network Security: Deployment Strategies for Production Environments
ISBN: 0130462233
Year: 2002
Pages: 131
Authors: Allan Liska