Pitfalls of Firewalling

written by: Craig Nelson; article published: year 2007, month 09;


One pitfall in the world of firewalls is that security can be configured so stringently that it can actually impair the process of networking. For example, some studies suggest that the use of a firewall is impractical in environments where users critically depend on distributed applications. Because firewalls can implement such strict security policies, these environments can become bogged down. What they gain in security, they lose in functionality. To some, this might be viewed simply as an inconvenience. However, the problem can bring about long-term effects that are far more damaging. For example, inevitably all administrators face the classic square-off between user X who needs to do Y, and the security problems that surround her request. Although the dilemma touches on a number of information security principles, one of the largest being policy definition, it can also cross some organizational boundaries. If, for example, the technical staff loses its battle to block service Y, they then run the risk of having an organization-wide precedent set. This can lead to the security personnel getting crushed by the business people, and sooner or later something is opened up on the firewall that really shouldn't be. On the other hand, smart organizations know to examine these situations on a case-by-case basis and act accordingly. Unfortunately, we don't all work for "smart" organizations…

Firewalls can help create sticky situations. The solution is to know how to avoid these situations, and know what to do when you do lose a battle. For example, if some bone-head VP gets the approval to allow third-party access to the payroll system through the Internet, rather than lose sleep over it, consider ways of controlling the damage. Segment the payroll systems onto a separate subnet, look to implement stronger system-level audit logs, work at getting an Intrusion Detection System (IDS) implemented on the segment in question, and so on. Many times, perceived losses can be turned into long-term victories, if you play your cards right.

Although users might seem more like pesky annoyances than necessary evils, it's important to remind yourself that the network is there for one reason: connectivity. Although security is an important part of an administrator's responsibility, so is basic usability. At the end of the day, if the users can't do their job, we're all going to be in trouble. Good administrators know which battles to fight, and which ones to work on from another angle…

Another more serious issue is that of a perceived and false sense of security. Administrators who are content that their firewalls will protect them from all evils are setting themselves up for a rude awakening. Part of the challenge of deploying a firewall is to help build a feeling of safety without overdoing it. Fun challenge, huh? The reason that this balance is so important is that, without secondary levels of defense, you are placing all your eggs in one basket. If your firewall is broken, your internal networks can easily be destroyed. Firewalls are part of a security model; they shouldn't be the security model because they have their own set of downfalls. Remember, tiered security models are your friend.

There is hope. Five years ago, we were fighting battles with the CIOs to get firewalls in the first place. Now we're fighting battles trying to convince them that just a firewall isn't enough. Hey, at least we're making progress.
