I'm going to take a novel position on the firewall philosophy debate.

I believe that the firewall provides significant additional security
by providing a tool which assists the network (security) administrator
to do her job.

Wallace's first law of firewalls: "The value of the firewall is not
in the hardware or the software, but in the genius and professionalism
of the firewall administrator."

I can't imagine recommending to any client that they deploy the 
level of resources appropriate to firewall administration to every node
in the network.  The laughter which drove me from the room would cause
permanent damage to my ears.  In the real world, my clients can only
afford limited resources for security.

The firewall creates a checkpoint where security is emphasized over
functionality. In that sense, it is a fortified platform from which the
security administrator can control traffic into and out of the network.

Marcus's arguments, apart from being idealistic, omit the administrator
from the firewall. He is an integral portion of the firewall system.
The firewall is a line in the sand.  If the network is to be attacked,
it should be attacked here.  And I deploy my best network administrator
at that point, to carefully monitor the behavior and security of the
firewall.  If I believe that I'm under attack, I can quickly shift to
a higher security posture, shutting down some services, negotiating
some compromises with operations for the duration of the crisis.

[Aside: I'm aware that I'm giving inappropriate short shrift to
both insider attacks and to modem policy/compliance defects.  Those
are, IMHO, intrinsically attacks which are not solved by a firewall.]

Moreover, network administration must involve not only security control,
but configuration control, user management, fault management, 
performance management, etc.  I don't believe you're doing security
management if you neglect these things. The firewall, and the associated
logs give me insight into the behavior of my network.  

The negotiations over which protocols should be allowed provide two 
invaluable benefits. First, they give me insight into the real business 
needs of my customers.  Second, they tell me how senior management
views me.  If they don't value the service I'm providing, it is time
to drop back to a lower security posture. 

[Aside: That's not a popular idea, and I suspect that Marcus, from his
idealistic point of view, will disapprove.  But Wallace's first law of
how to be a security officer says "if they give you the title without
the credibility, authority and the face time, then you're not a
security officer, you're a scapegoat."  Alternatively, you can take
Lara Baker's observation on security officers: "The job of the
security officer is to measure, educate, and then quit."  But that's
another argument.]


Summary - if you consider that the firewall is a system, including
hardware, software, policy, and professional administration, then 
I'd argue that firewalls are very much part of the solution. Indeed
I argue that they're a necessary part, early in the solution.

[NO disrespect to Marcus; idealism is good. I just can't afford to
eat it.]