The Internet, like any other society, is plagued with the kind of jerks
who enjoy the electronic equivalent of writing on other people's walls with
spraypaint, tearing their mailboxes off, or just sitting in the street
blowing their car horns. Some people try to get real work done over the
Internet, and others have sensitive or proprietary data they must protect.
Usually, a firewall's purpose is to keep the jerks out of your network while
still letting you get your job done.
Many traditional-style corporations and data centers have computing security
policies and practices that must be adhered to. In a case where a company's
policies dictate how data must be protected, a firewall is very important,
since it is the embodiment of the corporate policy. Frequently, the hardest
part of hooking to the Internet, if you're a large company, is not
justifying the expense or effort, but convincing management that it's safe
to do so. A firewall provides not only real security--it often plays an
important role as a security blanket for management.
Lastly, a firewall can act as your corporate ``ambassador'' to the Internet.
Many corporations use their firewall systems as a place to store public
information about corporate products and services, files to download,
bug-fixes, and so forth. Several of these systems have become important
parts of the Internet service structure (e.g.: UUnet.uu.net, whitehouse.gov,
gatekeeper.dec.com) and have reflected well on their organizational
sponsors.
(2) What can a firewall protect against ?
Some firewalls permit only email traffic through them, thereby protecting
the network against any attacks other than attacks against the email
service. Other firewalls provide less strict protections, and block services
that are known to be problems.
Generally, firewalls are configured to protect against unauthenticated
interactive logins from the ``outside'' world. This, more than anything,
helps prevent vandals from logging into machines on your network. More
elaborate firewalls block traffic from the outside to the inside, but permit
users on the inside to communicate freely with the outside. The firewall can
protect you against any type of network-borne attack if you unplug it.
Firewalls are also important since they can provide a single ``choke point''
where security and audit can be imposed. Unlike in a situation where a
computer system is being attacked by someone dialing in with a modem, the
firewall can act as an effective ``phone tap'' and tracing tool. Firewalls
provide an important logging and auditing function; often they provide
summaries to the administrator about what kinds and amount of traffic passed
through it, how many attempts there were to break into it, etc.
This is an important point: providing this ``choke point'' can serve the
same purpose on your network as a guarded gate can for your site's physical
premises. That means anytime you have a change in ``zones'' or levels of
sensitivity, such a checkpoint is appropriate. A company rarely has only an
outside gate and no receptionist or security staff to check badges on the
way in. If there are layers of security on your site, it's reasonable to
expect layers of security on your network.
(3) What can't a firewall protect against ?
Firewalls can't protect against attacks that don't go through the
firewall. Many corporations that connect to the Internet are very concerned
about proprietary data leaking out of the company through that route.
Unfortunately for those concerned, a magnetic tape can just as effectively
be used to export data. Many organizations that are terrified (at a
management level) of Internet connections have no coherent policy about how
dial-in access via modems should be protected. It's silly to build a 6-foot
thick steel door when you live in a wooden house, but there are a lot of
organizations out there buying expensive firewalls and neglecting the
numerous other back-doors into their network. For a firewall to work, it
must be a part of a consistent overall organizational security architecture.
Firewall policies must be realistic and reflect the level of security in the
entire network. For example, a site with top secret or classified data
doesn't need a firewall at all: they shouldn't be hooking up to the Internet
in the first place, or the systems with the really secret data should be
isolated from the rest of the corporate network.
Another thing a firewall can't really protect you against is traitors or
idiots inside your network. While an industrial spy might export information
through your firewall, he's just as likely to export it through a telephone,
FAX machine, or floppy disk. Floppy disks are a far more likely means for
information to leak from your organization than a firewall! Firewalls also
cannot protect you against stupidity. Users who reveal sensitive information
over the telephone are good targets for social engineering; an attacker may
be able to break into your network by completely bypassing your firewall, if
he can find a ``helpful'' employee inside who can be fooled into giving
access to a modem pool. Before deciding this isn't a problem in your
organization, ask yourself how much trouble a contractor has getting logged
into the network or how much difficulty a user who forgot his password has
getting it reset. If the people on the help desk believe that every call is
internal, you have a problem.
Lastly, firewalls can't protect against tunneling over most application
protocols to trojaned or poorly written clients. There are no magic bullets
and a firewall is not an excuse to not implement software controls on
internal networks or ignore host security on servers. Tunneling ``bad''
things over HTTP, SMTP, and other protocols is quite simple and trivially
demonstrated. Security isn't ``fire and forget''.
(4) What about viruses ?
Firewalls can't protect very well against things like viruses. There are
too many ways of encoding binary files for transfer over networks, and too
many different architectures and viruses to try to search for them all. In
other words, a firewall cannot replace security-consciousness on the part of
your users. In general, a firewall cannot protect against a data-driven
attack--attacks in which something is mailed or copied to an internal host
where it is then executed. This form of attack has occurred in the past
against various versions of sendmail, ghostscript, and scripting mail user
agents like OutLook.
Organizations that are deeply concerned about viruses should implement
organization-wide virus control measures. Rather than trying to screen
viruses out at the firewall, make sure that every vulnerable desktop has
virus scanning software that is run when the machine is rebooted. Blanketing
your network with virus scanning software will protect against viruses that
come in via floppy disks, modems, and Internet. Trying to block viruses at
the firewall will only protect against viruses from the Internet--and the
vast majority of viruses are caught via floppy disks.
Nevertheless, an increasing number of firewall vendors are offering ``virus
detecting'' firewalls. They're probably only useful for naive users
exchanging Windows-on-Intel executable programs and malicious-macro-capable
application documents. There are many firewall-based approaches for dealing
with problems like the ``ILOVEYOU'' worm and related attacks, but these are
really oversimplified approaches that try to limit the damage of something
that is so stupid it never should have occurred in the first place. Do not
count on any protection from attackers with this feature.
A strong firewall is never a substitute for sensible software that
recognizes the nature of what it's handling--untrusted data from an
unauthenticated party--and behaves appropriately. Do not think that because
``everyone'' is using that mailer or because the vendor is a gargantuan
multinational company, you're safe. In fact, it isn't true that ``everyone''
is using any mailer, and companies that specialize in turning technology
invented elsewhere into something that's ``easy to use'' without any
expertise are more likely to produce software that can be fooled.
(5) What is the difference between Viruses, Spyware, and Spam ?
A virus is a program which can self-replicate and insert itself into other applications on your computer. They vary in the amount of damage they can do, from simply slowing your computer down so much it becomes almost unusable to the worst scenario, which is destroying data, disabling software and deleting files. A Spam is unsolicited or junk email that clogs up your email inbox. The best way to deal with spam is not to open it or reply to it. Use your spam filter and if you are using a email site such as Gmail, be sure to report the spam, as every piece reported is added to a database. Be aware of which websites you enter your email address on, make sure the site states they will not sell your details onto a third party. When you sign up to some legitimate sites they will try to opt you in to as many advertising emails as possible, simply un-tick all the opt-in boxes. A Spyware is software which gathers information about you and transmits it to an unauthorised third party. This can cover everything from what sites you go to on the web to logging your keystrokes and finding out passwords and PINs.