The following text is copyright 1996 by Network World, permission is hearby given for reproduction, as long as attribution is given and this notice is included.

Installing Complacency

It seems that everyone has to have a firewall these days.

Corporate managers want to protect their assets from the evil doers out there on the Internet. Countries and corporate moralists want to protect their employees from the evil things out there on the Internet. China seems to be looking to its past for inspiration and thinking about building The Great Firewall to protect its billions of potential Internet users. Auditors now seem to have a little checkbox for firewalls--you have one, good you pass, now on to the next checkbox.

Don't get me wrong, I think firewalls can be good things. Of course you have to take care to match your requirement set to the function set of the device you select. If all you want to do is block TFTP (trivial file transfer protocol) and NFS (network file system) then you can program filters into your border router and call it a firewall. If you want to get fancier, controlling who on the inside can do what looking out and who on the outside can do what looking in, then you will most likely need to get one of the devices specifically built as firewalls.

You can get quite fancy with these devices, including blocking or permitting employee access to specific web sites, permitting customer access only to specific internal web servers, or even blocking email from Bill to Fred. Firewalls can give you lots of much needed control over the data path between us and them.

What big difference does it make to the security of your network to put a firewall between it and the rest of the Internet? If you assume that all the bad people are "out there" a firewall can significantly decrease the vulnerability to successful attacks on your resources or information. But is the assumption of the compartmentalization of bad guys valid? Not if you look at history. The vast majority of known cases of network or computer security violations have been perpetrated by insiders. This makes a great deal of sense. Unless you are rather dumb and name the computer that has your corporate secrets in it "good-stuff-here", it can be quite hard for some outsider to know where to look. There are the mixed cases of an ex-insider being out there and still knowing the lay of the network, or an outsider with inside help. Putting in a firewall between you and the 'Net can help solve part of your network security problem but you must keep in mind that your biggest threat continues to be people with legitimate access to the local network, in other words - your own users.

I think there is a real threat introduced by the installation of a firewall. That is the threat of complacency. The feeling can become now that you have a firewall you no longer need to be worried about the here-to-fore normal security procedures--good passwords, installing security bug fixes promptly, verifying host configurations with programs such as COPS ( on cert.sei.cmu.edu in the directory pub/cops for anonymous ftp), not sharing accounts, keeping good logs, and having a specific security incident telephone hot line.

Firewalls can be very helpful, and you do not need to limit the use of firewalls to the one external Internet link. Firewalls can also be used internally, to protect sensitive subnets from internal prying eyes. But, be sure to remember that the major threat is still within the wall and an external firewall just better delineates what internal means. Good internal security procedures must be followed and, where it is needed, strengthened.

disclaimer: Harvard's experiences with firewalls goes back to the Revolutionary War days when Harvard Hall caught fire but the above are my cautions.