To some extent, your observations are correct -- firewalls can
lead to weaker internal security. But there are other issues as
well.

First, you say that

> A large percentage of security incidents are *internal*
> attacks. These lazy administrators, therefore, spend money
> addressing a small segment of their real security
> vulnerabilities.

It is far from clear to me that this statement is true!
It is frequently claimed that 95% of security problems are inside jobs.
But that figure is old, misleading, and (arguably) inapplicable to
today's environment. I discussed the numbers with Peter Neumann
during the research for the Firewalls book. He pointed out that very
many of the sites surveyed when that number was first published
were banks with closed networks. So -- if your
network doesn't go to anywhere outside, it's not a surprise that
most of your attacks are inside jobs. In today's environment, with
interconnected networks in general, and the Internet in particular,
there is much more exposure to the outside. Neumann believes -- and
I agree -- that the percentage of inside jobs is much lower than is
commonly believed.

The second point is that firewalls are not used solely as a guard
against bad systems administration. Rather, they're used to shift
the odds. If most software is buggy -- and I believe that that is
the case -- then the less of it you run on an exposed machine, the
less likely you are to be victimized by it. Consider the current
``new'' security problem -- the nfsbug program that's been widely
discussed and cited on a variety of mailing lists. I don't run NFS
on a gateway machine (and I'd hope that no one on this list does),
which means that at that level, I don't have to care about the hole.
Not that folks should tolerate its existence internally -- but we
have a bit of time to upgrade. Absolute protection? No, there's
no such thing. But it helps.
--Steve Bellovin