"Philip R. Moyer" <prm @
# I would like to make an observation and hear people's suggestions for
# addressing the problem.
# The observation is this: Firewalls encourage professional laziness.

Oh, jeez, can't we discuss something technical and non-controversial
for a while? :-)

# We all know how site security is supposed to work. You build good host
# security. You set a site security policy. You educate your users. You
# build a firewall to keep out the external attackers. You monitor the
# security state of your network on a daily basis. More or less, that's how
# it's supposed to be done.

That is one model of security. Another model, favored especially by
development organizations, is that internal security should not get in
the way of development. Now, it's _possible_ to make good internal
security transparent to users, but it takes a lot of work and constant
attention (you're forever updating /etc/groups and cleaning up
permission botches, for instance).

# In my experience, however, this is *not* what happens. The site administrators
# and managers discover, or are shown, that they have lax security. Rather
# than expend the effort to develop a security policy, tighten host security,
# and educate users, many systems administrators and IT people will skip
# those steps and proceed directly to the "get a firewall" stage. They believe
# a firewall will save them from security incidents.
# I contend that this is professional laziness, as well as being quite

I disagree, for two reasons. First, not all sites believe in the
security model discussed above. Second, and more important, almost
all sites have limited resources. Given limited time to devote to the
problem, what gives the most bang for the buck: a security policy,
individual host security, user education, or a firewall?

In my opinion, for most sites, the answer is "a firewall".

A security policy is an extremely useful item, and I highly encourage
all sites to have an explicit one (all sites have one; the question is
whether it's explicit or not). Without any technology to back it up,
however, a security policy is about worth the paper it's printed on.

User education is an important and on-going process. All the user
education in the world isn't going to help you, though, if you don't
apply some of it to closing security holes.

Host security takes a _lot_ of work, particularly when you're dealing
with machines from dozens of vendors, running dozens of releases of
dozens of different operating systems, administered by dozens of
different groups. Further, a slip-up that allows any one of these
machines to be broken into seriously undermines the security of all
the rest, because of trust (following .rhost chains and so forth) and
because most of these machines are on Ethernet (making it trivial to
snoop for passwords).

A firewall is a way to address a large class of security problems. It
is by no means a way to address _all_ security problems.

# A large percentage of security incidents are *internal* attacks. These
# lazy administrators, therefore, spend money addressing a small segment of
# their real security vulnerabilities. These sites also tend to resist the
# concept of firewalls between internal networks; after all, they *trust*
# their users.

And that's their prerogative. You and I may not agree with it, but
it's not our site or our problem.

Brent Chapman | Great Circle Associates | Call or email for info about
COM | 1057 West Dana Street | upcoming Internet Security
+1 415 962 0841 | Mountain View, CA 94041 | Firewalls Tutorial dates