A firewall is supposed to be a Good Thing, but I guess you haven’t heard anyone say ”Oh, I really love my firewall!” lately. Most people seem to hate firewalls. Just have a look at some of the write-ups here and you’ll see what I mean.

So why do people hate this thing that is supposed to protect them from all the bad people out there on the big, scary Internet? Because most firewalls are installed and configured in a way that causes a lot of problems without solving the ones the firewall was supposed to take care of in the first place.

Myth #1: “A firewall improves our network security”

Not true. A firewall in itself doesn’t improve your security any more than putting a “keep out”-sticker on your router. A properly installed, configured, maintained and monitored firewall can be an important part of network security, but it has to be fitted into an overall security policy.

This is a dangerous myth because it can lead to a false sense of security. I have seen several cases where a system has been “protected” by a firewall with a really good configuration, but where hacking attempts have been successful because the servers inside the firewall had security leaks.

Unfortunately, a lot of systems don’t even have a good configuration, just some version of the default configuration shipped with the software

My suggestion is to use firewalls to narrow down the exposed part of your system and to monitor traffic, but make sure that the systems behind the firewall have very tight security on the ports the firewall allows for external traffic.

Myth #2: “It is a good idea to block all outgoing traffic except HTTP and HTTPS

This is probably the main reason why people hate firewalls. When configured this way the firewall will block any attempt to run Napster, EverQuest or your favorite MUD client, but also “useful” stuff like FTP and some auto-updaters. So why is this a bad idea? Isn’t it good that you have a way to prevent people from playing games on company computers or downloading illegal copies of copyrighted material? Well, it might be, but that is a “political” policy decision and has nothing to do with security. “What about virus?” you might ask. Even if the firewall blocks all outgoing transactions, it will not help protect you against virus attacks in any way. Most “successful” viruses lately were spread through email, and those that aren’t can still be downloaded over http connections.

This policy is not only bad: it is counterproductive. Since the decision to block all outgoing transactions is an easy one it is usually made by inexperienced network administrators or by non-technical security staff, people who are notoriously difficult to argue with. No matter what good arguments a user comes up with to open up a port or a service, the answer is probably “no”, usually followed by “it is too difficult to monitor” or “it is company policy”. Clever users will learn this and open up their own channels to get whatever they want to do to work, without asking permission, and that is a real security problem.