Friday, January 16, 2009

A firewall is not a security device

If you want to filter things intelligently, you are doing security.
If you review your filtering policies regularly, you are doing security.

But a simple firewall, which typically just drops packets addressed to certain ports, is no security device. It is part of shaping the network: it governs the normal use of the network, and it doesn't help with the following:
  • Confidentiality: think of all the opportunities to sidestep a firewall: the tunnels, the vulnerabilities in the servers and, of course, the HTTP traffic itself, which is the biggest threat to confidentiality.
  • Integrity.
  • Availability: it will not help you against DoS attacks, nor against hardware failures...
The firewall is part of the architecture: it lets you tell normal users that they are not supposed to use instant messaging, SSH or FTP, but it does nothing against an attacker. A firewall is not a security device.
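To make the two halves of the argument concrete (a port filter only ever sees protocol, source and port, while the security work is in reviewing the policy), here is a small added example; it is not code from the original post. It models a first-match, port-based ruleset, shows that the decision function has no payload argument at all, and runs a few defender-side review checks over the rules: shadowed rules that can never fire, broad permits, and a missing final drop-all. The `Rule` fields, the check names and the sample policy are all constructed for this illustration.

```python
"""
Added example (not from the original post): a toy first-match port
filter plus a reviewer for its policy.  The reviewer is the part that
is "doing security"; the filter itself only shapes traffic.
Rule format, field names and the sample ruleset are constructed.
"""
from dataclasses import dataclass
from typing import List, Tuple

@dataclass(frozen=True)
class Rule:
    name: str
    action: str             # "allow" or "drop"
    proto: str              # "tcp", "udp" or "any"
    src: str                # "any" or a zone label such as "lan", "dmz"
    ports: Tuple[int, int]  # inclusive destination port range

ANY_PORTS = (0, 65535)

def matches(rule: Rule, proto: str, src: str, port: int) -> bool:
    """Does this rule match a packet described only by proto/src/port?"""
    return (rule.proto in ("any", proto)
            and rule.src in ("any", src)
            and rule.ports[0] <= port <= rule.ports[1])

def decide(rules: List[Rule], proto: str, src: str, port: int) -> str:
    """First-match evaluation.  Note what is *not* a parameter here: the
    payload.  A tunnel over 443 and a browser over 443 get the same answer,
    which is the post's point about confidentiality."""
    for rule in rules:
        if matches(rule, proto, src, port):
            return rule.action
    return "drop"  # implicit default if no rule matched

def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` is also matched by `outer`."""
    proto_ok = outer.proto == "any" or outer.proto == inner.proto
    src_ok = outer.src == "any" or outer.src == inner.src
    ports_ok = outer.ports[0] <= inner.ports[0] and inner.ports[1] <= outer.ports[1]
    return proto_ok and src_ok and ports_ok

def review(rules: List[Rule]) -> List[str]:
    """Policy review checks a human should look at; returns findings as text."""
    findings = []
    for i, rule in enumerate(rules):
        # 1. A rule fully covered by an earlier rule can never fire
        for earlier in rules[:i]:
            if covers(earlier, rule):
                findings.append(f"{rule.name}: shadowed by {earlier.name} ({earlier.action})")
                break
        # 2. Permits that open every port and protocol for a source
        if rule.action == "allow" and rule.proto == "any" and rule.ports == ANY_PORTS:
            findings.append(f"{rule.name}: allows source {rule.src} every port and protocol")
    # 3. The policy should end with an explicit drop-all, not rely on the default
    catch_all = Rule("_", "drop", "any", "any", ANY_PORTS)
    if not rules or rules[-1].action != "drop" or not covers(rules[-1], catch_all):
        findings.append("policy: no explicit final drop-all rule")
    return findings

# Constructed sample policy (not a real configuration)
SAMPLE_POLICY = [
    Rule("web-in",    "allow", "tcp", "any", (80, 80)),
    Rule("tls-in",    "allow", "tcp", "any", (443, 443)),
    Rule("lan-any",   "allow", "any", "lan", ANY_PORTS),
    Rule("lan-ssh",   "allow", "tcp", "lan", (22, 22)),   # never fires: lan-any is first
    Rule("block-ftp", "drop",  "tcp", "any", (20, 21)),
    Rule("default",   "drop",  "any", "any", ANY_PORTS),
]

if __name__ == "__main__":
    print("wan -> tcp/443:", decide(SAMPLE_POLICY, "tcp", "wan", 443))
    print("wan -> tcp/21: ", decide(SAMPLE_POLICY, "tcp", "wan", 21))
    for finding in review(SAMPLE_POLICY):
        print("review:", finding)
```

Running it prints that TCP/443 from the outside is allowed and TCP/21 is dropped, and the review flags `lan-ssh` as shadowed and `lan-any` as a blanket permit. Drop the last rule from the list and the reviewer also reports the missing final drop-all. None of these checks make the filter inspect content; they only keep the shaping policy honest, which is the part of the job the post counts as security.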