
Firewalls have a limited ability to examine incoming traffic. Don't put all your trust in a firewall's ability to keep out attackers. Use multiple lines of defence.
Until recently, when I imagined a firewall, I pictured, well... a wall, something essentially impassable. That's not to say that I thought of firewalls as the be-all and end-all of network security. There are usually plenty of opportunities to go over, under or around a wall. And while it's not technically impossible, breaking through a wall usually isn't feasible. For those reasons, I thought that firewalls provided almost "bulletproof" protection against a limited--but significant--class of attacks.
That changed earlier this year. As I sat in a crowded conference room, I watched a group of hackers waltz through the most popular firewall on the Internet--not once or twice, but more than 10 times during a two-and-a-half-hour presentation. Moreover, most of the attacks demonstrated could be modified and used against almost any firewall product currently available. I'd never seen a group of system administrators more impressed--and unnerved.
The demonstration touched on a wide range of vulnerabilities. Most firewalls are remotely administered and use cryptographic techniques to identify those who hold authorised access. So, a small error in an authentication protocol may be enough to allow an attacker to impersonate an administrator.
Firewalls have a limited ability to examine incoming traffic. An attack may be split up among several different data packets, for example, or an improperly implemented virtual private network may prevent the firewall from looking at key data.
What can you do? First, run--don't walk--to your machine and harden your firewall against these attacks. Consider the following safeguards: use the strongest authentication protocol available, preferably a Kerberos or PKI-based solution.
If your firewall doesn't support strong authentication, get a new firewall. If that isn't possible, consider disabling remote administration, whether it's a hassle or not.
Be absolutely certain your firewall's anti-spoofing protections are configured properly; forged source addresses for network traffic are present in many attacks. If your firewall doesn't have an anti-spoofing mechanism, get a new firewall.
Have your firewall enforce the most restrictive access rules your organisation can handle. Use a default "deny all" rule, allowing only those connections you explicitly designate.
Never use a rule that allows traffic from "any source" or to "any destination". Deny access to broadcast and multicast addresses. Although those steps can reduce risks and protect your sites, no firewall will ever be bulletproof. Don't put all your trust in a firewall's ability to keep out attackers--use multiple lines of defence. Consider using more than one firewall from different vendors. Install an intrusion-detection system, and harden every host.
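The rule-level safeguards above (no "any source" or "any destination" rules, anti-spoofing on the outside interface, no broadcast or multicast destinations, and an explicit default "deny all" as the last rule) can be checked mechanically. The audit below is an added example, not code from the column; its rule format, interface names and address ranges are assumed for illustration, with a deliberately weak ruleset beside a hardened one.

```python
import ipaddress
# Assumed address ranges (hypothetical; substitute your own).
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
MULTICAST = ipaddress.ip_network("224.0.0.0/4")
LIMITED_BROADCAST = ipaddress.ip_network("255.255.255.255/32")

# Constructed rulesets: (action, interface, source, destination), evaluated in order.
WEAK_RULES = [
    ("allow", "outside", "any", "any"),                     # blanket any-to-any
    ("allow", "outside", "10.0.0.0/8", "10.0.1.5/32"),      # internal source arriving from outside
    ("allow", "inside", "10.0.0.0/8", "10.255.255.255/32"), # directed broadcast
    ("allow", "inside", "10.0.0.0/8", "224.0.0.0/4"),       # multicast
]                                                           # ...and no final deny rule
HARDENED_RULES = [
    ("allow", "outside", "203.0.113.0/24", "10.0.1.5/32"),  # one named partner net to one host
    ("allow", "inside", "10.0.0.0/8", "198.51.100.10/32"),  # internal hosts to one external service
    ("deny", "any", "any", "any"),                          # explicit default deny, last
]

def _net(spec):
    """Parse an address field; 'any' means the whole IPv4 space (prefix length 0)."""
    return ipaddress.ip_network("0.0.0.0/0" if spec == "any" else spec, strict=False)

def audit(rules):
    """Return (code, rule) findings for each safeguard the ruleset violates."""
    findings = []
    for rule in rules:
        action, iface, src, dst = rule
        if action != "allow":
            continue
        src_net, dst_net = _net(src), _net(dst)
        if src_net.prefixlen == 0:
            findings.append(("ANY_SOURCE", rule))
        if dst_net.prefixlen == 0:
            findings.append(("ANY_DESTINATION", rule))
        if src_net.prefixlen == 0 or dst_net.prefixlen == 0:
            continue  # already a blanket rule; the finer checks add nothing
        # Anti-spoofing: internal addresses must never be accepted on the outside interface.
        if iface == "outside" and src_net.overlaps(INTERNAL_NET):
            findings.append(("SPOOFABLE_SOURCE", rule))
        # Broadcast and multicast destinations should be denied outright.
        directed = dst_net.num_addresses == 1 and dst_net.network_address == INTERNAL_NET.broadcast_address
        if directed or dst_net.overlaps(MULTICAST) or dst_net.overlaps(LIMITED_BROADCAST):
            findings.append(("BROADCAST_OR_MULTICAST", rule))
    # Default deny: the last rule must drop everything not explicitly allowed above it.
    last = rules[-1] if rules else None
    if last is None or last[0] != "deny" or _net(last[2]).prefixlen or _net(last[3]).prefixlen:
        findings.append(("NO_DEFAULT_DENY", last))
    return findings
```

Running `audit(WEAK_RULES)` reports every safeguard the weak set breaks, while `audit(HARDENED_RULES)` comes back empty.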
Security must be built throughout your networks, not just at the perimeter.