The Failure of Firewalls -- A Critical Look at an Information Security Panacea

23 MAR 1998 Rob Thomas robt@cymru.com

With the mad dash to go on-line, companies of all sizes and myriad industries have placed their corporate networks upon the Internet. Initially, this was done with no regard for the dangers of Internet connectivity. Networks were wide open to attack from any Internet-based fiend, and break-ins were common and generally undetected. Chaos loomed.

Then the firewall appeared, an outgrowth of the screening router (a router laced with ACLs) and other band-aid solutions. The corporate world breathed a sigh of relief. At last, everyone believed, the corporate networks would be safer -- protected against the Bad Guys "out there." And this part is true -- thanks to the modern firewall, networks are more protected against the Bad Guys on the Internet.

But the corporate networks are no safer. Perhaps they are in more danger than ever before.

Unfortunately, the firewall has become an information security panacea. Once installed, a firewall is believed to be the end-all and be-all of information security, protecting the corporate network from all evils. Although a firewall is certainly capable of protecting the perimeter, much like an armed Marine sentry standing guard, it can do very little about activity that originates and terminates WITHIN the corporate network. According to the 1997 FBI and CSI information security survey, an organization was twice as likely to be hacked from within as from without. The perimeter may very well be safe, but the inside is wholly unprotected. Yet the installation of a firewall often gives a company a false sense of overall security, even though the firewall may not protect against viruses, internal hacks, poor password selection, and the like.

It is no longer enough, then, to simply protect the perimeter. It never was. Label this problem the "crunchy on the outside, chewy in the middle" paradigm. And it has left trouble in its wake. The time for the perimeter security solution has passed; enter the end-to-end security solution -- security at all points, at all levels.
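To make the "crunchy on the outside, chewy in the middle" point concrete, here is an added example (not from the original article) that models a screening-router style ACL at the perimeter and shows why a flow that never crosses the perimeter is never evaluated by it, then adds per-host rules as the end-to-end counterpart. All addresses, subnets and rules are constructed assumptions.

```python
"""Perimeter-only filtering versus end-to-end enforcement (constructed model)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumption: the whole corporate network lives in 10.0.0.0/8.
INSIDE = ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def crosses_perimeter(flow):
    """A perimeter device only sees traffic whose endpoints are on different sides."""
    return (ip_address(flow.src) in INSIDE) != (ip_address(flow.dst) in INSIDE)


def evaluate(flow, rules, default="deny"):
    """First-match ACL: rules are (src_net, dst_net, dport or None for any, action)."""
    for src_net, dst_net, port, action in rules:
        if (ip_address(flow.src) in ip_network(src_net)
                and ip_address(flow.dst) in ip_network(dst_net)
                and (port is None or port == flow.dport)):
            return action
    return default


PERIMETER_RULES = [
    ("0.0.0.0/0", "10.1.1.25/32", 25, "permit"),  # inbound mail to the relay only
    ("10.0.0.0/8", "0.0.0.0/0", None, "permit"),  # anything outbound
]

# End-to-end: what each server accepts, regardless of where the flow came from.
HOST_RULES = {
    "10.1.1.25": [("0.0.0.0/0", "10.1.1.25/32", 25, "permit")],
    "10.2.2.10": [("10.2.2.0/24", "10.2.2.10/32", 5432, "permit")],  # DB: own subnet only
}


def perimeter_only(flow):
    """Verdict of a perimeter-only design; internal flows are never inspected at all."""
    if not crosses_perimeter(flow):
        return "unseen"
    return evaluate(flow, PERIMETER_RULES)


def end_to_end(flow):
    """Perimeter verdict combined with the destination host's own policy."""
    if perimeter_only(flow) == "deny":
        return "deny"
    return evaluate(flow, HOST_RULES.get(flow.dst, []))
```

An insider on 10.5.5.5 reaching the database on 10.2.2.10 is "unseen" by the perimeter but denied by the host's own rule, which is the point the paragraph above makes.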

When architecting a corporate network security plan and the requisite policies, it is CRITICAL that the organization take an end-to-end view of the information security plan. Security is a journey, not a destination, and therefore is an ongoing process that requires constant vigilance and adaptation. Here are some tips for a company that is beginning, or continuing, that journey:

These are but a few tips, yet all stem from a common philosophy: information security is not about perimeter defense. It is not about technology. Rather, information security is really about protecting the corporation's proprietary data.

It is likely that your proprietary data is safe from outsiders. But is it safe from insiders?