If We Buy It, Will It Protect Us?
ICSA Labs reports that "an alarming number of firewalls aren't functioning as intended." [268] This is largely due to the "people" component in the firewall configuration process, rather than shortcomings in the firewalls themselves. Many firewalls are simply improperly installed or configured.
It appears that Tiny is getting out of the firewall business. Kerio and Tiny at one point appeared to be the same code base with different marketing. One of your authors has been both fooling around with a new version of Kerio and lurking on a newsgroup for the currently beta product [269]. Early indications are that the new Kerio is vastly more powerful and, in the current beta, correspondingly more complex. Other users swear by the popular ZoneAlarm firewall.
So, it is important that staff is trained on proper firewall configuration and security techniques, and that firewall configurations and rules are documented. Again, security isn't a one-time action that is taken and then is over with. It is a process! A single setting can sometimes turn on (and thus, OFF) packet inspection, turning a firewall with a well-designed rule base into a box that blindly passes along every packet it sees.
In addition to regular audits of your firewall rules and configuration, and perhaps an occasional penetration test by staff (or a consulting group) using an outside Internet connection, what else can be done to maximize the security of a firewall? Check with your firewall vendor regularly to ensure that you are running the most up-to-date software, which is likely to be the most resistant to known vulnerabilities.
Follow popular mailing lists like BUGTRAQ, and Usenet newsgroups related to your firewall platform, to keep up with potential issues. As with any network device, if the vendor has a security bulletins list, sign up for it and take the recommendations posted on it. For example, sometimes a vendor suggests temporarily disabling a feature until a patch for a security vulnerability involving it is tested and released. Ignore these (we know many people will, often based on "I don't have the time") at your own peril, and don't say you weren't warned.
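The regular audit of rules and configuration recommended above can be partly automated by comparing the running configuration with the documented one. The following is an added example, not part of the original guide; the vendor-neutral schema (settings, rules, id, src, dst, port, action, comment) is hypothetical and the sample data is constructed.

```python
# Added example: audit a running firewall configuration against its
# documented baseline. The schema is hypothetical and vendor-neutral;
# BASELINE and RUNNING are constructed sample data.

def strip_comment(rule):
    return {k: v for k, v in rule.items() if k != "comment"}

def audit(baseline, running):
    findings = []
    # Global settings that no longer match the documented value, e.g. a
    # single toggle that switched packet inspection off.
    for key, documented in baseline["settings"].items():
        if running["settings"].get(key) != documented:
            findings.append(("setting-drift", key))
    documented_rules = {r["id"]: r for r in baseline["rules"]}
    for rule in running["rules"]:
        rid, doc = rule["id"], documented_rules.get(rule["id"])
        if doc is None:                      # on the box, not in the docs
            findings.append(("undocumented-rule", rid))
        elif strip_comment(doc) != strip_comment(rule):
            findings.append(("rule-changed", rid))
        if not rule.get("comment", "").strip():
            findings.append(("no-justification", rid))
        if rule["action"] == "allow" and rule["src"] == rule["dst"] == rule["port"] == "any":
            findings.append(("allow-any-any", rid))
    # Documented rules that have disappeared from the running config.
    live = {r["id"] for r in running["rules"]}
    findings += [("rule-missing", rid) for rid in sorted(documented_rules.keys() - live)]
    return findings

BASELINE = {"settings": {"packet_inspection": True, "default_action": "deny"}, "rules": [
    {"id": 10, "src": "any", "dst": "192.0.2.10", "port": 443,
     "action": "allow", "comment": "public web server"},
    {"id": 20, "src": "198.51.100.0/24", "dst": "192.0.2.20", "port": 22,
     "action": "allow", "comment": "admin SSH from office"}]}

RUNNING = {"settings": {"packet_inspection": False, "default_action": "deny"}, "rules": [
    BASELINE["rules"][0],
    {"id": 20, "src": "any", "dst": "192.0.2.20", "port": 22,
     "action": "allow", "comment": "admin SSH from office"},
    {"id": 99, "src": "any", "dst": "any", "port": "any",
     "action": "allow", "comment": ""}]}

if __name__ == "__main__":
    for kind, subject in audit(BASELINE, RUNNING):
        print(f"{kind:18} {subject}")
```

Each finding is a prompt to either correct the firewall or update the documentation, so the two stay in agreement between audits.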
268. Firewalls FAQ, ICSA Labs, http://www.icsalabs.com/html/communities/firewalls/faqs/index.shtml, 2000.
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004
Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.