Article - Why do I need more than a firewall?


We have this discussion quite often, though I have to admit nowhere near often enough! People still think all that’s required to secure a network is a firewall. Setting aside the discussion about making sure it’s configured properly and reviewed, a firewall on its own really doesn’t do enough. Don’t even get me started on what a perimeter or edge actually is today.

We have to look at the problem in terms of ingress and egress of traffic. Are we protecting users and our corporate networks from threats that users download, either intentionally or inadvertently? And, separately, are we protecting our public corporate servers (e.g. web) from defacement or leakage of sensitive data?

Let’s first look at some analogies. One that I particularly like, and read about in Network World, is to imagine a slice of Swiss cheese: it has a lot of holes in it, but if you layer numerous slices, the holes all get covered up, while at any single layer there are still holes to allow passage.

One of my own favorite analogies, which I created and use, is to imagine a sewage filtration plant. All those years of watching Dirtiest Jobs on the Discovery Channel have paid off, but it’s really a good analogy.

At a sewage treatment plant, the problem is dealing with unsafe and unclean water that ultimately has to be made clean. It is just like the data our users are bringing down into our networks or feeding into our corporate servers. We have similar challenges:
  1. Our networks are fed cr_p (bad data) all day long coming down our pipes
  2. We realistically can’t stop it at the source
  3. We can’t throttle the rate at which it’s coming to us; short of the pipe sizes, we have to deal with what’s coming our way right now
  4. However, unlike the filtration system, we don’t have ponds to hold it and deal with it over a period of time; we have network buffers and latencies, that’s it. We must immediately make it clean and safe or discard it.
  5. We can’t possibly use our finest, most granular filtering devices on the first pass. There is no one-size-fits-all, cleans-all filter.

It’s the last point that really matters in our world. Just as a filtration system has to first check for and remove solids, then apply finer and finer filtering, and ultimately clean whatever is left over, so do we. Think of a firewall as that first-pass solids remover. Its whole purpose is to sift out that which we cannot and do not wish to scan. The firewall or edge device must deal with the “surge” problems, things like DoS (Denial of Service) attacks. It’s that first slice of Swiss cheese: it needs fast data rates and big holes to let data through, but the data isn’t clean after passing through it.

We then have to use additional layers to provide further inspection.

In the case of outbound Internet traffic (typically users), we might want to:
  • Check for outgoing SPAM
  • Check for outgoing viruses / malware
  • Make sure the target site is “approved” (no porn, hate crimes, etc.)
  • Make sure the application transporting the data is “approved” (e.g. SKYPE, IM, P2P, etc.)
  • Make sure the user isn’t leaking out sensitive data via whatever communication channel (not just authorized or conventional)
  • Look for the actual user (not device address) that initiated the request
  • Track and store the entire transaction for subsequent review or analysis
  • Our actions might include logging, blocking, alerting or quarantining for approval

In the case of inbound traffic going to a server (web, Email, application, etc.), we might want to:
  • Check for SPAM
  • Check for DoS type of attacks
  • Check for viruses / worms / malware
  • Look for specific web / application attacks (e.g. SQL injection, Cross Site Scripting, etc.)
  • Look for various attack patterns or signatures trying to obtain unauthorized access
  • Look for network anomalies based upon baselines or trends
  • Look for various reconnaissance techniques
  • Look for exploits being applied
  • Track and store the entire transaction for subsequent review or analysis
  • Enable dynamic settings to temporarily block the attacker, without creating a service denial for legitimate users
  • Correlate various events and/or incidents
  • Deploy honeypots to act as alert beacons
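As an added illustration of the coarse-then-fine layering described above (this is example code, not part of the original article), the following Python passes sample requests through a port-only firewall layer, then an application-layer pattern check for the SQL injection and Cross Site Scripting cases listed above, and finally a per-source temporary block that leaves other sources unaffected. The traffic sample, the patterns and the block threshold are constructed for the demo.

```python
import re
from collections import defaultdict

# Constructed sample traffic for the demo: (source_ip, dst_port, http_path).
TRAFFIC = [
    ("203.0.113.5", 443, "/index.html"),
    ("203.0.113.5", 443, "/login?user=admin' OR '1'='1"),
    ("203.0.113.5", 443, "/search?q=<script>alert(1)</script>"),
    ("203.0.113.5", 443, "/login?user=bob"),
    ("198.51.100.7", 443, "/products"),
    ("198.51.100.9", 23, "/"),  # telnet: stopped by the coarse firewall layer
]

# Deliberately simple demo signatures; a real inspection layer uses far more.
SQLI = re.compile(r"('\s*(or|and)\s*'?\d*'?\s*=)|(--\s*$)|(union\s+select)", re.I)
XSS = re.compile(r"<\s*script|javascript:", re.I)

ALLOWED_PORTS = {80, 443}
BLOCK_THRESHOLD = 2  # inspection hits before a single source is temporarily blocked


def firewall(port):
    """Layer 1: the 'solids remover'. Big holes: ports only, no content inspection."""
    return port in ALLOWED_PORTS


def app_inspection(path):
    """Layer 2: finer filter that looks inside the request for attack patterns."""
    if SQLI.search(path):
        return "sqli"
    if XSS.search(path):
        return "xss"
    return None


def run_pipeline(traffic):
    """Run each request through the layers; return (src, verdict, signature) per request."""
    hits = defaultdict(int)  # Layer 3 state: inspection hits per source
    verdicts = []
    for src, port, path in traffic:
        if not firewall(port):
            verdicts.append((src, "dropped_by_firewall", None))
            continue
        if hits[src] >= BLOCK_THRESHOLD:  # only the offending source is blocked
            verdicts.append((src, "temp_blocked", None))
            continue
        sig = app_inspection(path)
        if sig:
            hits[src] += 1
            verdicts.append((src, "blocked_by_inspection", sig))
        else:
            verdicts.append((src, "allowed", None))
    return verdicts
```

Note that the firewall layer lets both injection requests through untouched; only the finer layer catches them, and the legitimate source 198.51.100.7 is never affected by the temporary block.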

This is all without even considering that our various access methods might include wired and wireless connections, VPNs, remote users, etc.

So, that’s why a firewall might not be enough. I think we all understand that we can’t dump sewage into the ocean just by skimming for solids, so why would we dump data into our networks that only a firewall has scanned?

Author: Werner Schmidt, CISSP
Date: January 2009
