delphij's Chaos


04 Jun 2004

A firewall that cuts every useful connection. Good job.

I am not sure how the company designed this firewall system, but it is simply bogus and useless, and fragile by design. Its only effect is to keep the network from functioning, not to make it any safer.

The firewall at my university promises to rewrite HTTP and FTP requests so that the "protected" servers will not be attacked. However:

  • One cannot depend on a firewall alone. Good practice is defense in depth, not reliance on a single layer. A lone firewall concentrates all risk in that one device; without in-depth defenses behind it, it will soon create much bigger security risks than it removes.
  • Requests that are modified by a third party, even a "transparent" one, will of course disturb normal traffic. In some situations this is fatal: a TLS handshake, for example, is likely to be broken by the "friendly filtering", because a filter that rewrites plaintext HTTP cannot rewrite an encrypted stream and ends up interfering with it instead.
  • Hardware-based firewalls are hard to upgrade, so they themselves become a security risk as new vulnerabilities appear. Nothing is guaranteed to be secure forever; that applies to commercial products as much as to open source.
  • A firewall decreases performance. That is sometimes a necessary price, but here there is no way to opt out of it.
  • It is silly to put servers behind the firewall and connect them directly to the internal network without a DMZ. It is sillier still to block server connections without investigating first.
  • A firewalled network should never be considered "completely secure". Nobody can predict what will happen when a new vulnerability is discovered, and nobody can defend against it beforehand.
  • A "complete and total security solution" is always a false promise. If one were possible, large companies and governments would never be successfully attacked.
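As an added illustration of the TLS point above (example code written for this page, not part of the original post or of any product mentioned in it): a filter that rewrites HTTP has nothing sensible to do with a TLS ClientHello, so the client typically gets back an HTTP error page instead of a ServerHello. The `classify_response` helper below tells the two apart from the first bytes of the reply (as one would capture them with tcpdump), and `probe` does the same live with Python's `ssl` module. Both function names, the sample payloads and the host used in `probe` are assumptions made for this example.

```python
"""Detect a "transparent" filter breaking a TLS handshake.

Added example, not from the original post. Helper names and the sample
payloads below are constructed for illustration.
"""
import socket
import ssl
import sys

# TLS record content types (RFC 5246 section 6.2.1) and the ServerHello
# handshake message type (RFC 5246 section 7.4).
TLS_ALERT = 0x15
TLS_HANDSHAKE = 0x16
SERVER_HELLO = 0x02

# Constructed samples: the first bytes a client receives after sending a
# ClientHello. They are truncated; only the headers matter here.
SAMPLES = {
    # Handshake record (0x16), version 3.3, length 0x4a, then a ServerHello
    # (0x02) header: a normal answer from a real TLS server.
    "genuine": bytes.fromhex("160303004a02000046030300"),
    # A filtering proxy that swallowed the ClientHello and answered as if
    # the connection were plain HTTP: the handshake is broken.
    "intercepted": b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n",
    # A fatal handshake_failure alert (type 0x15, level 2, description 40).
    "alert": bytes.fromhex("15030300020228"),
}


def classify_response(first_bytes: bytes) -> str:
    """Classify the first bytes received in reply to a TLS ClientHello."""
    if len(first_bytes) < 5:
        # A TLS record header is 5 bytes; anything shorter is undecidable.
        return "truncated"
    ctype, major = first_bytes[0], first_bytes[1]
    if ctype == TLS_HANDSHAKE and major == 3:
        # Byte 5 is the handshake message type; 0x02 is ServerHello.
        if len(first_bytes) > 5 and first_bytes[5] == SERVER_HELLO:
            return "tls-server-hello"
        return "tls-handshake"
    if ctype == TLS_ALERT and major == 3:
        return "tls-alert"
    if first_bytes[:5] == b"HTTP/":
        # Plain HTTP in reply to a ClientHello: a rewriting proxy got in
        # the way of the encrypted connection.
        return "http-intercepted"
    return "unknown"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Live check: open a TLS connection and report how it went.

    A substituted certificate (a MITM-style filter) shows up as a
    verification error; an HTTP page in place of a ServerHello shows up as
    a generic SSLError such as "wrong version number".
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "ok: " + str(tls.version())
    except ssl.SSLCertVerificationError as exc:
        return "certificate substituted or invalid: " + str(exc)
    except ssl.SSLError as exc:
        return "handshake broken, non-TLS reply?: " + str(exc)
    except OSError as exc:
        return "connection failed: " + str(exc)


def classify_samples() -> dict:
    """Run the offline classifier over the constructed samples."""
    return {name: classify_response(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:12s} -> {verdict}")
    # Optional live probe: python3 tls_probe.py www.example.org
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))
```

The offline classifier is what you would point at a packet capture taken on the client side of the filter; the live probe is the quick check to run from a desktop on the "protected" network. Neither needs the filter's cooperation, which is rather the point.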

In security, nothing can be trusted blindly. The more you restrict, the less you can observe, and that is the biggest security risk of all: you cannot even tell when you are under attack.

Telling a good tale is easy; making it come true is hard.