Why your firewall may do more harm than good.
Firewalls were developed in the late 1980s to provide access control, authentication, and network traffic logs. If you worked with these early products, you likely remember how difficult they were to configure and use.
Contemporary firewall vendors focus on ease of use to capture greater market share, and there lies the crux of the problem. Where firewalls were originally designed as your first line of network defense, vendors have designed today's products with simple installation, configuration, and performance as the top goals. And while a modern firewall is easier to install and use, it is also more likely to be insecure.
A GUI PROBLEM
In a survey conducted by the Computer Security Institute (CSI, San Francisco) at the end of 1997, 30 percent of respondents reported Internet security breaches where a firewall was installed. Of these sites, 51 percent replied that the cause was a misconfigured firewall, and 41 percent cited product weakness as a contributor to the breach.
"The biggest problem today is that firewalls are reviewed as if they were end-user products instead of as security products," says Bill Stout, an independent security consultant. Firewall vendors quickly learned that products that were the easiest to install and set up gathered the largest market share.
"Some firewalls allow you to do things that actually make the firewall less secure," says Fred Avolio, an independent consultant and former product manager for Trusted Information Systems' (Rockville, MD) Gauntlet firewall (now owned by Network Associates).
Here's an example. I vividly remember when a reviews editor at a Unix magazine discovered the first firewall product with a Graphical User Interface (GUI) during a Networld+Interop show in Las Vegas. He was ecstatic. My own perspective was quite different. From a security point of view, the vendor had improved packet filtering by inventing something known as stateful packet filtering, which permitted the firewall to react dynamically to a handful of protocols that required additional ports to complete a transaction (such as FTP).
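To make the stateful-filtering idea concrete, here is a small simulation, added for this edit and not taken from the article or from any vendor's product. It models the active-mode FTP case the text mentions: the filter's static policy allows only outbound connections to port 21, but when it sees a client send a PORT command on an established control channel it opens a one-shot pinhole for the server's data connection back to exactly the address and port the client advertised. The addresses, the 10.0.0.x "inside" network, and the packet records are constructed sample data; a real firewall would also have to reassemble the TCP stream before parsing commands, which is omitted here.

```python
import re
from dataclasses import dataclass, field
from typing import Set, Tuple

FourTuple = Tuple[str, int, str, int]  # (src_ip, src_port, dst_ip, dst_port)

# Active-mode FTP PORT command: "PORT h1,h2,h3,h4,p1,p2" -> data port = p1*256 + p2
PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?\n", re.IGNORECASE)


@dataclass(frozen=True)
class Packet:
    """Constructed stand-in for a TCP segment as a packet filter would see it."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False        # True for a new-connection attempt
    payload: bytes = b""


@dataclass
class StatefulFilter:
    # Hypothetical internal network prefix for this example.
    inside_net: str = "10.0.0."
    # Static policy: destination ports inside hosts may open outbound (FTP control only).
    static_rules: Set[int] = field(default_factory=lambda: {21})
    # Connection table of 4-tuples the filter has already admitted.
    connections: Set[FourTuple] = field(default_factory=set)
    # Temporary inbound pinholes learned from PORT commands (consumed on first use).
    expected: Set[FourTuple] = field(default_factory=set)

    def _inside(self, ip: str) -> bool:
        return ip.startswith(self.inside_net)

    def _track_port_command(self, pkt: Packet) -> None:
        """Open a pinhole for the server's data connection if the PORT command is sane."""
        m = PORT_RE.match(pkt.payload)
        if not m:
            return
        nums = [int(x) for x in m.groups()]
        if any(n > 255 for n in nums):
            return
        adv_ip = ".".join(str(n) for n in nums[:4])
        adv_port = nums[4] * 256 + nums[5]
        # Only honour a PORT that names the client itself on an unprivileged port;
        # anything else would let the control channel punch holes to other hosts.
        if adv_ip != pkt.src_ip or adv_port < 1024:
            return
        self.expected.add((pkt.dst_ip, 20, adv_ip, adv_port))

    def decide(self, pkt: Packet) -> str:
        key: FourTuple = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        rev: FourTuple = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)

        # 1. Traffic on an already-admitted connection passes in both directions;
        #    inspect client->server FTP control traffic for PORT commands on the way.
        if key in self.connections or rev in self.connections:
            if self._inside(pkt.src_ip) and pkt.dst_port == 21:
                self._track_port_command(pkt)
            return "allow"

        # 2. New outbound connection: admitted only if the static policy allows the port.
        if pkt.syn and self._inside(pkt.src_ip) and not self._inside(pkt.dst_ip):
            if pkt.dst_port in self.static_rules:
                self.connections.add(key)
                return "allow"
            return "deny"

        # 3. New inbound connection: admitted only through a pinhole learned from PORT.
        if pkt.syn and not self._inside(pkt.src_ip) and self._inside(pkt.dst_ip):
            if key in self.expected:
                self.expected.discard(key)   # one data connection per PORT command
                self.connections.add(key)
                return "allow"
            return "deny"

        return "deny"


def demo() -> list:
    """Walk an FTP session through the filter; returns the sequence of decisions."""
    fw = StatefulFilter()
    client, server = "10.0.0.5", "192.0.2.10"   # constructed sample addresses
    steps = [
        Packet(client, 40000, server, 21, syn=True),                            # control channel opens
        Packet(server, 21, client, 40000, payload=b"220 ready\r\n"),            # reply on that channel
        Packet(server, 20, client, 40001, syn=True),                            # unsolicited data SYN
        Packet(client, 40000, server, 21, payload=b"PORT 10,0,0,5,156,65\r\n"),  # 156*256+65 = 40001
        Packet(server, 20, client, 40001, syn=True),                            # now matches pinhole
        Packet(server, 20, client, 40002, syn=True),                            # wrong port, no pinhole
        Packet(client, 40002, server, 23, syn=True),                            # telnet not in policy
    ]
    return [fw.decide(p) for p in steps]


if __name__ == "__main__":
    for i, verdict in enumerate(demo(), 1):
        print(f"step {i}: {verdict}")
```

The point the article makes follows directly from this model: every extra protocol the filter "understands" is another parser and another source of dynamically opened holes, so a product that lets an administrator click on a hundred such services is exposing far more logic to the outside than one that admits a handful of carefully reviewed rules.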
But it was the GUI that had the editor excited, and it was the GUI that was the problem. By pointing and clicking, a firewall manager could permit over a hundred different Internet services, most of which were terribly insecure and should never...