NETWORKING

  • 06/17/2010
    10:30 AM
  • Rating: 
    0 votes
    +
    Vote up!
    -
    Vote down!

Stupid Firewall Tricks

Firewalls have a bad reputation in many organizations, but it's not always the firewall's fault. Often, organizations use firewalls in places where they aren't really needed. For example, common practice dictates that we should place firewalls with stateful packet inspection enabled in front of Web servers. But does this really make any sense? Why perform stateful packet inspection on a stateless protocol? Why use a firewall in front of Web property when 99 percent of the requests are allowed?

Firewalls have a bad reputation in many organizations, but it's not always the firewall's fault. Often, organizations use firewalls in places where they aren't really needed. For example, common practice dictates that we should place firewalls with stateful packet inspection enabled in front of Web servers. But does this really make any sense? Why perform stateful packet inspection on a stateless protocol?  Why use a firewall in front of Web property when 99 percent of the requests are allowed? This only piles on another device that could fail, another device to add latency, and another device to architect around.

Most companies with a sizable Web presence use edge routers, firewalls and load balancers. I advocate removing the firewall in this configuration. Instead, apply an access control list to the edge router, configure the load balancer to reject direct traffic and ensure the management interface is only accessible from the internal side. Then let the traffic flow faster.

Ask any network admin at any large Web property and they will tell you this is how they have set up their network. So why haven't the rest of us? Why are we dealing with firewall performance issues and configuration nightmares where we don't need to? If you're worried about DDoS attacks, mitigate at the edge or upstream at the ISP. If you're worried about Web application vulnerabilities, use a purpose-built product

I don't advocate the removal of firewalls everywhere. They are still vital and can perform critical functions, such as VPN termination and application-level security or packet inspection, though we could and should question if the firewall is the best place to do either of these tasks. Firewalls should be placed between the external and internal and between the internal and the highly valuable. Use them where the majority of traffic should be blocked, not the other way around.

Placing a firewall where it isn't needed can give organizations a false sense of security, which can be just as bad as having no security at all. Unnecessary firewall deployments also create needless operational burdens and add to network complexity. IT and security teams can make their lives easier if they stop trying to make firewalls do stupid tricks.


Log in or Register to post comments