1. Add other services because users say they "need" them.
There should always be a clear business requirement for any new Internet service. Learn to separate "needs" from "wants." Even a seemingly benign service increases the administration load of a firewall while potentially adding another avenue of attack.
2. Concentrate on the firewall while ignoring other security measures.
Firewalls are not enough. Some organizations still have a security checklist that has the word "firewall" next to the word "security"—with a large checkmark next to it. Firewalls are part of the arsenal, not all of it.
3. Ignore the log files.
When the firewall was purchased, "good audit trails" was listed as a requirement. But if those logs are never read, they’re practically useless.
4. Turn off the warnings.
Alarms and warnings are there for a reason. By disabling them, you’re damaging the security perimeter of your network.
5. Allow users on the firewall system.
Firewalls should be as simple as possible. Users add complexity. Every user account is a potential avenue of attack. Every user is a potential attacker. Every keystroke of every user has the potential for opening a breach in the firewall through user error.
6. Allow a lot of people to administer the firewall.
Too many cooks can spoil the broth. The same goes for firewalls. Every sysadmin is a potential attacker—and an admin usually can do more damage than a user.
7. Two words: dial-in modems.
Every dial-in modem behind the firewall potentially circumvents the security perimeter. Every dial-in modem inside the firewall perimeter is a potentially unguarded entrance to the organization’s network.
8. Circumvent the firewall security and proper-use policy (i.e., prop the back door open).
The firewall must match the security policy. It must help implement the security policy. Making modifications to the firewall that don’t match the security policy could be disastrous.
9. Ignore the existing computer and network security policy.
If you have one, use it. If the firewall doesn’t seem to fit in it, then modify the policy. Then, support the revised policy with the firewall.
10. Don’t have a computer and network security policy.
Okay, so you don’t have one and you need a firewall anyway. Come up with a basic policy, implement it in the firewall, and then review, modify and expand it as time goes by. But without a set of rules, how will you ever make security decisions? Yes, by the seat of your pants, and under the pressure of users or an attack in progress. Better to do it now and have it before you need it.
© 1999 Information Security Magazine. Used with permission.
Information Security, the official publication of the ICSA, is dedicated to the needs of all security-conscious IT professionals. Free to qualified readers, Information Security features in-depth articles, product announcements and more analysis of information security issues than any other trade magazine. Subscribe today!