What a Firewall Cannot Do
It is important to realize that a firewall is a tool for enforcing a security policy. If all access between trusted and untrusted networks is not mediated by the firewall, or the firewall is enforcing an ineffective policy, the firewall is not going to provide any protection for your network. However, even a properly designed network with a properly configured firewall cannot protect you from the following dangers.
-
Malicious use of authorized services: A firewall cannot, for instance, prevent someone from using an authenticated Telnet session to compromise your internal machines or from tunneling an unauthorized protocol through another, authorized protocol.
-
Users not going through the firewall: A firewall can only restrict connections that go through it. It cannot protect you from people who can go around the firewall, for example, through a dial-up server behind the firewall. It also cannot prevent an internal intruder from hacking an internal system. To detect and thwart these kinds of threats, you may need a properly configured intrusion detection/prevention system.
-
Social engineering: If intruders can somehow obtain passwords they are not authorized to have or otherwise compromise authentication mechanisms through social engineering mechanisms, the firewall won't stop them. For example, a hacker could call your users pretending to be a system administrator and ask them for their passwords to "fix some problem."
-
Flaws in the host operating system: A firewall is only as secure as the operating system on which it is installed. There are many flaws present in operating systems that a firewall cannot protect against. This is why it is important to properly secure the operating system and apply the necessary security patches before you install the firewall and on a periodic basis thereafter. It also explains why "appliance" firewalls such as those provided by Nokia and NetScreen, which contain a purpose-built, hardened operating system, are becoming more popular.
-
All threats that may occur: Firewall designers often react to problems discovered by hackers, who are usually at least one step ahead of the firewall manufacturers.