- The Methodical Approach and the Need for a Methodology
- Firewalls, Security, and Risk Management
- How to Think About Risk Management
- Computer Security Principles
- Firewall Recommendations and Definitions
- Why Do I Need a Firewall?
- Do I Need More Than a Firewall?
- What Kinds of Firewalls Are There?
- The Myth of "Trustworthy" or "Secure" Software
- Know Your Vulnerabilities
- Creating Security Policies
- Training
- Defense in Depth
- Summary
Firewalls, Security, and Risk Management
We believe it's important to discuss the topics of security and risk management, as they relate to firewalls, before we can jump into the process of troubleshooting. After all, your firewall problem might be something fundamental, as opposed to just a misconfiguration that's affecting your security in a very negative way. We strongly believe that you cannot manage a firewall without first thoroughly understanding risk management and computer security.
To begin, it's important to define what security is. Security is defined in some places as "freedom from risk." Some people would perceive this to mean "absence of risk," but we prefer to see it as freedom from its negative effects. The risk might still exist, but you are free to act (or not act) in spite of that risk. In some cases, you can even eliminate specific risks; in others you cannot but must still act with that risk looming, if you will, over your head. The bottom line is that you properly manage the risks around you so that you can reach a state of being "secure enough." That's what security really is. You can't make all the risks go awaythat's impossiblebut it doesn't stop people from trying to do it or simply telling themselves those risks don't exist. This is where the problem begins for too many organizations, but given that you are reading this book, you're already on your way to doing better. Learning to accept that risk is a part of life. You have to learn to manage the risks in your life to be "secure enough."
With that said, we are principally concerned with what is referred to as effective securitythat is, the effort undertaken to manage risk in a calculated, economically feasible and tolerable manner to achieve some goal or set of goals. In a more practical sense, it's useful to think of security as those actions you take to protect yourself from risks that are preventing you from taking certain other actions. To be more succinct, security is everything you do to make it possible to do the things you do.
For example, if you wanted to go for a ride in a car but were concerned with safety, you might wear your seatbelt. You might also want to know how to drive that car and that the weather conditions outside were good enough to make your trip as safe as you wanted it to be. Or you might be a risk taker and be perfectly happy jumping out of an airplane with nothing but altitude and a parachute between you and certain death. In both cases, you might feel totally "secure." For each person, the decisions you arrive at that tell you have achieved that state of "security" are different. They are each dependent on how much risk you are willing to accept and how much you can afford at that particular moment given the information at your disposal.
The bottom line with security is this: Security is not a set of products, technologies, patches, or anything else technical, written, or dictated. It's a process. Security doesn't exist in natureonly the process of becoming "secure enough." Security is about managing your risks and taking actions that allow you to move ahead without getting eaten. When designing your firewall, keep this in mind. You can't stop everything, but you can keep the risks within your range of acceptance.