April 27, 2011

It's Behind a Firewall

Between my neighbor's house and mine is a firewall - an actual firewall, not a computer thing, but a wall that is designed to prevent fire from spreading from his house to mine. The wall is there to protect both of us from the cross-risk of someone's house catching fire. The name 'firewall' makes this obvious. The computer domain has borrowed the name of this engineering construct and uses it to describe a virtual wall that protects one network from another. Unfortunately, to the uninitiated, it has become a term that describes some kind of absolute security.

Just because there is a firewall between my neighbor's house and mine, I am still not free to set my house afire. I would still be liable for any damages this might cause my neighbor. Similarly, I would be remiss to install substandard electrical wiring, or (according to my HOA) to have a barbecue grill that uses charcoal rather than gas. Yet, in the parlance of computer networking, it has become fashionable for some parties to answer security concerns about cross-domain risk with 'It's behind a firewall, so there's no risk'. Even when the sentence is uttered without those last four words, they're usually contextually assumed.

This is just wrong. Just because you have a firewall does not mean that the system you're installing behind it presents no potential risk to the Enterprise. Each and every system comes with built-in risks, and not only are firewalls INTENTIONALLY porous, but they're only good at blocking very wide-ranging risk. They're of virtually no use when attacks come in through the holes you've deliberately punched in them, or when you bring the risks in with you around the side (through the back-end or via sneakernet).

One of these days, someone is going to say 'No worries, it's behind a firewall' and I am going to physically pull out a lighter and set them on fire (ok, not really, but I'll think about it).
