We noticed you're browsing in private or incognito mode.

To continue reading this article, please exit incognito mode or log in.

Not a subscriber? Subscribe now for unlimited access to online articles.

Intelligent Machines

Firewall Follies

The complacency firewalls breed is ultimately more damaging than the computer pirates they keep out.

Do you use the Internet at work? I see lots of hands. You may not realize it, but your access to the Net is most likely mediated by some kind of firewall. Companies are spending thousands, even hundreds of thousands, of dollars on these systems-and trust them to protect their networks from snoopers and intruders.

That’s a problem, because firewalls often provide a mere illusion of protection. They don’t make business systems significantly more secure. And by focusing attention on defending the perimeter, rather than on defending information assets within an organization, firewalls foster lax internal security practices that magnify the damage that insiders can inflict.

What firewalls do accomplish, however, is this: they make the Internet more cumbersome to use. I recently visited a friend’s firm in New York and wanted to check my e-mail, so I plugged my laptop into a network jack in an unused office. Access denied: my PC wasn’t set up to work with the company’s firewall. So instead of reading my e-mail, I occupied myself by sniffing the traffic on the office network and probing for a way out. (Had I been inclined, I could have read everybody else’s e-mail-or done real damage.)

This story is part of our September 2002 Issue
See the rest of the issue

Firewalls are simple in concept. A typical firewall consists of a special-purpose computer that has two network plugs. One plug goes to the Internet; the other connects to a company’s office network. The firewall is programmed with rules that determine what traffic is allowed to pass and what is to be blocked. For example, a firewall might be set up to allow managers in human resources to browse the Internet, or to access their desktop PCs from home, while permitting people in the corporate call center only to access their e-mail. The better firewalls log everything that moves across the boundary, giving companies a powerful tool for auditing online activity.

The great appeal of firewalls is that they are supposed to ease the job of corporate security. Instead of feverishly downloading and installing security patches to protect thousands of desktop computers and servers running a menagerie of operating systems, many organizations find it easier to simply trust the firewall to keep the bad guys out. The problem with this approach: bad guys are everywhere. Sure, some are on the outside of the company’s network. But there are corrupt employees on the inside, too. And even well-meaning workers can have laptops that contract viruses during business trips-viruses that then infect the office network. This is why so many companies supposedly fortified with firewalls succumbed to attacks from computer viruses and worms like Nimda and Code Red.

The existence of firewalls has also allowed companies to neglect their internal security measures and to accept lower-quality software from their vendors. Instead of hardening their systems, many vendors now advise their customers to install their equipment “behind the firewall.” This has long been standard practice for software suppliers delivering systems based on Microsoft Windows. Now it is becoming common for network-based management systems that are showing up in things like photocopiers, HVAC equipment and even elevators.

Organizations that rely on their firewalls build networks with hard, crunchy outsides but soft, creamy insides. Even worse, an elaborate, expensive firewall diverts dollars and attention from other measures that truly can improve security: good backups, pervasive encryption and employee background checks, for example. My friend’s company should have turned off the Ethernet jack in that unused office-or I should have triggered an alarm when I tried to use it.

Firewalls also become less secure over time, a phenomenon observed by computer consultant Dan Farmer. Here’s what typically happens: Somebody inside an organization needs to send some sort of information through the firewall-perhaps because the company is involved in a joint project with another firm. To allow this transfer, a supposedly temporary hole is opened in the firewall. But that hole invariably remains in place long after it is no longer needed. After a few years, the typical firewall comes to resemble Swiss cheese.

Confusingly, there is one kind of firewall that actually can dramatically improve security. These so-called host-based firewalls are a second layer of security that mediates all communications between your desktop computer and the rest of the network. A good host-based firewall will warn you, for example, that the program you just downloaded is trying to open a connection to a pirate Web server in Russia; you can then choose to either allow the connection to go through or terminate it. Both Microsoft and Apple have primitive host-based firewalls built into the current generations of their consumer operating systems.

I’m certainly not advocating that businesses do away with their firewalls; many Microsoft operating systems are so vulnerable that there is no other practical way to protect them. But we need to build a new security paradigm. The core principle should be an assumption that every network is already compromised; systems should be designed accordingly. In practical terms, this means encrypting all information that passes over the network and equipping every computer with its own host-based firewall. This kind of belts-and-suspenders redundancy is not particularly elegant, but then again, neither is an armored car.

Learn from the humans leading the way in intelligent machines at EmTech Next. Register Today!
June 11-12, 2019
Cambridge, MA

Register now
More from Intelligent Machines

Artificial intelligence and robots are transforming how we work and live.

Want more award-winning journalism? Subscribe to Print + All Access Digital.
  • Print + All Access Digital {! insider.prices.print_digital !}*

    {! insider.display.menuOptionsLabel !}

    The best of MIT Technology Review in print and online, plus unlimited access to our online archive, an ad-free web experience, discounts to MIT Technology Review events, and The Download delivered to your email in-box each weekday.

    See details+

    12-month subscription

    Unlimited access to all our daily online news and feature stories

    6 bi-monthly issues of print + digital magazine

    10% discount to MIT Technology Review events

    Access to entire PDF magazine archive dating back to 1899

    Ad-free website experience

    The Download: newsletter delivery each weekday to your inbox

    The MIT Technology Review App

You've read of three free articles this month. for unlimited online access. You've read of three free articles this month. for unlimited online access. This is your last free article this month. for unlimited online access. You've read all your free articles this month. for unlimited online access. You've read of three free articles this month. for more, or for unlimited online access. for two more free articles, or for unlimited online access.