Firewalls make the assumption that the only way in or out of a corporate network is through the firewalls; that there are no "backdoors" to your network. In practice, this is rarely the case, especially for a network which spans a large enterprise. Users may set up their own backdoors using modems, terminal servers, or programs such as "PC Anywhere" so that they can work from home. The more inconvenient a firewall is to your user community, the more likely someone will set up their own "back door" channel to their machine, thus bypassing your firewall.
Related to this problem is the observation that in research or academic communities (and sometimes in corporate environments as well!), researchers, professors, or engineers may demand so many exceptions to the firewall policy, in order to communicate with their collaborators at other research sites or universities, that you might as well not have the firewall.
Firewalls make the assumption that all of the bad guys are on the outside of the firewall, and that everyone on the inside of the firewall can be considered trustworthy. This neglects the large number of corporate computer crimes which are committed by insiders.
Of course, in academic institutions, the assumption that the "bad guys" are always on the outside is often laughable. We have often observed that there's nothing quite so dangerous as a bored MIT student.
This myth may also be restated as "Sticks and Stones may break my bones, but Word (tm) will never hurt me." Newly evolving systems are blurring the lines between data and executables more and more. With the advent of Word macros, Javascript, Java, and other forms of executable fragments which can be embedded inside data, a security model which neglects this will leave you wide open to a wide range of attacks.
$Id: firewalls.html,v 1.8 2018/08/12 05:15:31 ghudson Exp $