Off-the-Shelf Security Solutions for Distributed Computing

by John Viega, Pravir Chandra, and J.T. Bloch

Although most organizations today have some sort of firewall protecting their resources, many companies treat the firewall as a "checkbox" -- they think just having one is good enough to keep intruders out. Unfortunately, such an approach is a gross oversimplification of a complex topic. For example, we know of many companies that take an off-the-shelf hardware firewall and plug it into a network without really understanding the technology. In one case, we came into a company two years after its firewall installation (performed by the company's system administration staff) to find that the firewall wasn't actually blocking traffic on the network. The administrators had plugged it into the network as though it were any other computer, so it did not stop traffic going to other computers in the office. This configuration meant the company had no firewall whatsoever for two years, despite an expenditure of nearly US $20,000. This is an extreme example of a firewall providing a false sense of security. However, firewalls often do provide a false sense of security because companies simply don't learn enough about the technology to understand the security issues.