I'm not a fan of firewalls. In fact, I've run most of my systems without one for over a decade. Eventually, I did start to wonder if running a firewall might be worth the hassle of its upkeep; after all, many networks run them by default, and your friends and family probably have a firewall running without even knowing it. In trying to decide whether I should run a firewall myself, I got a pros and cons list going, and I thought I'd share it here. So here we go.
a. Filtering outbound traffic. As we discussed in the fighting spam article, filtering outbound traffic is a great way to reduce server strain and vulnerabilities by preventing spamware from sending spam from your servers.
b. Application level firewalls, usually run on individual PCs, can protect against vulnerabilities found in applications.
c. You can use a firewall to wholesale block specific IP addresses or address ranges as well as ports, instead of having to check every application and PC to make sure they're not listening on those ports or addresses.
d. If your users are not security-minded (shame them), a firewall can provide a bit of insurance for your network by offering another line of defense.
e. Firewalls keep logs which can reveal insecurities in the network. You can check to see if users or clients are repeatedly trying to connect to the same port. Without a firewall, you'd have to go through each system log individually and cross-reference them to see something like a vertical scan happening.
f. Some are bundled in anti-virus and anti-spam packages, which provide a pretty comprehensive defensive line.
g. A firewall can protect computers independent of local OS, software and configurations.
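To make items a and c concrete, here is a small first-match packet filter written as an added example (it is not code from this post or from any firewall product). It models a default-deny ruleset that blocks a whole address range and a port at one choke point, and that restricts outbound SMTP to a single designated mail relay so a compromised desktop cannot send spam directly. All addresses and rules are constructed for the example (documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24).

```python
"""Toy first-match, default-deny packet filter (added example, not from the post).

The ruleset below is constructed for illustration: 192.0.2.0/24 plays the
role of the local network, 192.0.2.10 is the mail relay / web server, and
203.0.113.0/24 is an address range we want blocked wholesale.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" (from the Internet) or "out" (to the Internet)
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str                       # "accept" or "drop"
    direction: Optional[str] = None   # None matches either direction
    src: Optional[str] = None         # CIDR or single address
    dst: Optional[str] = None
    dport: Optional[int] = None
    proto: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        """Every field that is set must match; unset fields are wildcards."""
        if self.direction and self.direction != pkt.direction:
            return False
        if self.proto and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.src and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dst and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        return True


# Order matters: the first matching rule decides, and anything unmatched is dropped.
RULES: List[Rule] = [
    Rule("drop", src="203.0.113.0/24"),                                        # 0: block a whole range, both directions
    Rule("drop", direction="in", dport=23),                                    # 1: no inbound telnet to any host
    Rule("accept", direction="out", src="192.0.2.10", dport=25, proto="tcp"),  # 2: only the relay may speak SMTP out
    Rule("drop", direction="out", dport=25),                                   # 3: every other host is refused (anti-spam egress)
    Rule("accept", direction="out", src="192.0.2.0/24"),                       # 4: remaining egress from the LAN is fine
    Rule("accept", direction="in", dst="192.0.2.10", dport=443, proto="tcp"),  # 5: the public HTTPS service
]


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, int]:
    """Return (action, index of the deciding rule); -1 means the default policy."""
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, i
    return "drop", -1


if __name__ == "__main__":
    samples = [
        Packet("out", "192.0.2.10", "198.51.100.5", 25),   # relay sending mail: accept
        Packet("out", "192.0.2.77", "198.51.100.5", 25),   # desktop sending mail: drop (rule 3)
        Packet("in", "203.0.113.9", "192.0.2.10", 443),    # blocked range beats the HTTPS accept
        Packet("in", "198.51.100.5", "192.0.2.10", 443),   # ordinary web visitor: accept
        Packet("in", "198.51.100.5", "192.0.2.10", 22),    # nothing allows inbound SSH: default drop
    ]
    for p in samples:
        action, idx = evaluate(RULES, p)
        print(f"{p.direction:3} {p.src:>14} -> {p.dst}:{p.dport:<5} {action} (rule {idx})")
```

The point to notice is rule ordering: the range block at index 0 wins over the later HTTPS accept, and the egress SMTP pair (2 then 3) is what turns "prevent spamware from sending spam" into an enforceable policy rather than a hope that every host is clean.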
Well, so far so good. In summary, a firewall can be combined with other security measures to monitor and protect a network, while mitigating some issues like having inattentive users and differing system configurations.
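Item e above, the monitoring benefit of a central firewall log, is easiest to see with the detection actually written out. The following is an added example, not code from this post: it parses a handful of constructed netfilter-style syslog drop lines (the "[FW-DROP]" prefix, field names, hostnames and addresses are all assumptions for the example) and flags a vertical scan, meaning one source probing many ports on one host inside a short time window. It goes one step beyond the text by also flagging the horizontal case (one port across many hosts), since the same grouping logic covers both.

```python
"""Vertical and horizontal scan detection over firewall drop logs.

Added example, not from the original post. SAMPLE_LOG is constructed in a
netfilter-style syslog format; the tag "[FW-DROP]", the host "gw" and every
address are assumptions made for the example.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: \[FW-DROP\] "
    r".*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dport>\d+)"
)

SAMPLE_LOG = """\
Mar 13 10:00:01 gw kernel: [FW-DROP] IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=21
Mar 13 10:00:02 gw kernel: [FW-DROP] IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=22
Mar 13 10:00:03 gw kernel: [FW-DROP] IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=51002 DPT=23
Mar 13 10:00:04 gw kernel: [FW-DROP] IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=51003 DPT=25
Mar 13 10:00:05 gw kernel: [FW-DROP] IN=eth0 OUT= SRC=198.51.100.5 DST=192.0.2.10 PROTO=TCP SPT=40212 DPT=443
Mar 13 10:00:05 gw kernel: [FW-DROP] IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=51004 DPT=80
Mar 13 10:00:06 gw kernel: [FW-DROP] IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=51005 DPT=443
Mar 13 10:00:06 gw kernel: [FW-DROP] IN=eth0 OUT= SRC=198.51.100.77 DST=192.0.2.10 PROTO=TCP SPT=39001 DPT=22
Mar 13 10:00:07 gw sshd[1200]: Accepted publickey for admin from 192.0.2.50 port 50120 ssh2
Mar 13 10:00:07 gw kernel: [FW-DROP] IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=51006 DPT=3389
Mar 13 10:00:08 gw kernel: [FW-DROP] IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=51007 DPT=8080
Mar 13 10:00:09 gw kernel: [FW-DROP] IN=eth0 OUT= SRC=198.51.100.5 DST=192.0.2.10 PROTO=TCP SPT=40213 DPT=443
Mar 13 10:01:00 gw kernel: [FW-DROP] IN=eth0 OUT= SRC=203.0.113.44 DST=192.0.2.10 PROTO=TCP SPT=60000 DPT=445
Mar 13 10:01:01 gw kernel: [FW-DROP] IN=eth0 OUT= SRC=203.0.113.44 DST=192.0.2.11 PROTO=TCP SPT=60001 DPT=445
Mar 13 10:01:02 gw kernel: [FW-DROP] IN=eth0 OUT= SRC=203.0.113.44 DST=192.0.2.12 PROTO=TCP SPT=60002 DPT=445
Mar 13 10:01:03 gw kernel: [FW-DROP] IN=eth0 OUT= SRC=203.0.113.44 DST=192.0.2.13 PROTO=TCP SPT=60003 DPT=445
Mar 13 10:01:04 gw kernel: [FW-DROP] IN=eth0 OUT= SRC=203.0.113.44 DST=192.0.2.14 PROTO=TCP SPT=60004 DPT=445
Mar 13 10:01:05 gw kernel: [FW-DROP] IN=eth0 OUT= SRC=203.0.113.44 DST=192.0.2.15 PROTO=TCP SPT=60005 DPT=445
"""


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one drop line, or None for lines that are not firewall drops."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),   # syslog has no year; ordering is all we need
        "src": m["src"], "dst": m["dst"], "proto": m["proto"], "dport": int(m["dport"]),
    }


def parse_log(text: str) -> List[dict]:
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def _distinct_in_window(events: List[dict], key: str, window: int) -> Set:
    """Largest set of distinct `key` values seen inside any span of `window` seconds."""
    events = sorted(events, key=lambda e: e["ts"])
    best: Set = set()
    for i, first in enumerate(events):
        seen = set()
        for e in events[i:]:
            if (e["ts"] - first["ts"]).total_seconds() > window:
                break
            seen.add(e[key])
        if len(seen) > len(best):
            best = seen
    return best


def find_vertical_scans(events: List[dict], min_ports: int = 5, window: int = 60) -> Dict[Tuple[str, str], List[int]]:
    """Vertical scan: one source hitting many distinct ports on one destination."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["src"], e["dst"])].append(e)
    hits = {}
    for key, evs in groups.items():
        ports = _distinct_in_window(evs, "dport", window)
        if len(ports) >= min_ports:
            hits[key] = sorted(ports)
    return hits


def find_horizontal_scans(events: List[dict], min_hosts: int = 5, window: int = 60) -> Dict[Tuple[str, int], List[str]]:
    """Horizontal scan: one source hitting the same port on many destinations."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["src"], e["dport"])].append(e)
    hits = {}
    for key, evs in groups.items():
        hosts = _distinct_in_window(evs, "dst", window)
        if len(hosts) >= min_hosts:
            hits[key] = sorted(hosts)
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for (src, dst), ports in find_vertical_scans(evs).items():
        print(f"vertical scan: {src} -> {dst} ports {ports}")
    for (src, port), hosts in find_horizontal_scans(evs).items():
        print(f"horizontal scan: {src} -> port {port} on {hosts}")
```

Note what the thresholds do: the two dropped retries from 198.51.100.5 to port 443 and the single SSH attempt from 198.51.100.77 never reach five distinct ports or hosts, so ordinary noise is not reported, while the same grouping keyed on (source, destination) versus (source, port) separates the two scan shapes. Tune `min_ports`, `min_hosts` and `window` to your own traffic before alerting on them.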
The big hurdle here is the fact that firewalls aren't free. So let's look at what we'll have to put up with.
a. Price. Firewalls generally cost a subscription or a yearly fee. Better firewalls that can cover an entire network, and especially ones tied together with anti-virus software, will drive that price up.
b. Users tend to take firewalls for granted, and when running one will often forget to maintain secure behavior, as well as forgetting to update it regularly and monitor for unwanted processes. This can lead to a bloated firewall process that ends up not doing the job you put it there to do.
c. Another failure point. If the firewall fails, that's another program to have to reconfigure and deal with.
d. If you have a public facing system (like an online store or service), firewalls don't add anything since you'll be accepting all connection attempts.
e. Since firewalls can't see through encrypted packets, they won't have a function in a public system.
f. Firewalls are generally updated at slower intervals compared to OSes and other applications. Firewall devs will often just leave a product unpatched for a year or longer at a time. That's on top of the fact that updating firewalls often leads to network downtime, depending on the size of the network.
g. Finally, many firewalls are buggy, unintuitive and sap system resources. Picking a reliable one is hard, and even the best options tend to be problematic.
Having this list, it's still pretty tough to make a decision. The costs and hassle of a firewall are pretty high, so if you're going to run one on your network you'd have to make sure it's worth it. So when is it worth it? The larger your network, the more users connecting to it internally, and the fewer of them you know personally, the more likely it is that you should run a firewall. It just helps with scalability: configuring or troubleshooting individual connections is time-consuming and difficult. So it feels like a "damned if you do, damned if you don't" kind of situation. Your mileage will definitely vary.
Hopefully this has been helpful for you! If you have any comments, feel free to post them below or find us on Twitter and Facebook!
-Until next time!