Some Times a Firewall is Useful

1. To reduce exposure of vulnerable services on a host you can't patch because it is:
   • Certified by the FDA for only one particular revision of software;
   • Old and no longer supported by the vendor;
   • A device with code in ROM like a printer or terminal server;
   • Embedded in a device with a service contract where the service technician routinely wipes out any custom configuration.

2. While bringing up a new computer or a new service (even if you don't intend it to be firewalled in production).

   These days some vulnerabilities are so aggressively exploited that one can expect a vulnerable system to survive uncompromised for only a few minutes. The logical firewall can protect against being compromised before you get all the patches downloaded and applied.

3. To prevent the spread of worms and exploitation of back-doors.

   A firewall probably can't protect a webserver with unrestricted access from being compromised via a bug in its web-serving code (such as the infamous code-red worm exploits). But with good/tight firewall rules (no outbound web connections from your webserver), the firewall should prevent the subsequent spread of the worm and also block access to any back-doors the worm installs--preventing further damage and making cleanup a much simpler task.

4. As insurance against misconfigured hosts (defense in depth).

5. To explicitly block specific troublesome traffic.

6. To meet due-diligence security requirements.

7. To limit access to network-attached printers and devices.

See also Firewall Limitations and Initial Logical Firewall Experiences (at the bottom of the main page).

Corey Satten
Email -- corey @ u.washington.edu
Web -- http://staff.washington.edu/corey/
Date -- Mon Jan 28 12:27:00 PST 2008