Snow White And Seven Firewalls

Submitted by alla on Sat, 12/12/2009 - 14:01

A soon to be former colleague of mine, Axel, once mentioned a conversation he had with a security officer at a customer site. Axel was describing an attack against their web application from the Internet. The guy said:

"No, it is not possible. There are seven firewalls between the Internet and the application. You can't get an exploit through that."

A lot of people seem to work under impression that firewalls are like magic charms. They make you safer just because you have them, and the more you've got, the better.

Very little additional security is actually obtained by chaining firewalls. There is a common superstition that you should have at least two firewalls by different vendors, one after another. The reasoning behind it is that if there is a bug in one of the firewalls, the other would not have it, so at least one of them will be still doing its job. Superficially, it makes some sense. But, if you think about it, there were extremely few vulnerabilities that allowed compromising a firewall. On the other hand, having to keep two rulesets in sync adds considerable additional burden to firewall management, an effort perhaps better spent elsewhere.

Why is this post called Snow White And Seven Firewalls and not Axel And Seven Firewalls? I just thought it sounds better this way. I am not implying that Axel is in any way like Snow White (unless, of course, he'd like to be, in which case, he is very much like Snow White)


+32 (0) 2 215 53 58

Gremwell BVBA
Sint-Katherinastraat 24
1742 Ternat
VAT: BE 0821.897.133.