
Limitations of Firewalls - An Overview

You should not install a firewall and rest assured that your data is safe. There are several limitations of
firewalls. In the fourth article in the series, we discussed types of firewalls, stating that firewalls work
at different layers of the TCP/IP model of the Internet and the OSI model of corporate networks to secure
your computer and/or network. For even more protection, the article on types of firewalls said that there
should be a set of rules that helps offer further protection to your networks and computers.
However, creating a set of rules is difficult unless you have knowledge of ports. Some firewalls, such
as the Comodo Internet Firewall (a software firewall), make it easier to create custom rules.
For networks, it is important that all the computers are exposed to the outside world - other networks
or the Internet - ONLY through a single, strong firewall.
This means that you should designate one computer as main and use strong protection on it. You should
not let any computer within the network connect to the outer world on its own, without connecting to
the main computer first. In a client-server model, the main computer is the server. For smaller
networks, use an operating system that allows you to prevent users of other computers from creating
parallel connections to the Internet (e.g. dial-up connections).
After all of the above practices, are you completely secure? The answer is a big NO. No matter how
much you try, there are some limitations of firewalls and people do try to make good use of them.
Still, you can configure your firewall(s) to reduce risk by "limiting" the "limitations of Firewalls."

Most Common Limitations of Firewalls


First and foremost among the limitations of firewalls is their architecture. You know that different types
of firewalls work at different levels of the TCP/IP protocol or sometimes the OSI model of networks. Most
firewalls work only at the topmost layers of these Internet or network models, thus offering lower security
levels.
For example, a firewall operating at the Application Level of the TCP/IP protocol will check the data pattern
and application signature to determine if the packet is safe. If it finds that the application is present
among reputed programs (trusted programs list of your operating system, firewall, or previously allowed
application list), the firewall lets the data packet into the computer or network.
This is easy to exploit if any bot or hacker is observing the data packet patterns. It becomes easy for the
hacker to create fake packets containing a "trusted source IP" to hack your computer/network.
You can overcome such limitations of firewalls by creating an additional set of rules that compels the
firewall to scan the data packets in even more depth, maybe at a different network layer. However, you
need some expertise about the network models to create such rules.
The second major limitation of firewalls is the configuration of the network. If the network is not
configured properly, the firewall can do nothing. If there is a lapse in network design, any firewall will
fail - no matter how much you spend on network safety. This can be controlled by involving
experienced network designers and preventing other computers from installing a parallel
Internet connection such as a dial-up connection. If anything needs to be installed, install it through the
main computer to overcome this limitation of firewalls.
Finally, firewalls do NOT substitute for your antivirus or antimalware. You need to install a good Internet
Security suite. If you cannot afford an Internet Security suite, you can get one of the best antivirus
programs and make sure it is present on each of your computers - whether or not they are on a network.
The traditional wide-area network (WAN) firewall makes two flawed assumptions. One assumption is
that the information contained in the first packet in a connection is sufficient to identify the
application. The second assumption is that the transmission control protocol (TCP) and user datagram
protocol (UDP) well-known port numbers are always used as intended. These are just two of the issues
that suggest that the traditional WAN firewall cannot effectively support the current environment. In
this session, the panelists will describe the limitations of the traditional WAN firewall, and identify
what functionality firewalls need to implement to overcome these limitations.
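
The two assumptions above can be checked against traffic. The following is an added example, not part of the original article: it compares the service implied by the destination port with what the client payloads actually carry. The port map, payload signatures, flow names and sample flows are constructed for illustration.

```python
import re

# Service a port-based rule assumes for each well-known destination port.
PORT_MAP = {22: "ssh", 80: "http", 443: "tls"}
HTTP_RE = re.compile(rb"(GET|POST|PUT|HEAD|DELETE|OPTIONS|CONNECT) \S+ HTTP/1\.[01]\r\n")

def by_payload(data):
    """Identify the protocol from one client payload; '' if unrecognised."""
    if data.startswith(b"SSH-"):
        return "ssh"
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls"  # TLS handshake record header
    if HTTP_RE.match(data):
        return "http"
    return ""

def audit_flow(dst_port, payloads):
    """Compare the port-based guess with what the payloads actually carry."""
    expected = PORT_MAP.get(dst_port, "unknown")
    seen = []
    for data in payloads:
        proto = by_payload(data)
        if proto and proto not in seen:
            seen.append(proto)
    if not seen:
        verdict = "unidentified"       # nothing beyond the port to go on
    elif seen == [expected]:
        verdict = "consistent"
    elif seen[0] == expected:
        verdict = "protocol-changed"   # first payload matched, later ones did not
    else:
        verdict = "port-mismatch"      # port number not used as intended
    return expected, seen, verdict

# Constructed client-to-server payloads; the first packet (SYN) carries no data.
FLOWS = {
    "web": (80, [b"", b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"]),
    "ssh-on-443": (443, [b"", b"SSH-2.0-OpenSSH_9.6\r\n"]),
    "http-then-ssh": (80, [b"", b"CONNECT host.example.test:22 HTTP/1.1\r\n\r\n",
                           b"SSH-2.0-OpenSSH_9.6\r\n"]),
}

if __name__ == "__main__":
    for name, (port, payloads) in FLOWS.items():
        print(name, audit_flow(port, payloads))
```

A flow inspected only at its first packet returns "unidentified", which is why a port-based firewall falls back on the port number alone.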

Tip: With routers and broadband modems offering firmware firewalls, you can use them as the primary
firewall and then install ONLY one software firewall on each computer to overcome limitations of firewalls.

Top 10 Firewall Limitations

Firewalls help protect your internal network from hackers. However, firewalls do have limitations. The
top 10 firewall limitations include:

1. Monitoring - firewalls restrict traffic but can’t notify you if someone has hacked into your network.
Many organizations need additional security monitoring tools.

2. Architecture - firewalls reflect the overall level of security in the network. An architecture that
depends upon one method of security or one security mechanism has a single point of failure and may
open the organization to intruders.

3. Viruses - there are many ways to encode files and transfer them over the Internet. Not all firewalls
offer protection against computer viruses.

4. Attacks - firewalls can’t protect against attacks that don’t go through the firewall. Your firewall may
restrict access from the Internet, but may not protect your network from wireless and other access to
your systems.

5. Encryption - firewalls and Virtual Private Networks (VPNs) don't provide formalized solutions to
encrypt confidential documents and e-mail messages sent within your organization or to outside
business contacts.

6. Traffic - many firewalls are configured to restrict inbound traffic. Firewalls should also be
configured to restrict outbound traffic.

7. Masquerades - firewalls can't stop a hacker from masquerading as an employee. Hackers have a
number of ways to acquire user ids and passwords.

8. Policies - firewalls are not a replacement for strong security policies and procedures. An
organization's security is only as strong as its weakest link.

9. Employees - like a deadbolt lock on a front door, a firewall can’t tell you if there are other
vulnerabilities that allow your internal network to be compromised by a malicious employee.

10. Configuration - a firewall can't tell you if it has been incorrectly configured. Security audits
provide an independent verification that a firewall has been correctly configured and is properly
protecting you from Internet related threats. Your firewall restricts access to your internal network.
Unfortunately, it is an easy and attractive target for an attack.
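
Items 6 and 10 can be turned into an automated check. The following is an added example, not part of the original article: it audits a first-match-wins rule list for unrestricted allows, a missing default deny per direction, and (going slightly beyond the list above) rules that can never match because an earlier rule covers them. The rule format and the sample rule set are constructed for illustration.

```python
import ipaddress

ANY = {"src": "any", "dst": "any", "port": "any"}

def _net(s):
    return ipaddress.ip_network("0.0.0.0/0" if s == "any" else s)

def covers(a, b):
    """True if rule a matches every packet that rule b matches."""
    return (a["dir"] == b["dir"]
            and (a["port"] == "any" or a["port"] == b["port"])
            and _net(b["src"]).subnet_of(_net(a["src"]))
            and _net(b["dst"]).subnet_of(_net(a["dst"])))

def audit(rules):
    """Return (rule_index, finding) pairs for a first-match-wins rule list."""
    findings = []
    for i, r in enumerate(rules):
        if r["action"] == "allow" and covers(r, {**ANY, "dir": r["dir"]}):
            findings.append((i, f"unrestricted {r['dir']}bound allow"))
        earlier = next((j for j in range(i) if covers(rules[j], r)), None)
        if earlier is not None:
            findings.append((i, f"never matches, shadowed by rule {earlier}"))
    for d in ("in", "out"):
        same_dir = [r for r in rules if r["dir"] == d]
        last = same_dir[-1] if same_dir else None
        if not (last and last["action"] == "deny" and covers(last, {**ANY, "dir": d})):
            findings.append((None, f"no default deny for {d}bound traffic"))
    return findings

# Constructed rule set (documentation addresses), evaluated top to bottom.
RULES = [
    {"dir": "in", "action": "allow", "src": "any", "dst": "203.0.113.10", "port": 443},
    {"dir": "in", "action": "deny", "src": "198.51.100.0/24", "dst": "203.0.113.10", "port": 443},
    {"dir": "in", "action": "deny", **ANY},
    {"dir": "out", "action": "allow", **ANY},
]

if __name__ == "__main__":
    for idx, finding in audit(RULES):
        print("ruleset" if idx is None else f"rule {idx}", "-", finding)
```

In the sample, the deny for 198.51.100.0/24 is placed after the allow it was meant to override, so it never takes effect; the firewall itself reports nothing about this.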

For Mah Kido.
