A Firewall Quiz

Here is a quiz:

A firewall that is deployed in an environment with a single rule – "allow any" – and no NAT functionality makes your environment a) more secure; or b) less secure. (Bonus: why or why not?)

Extra credit question number 1: Does the label "firewall" increase, decrease, or make no difference to the security impact of a device with firewall-like functionality?

Total possible points is 110 because I know from my kids that schools operate on the 110 / 100 scale all the time now. Go figure. (Guess the schools must be unknowingly gaming the system, eh?)

(punctuation corrected – thanks, kraigus)

5 comments for “A Firewall Quiz”

  1. September 25, 2007 at 9:54 am

    Okay, I’ll post my answers:

    My first reaction was to say that the firewall (with a single “allow any” rule and no NAT) would still make the network more secure because it would provide some logging which might be useful as a detective control. But, assuming logging is a result of a rule, it appears there would be no logging (since there are no other rules). So, I’d say it would (c) have no impact on the security of the environment.

    As to the extra credit question, I would say the label “firewall” makes no difference on the security impact of a device with firewall-like capabilities. Then again, a device that resolves to a network name of something like “firewall.victim.com” might scare some attackers away because they’d think victim.com must have some defenses in place if they have a firewall; at the same time, it might invite more aggressive attackers interested in the challenge of defeating the firewall.

    Okay, how’d I do?

  2. September 25, 2007 at 10:25 am

    *First question:*

    This device can lower your security, if either:

    a) the users/operators assume that the network is now protected

    b) the device has its own vulnerabilities, giving attackers a new potential launching pad.

    I’m not sure you can assume ‘a’, if everyone knows that the device has no rules.

    I’m not sure ‘b’ applies, either, if you say that vulnerabilities are only the result of rules. That’s probably not accurate, but we’re making up suppositions so why not?

    *Bonus question:*

    Well, “firewall” is merely a label that describes where you are going to make your stand. Could be the network, could be the host, could be the CPU, could be the hard drive.

    But, as I said in ‘1a’, if users/operators think “there’s a firewall” they could unfairly decrease their risk assessment of the local network.

  3. September 25, 2007 at 8:01 pm

    a – if it’s one or the other, then it’s less. As others have said, you’re increasing your attack surface with no extra gain.

    Extra credit 1 – makes no difference. Labels are meaningless; if your firewall protects people then it protects them, if it doesn’t, it doesn’t. People are going to do stupid things, regardless of whether or not they know they have a firewall.

    Extra credit 2 – the schools your kids go to may not teach arithmetic like they used to, but how about the rules of punctuation? :-)

  4. September 27, 2007 at 7:59 am

    No worries. :)

  5. October 11, 2007 at 5:51 am

    A firewall with a single “allow any” can increase the security if we assume that it is a stateful firewall and “allow any” means from internal network to external. Because there is no other assumption, such as logging or intrusion detection capability, we can say that from the internal network point of view, it is more secure. Also, we must note that any firewall is a single point of failure, especially when working in router (non-transparent) mode.
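The two readings of “allow any” that the quiz and comment 5 argue about can be made concrete in code. The following toy packet filter is an added example, not part of the original post or its comments: it contrasts the quiz’s rule-less, stateless device (every packet passes) with comment 5’s interpretation, a stateful box whose single “allow any” rule applies inside-to-outside and whose connection table is what actually drops unsolicited inbound traffic. All addresses, ports and the 10.0.0.0/8 “internal” range are constructed for the example; the logging in the stateful class is a design choice of this toy, not a claim about any particular product.

```python
"""Toy stateful vs. stateless packet filter (added example, not the post's code).

Contrasts a firewall with one rule ("allow any") and no state against a
stateful firewall whose single "allow any" rule is read as internal -> external.
All addresses below are constructed sample values.
"""
from dataclasses import dataclass
import ipaddress

# Constructed internal address range used to classify packet direction.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def is_internal(addr: str) -> bool:
    """True if the address falls inside the constructed internal range."""
    return ipaddress.ip_address(addr) in INTERNAL


class StatelessAllowAny:
    """The quiz's device: one rule, no NAT, no connection tracking.

    Every packet matches the single rule and is accepted, in both directions,
    so the device adds nothing except its own attack surface.
    """

    def filter(self, pkt: Packet) -> str:
        return "accept"


class StatefulAllowOutbound:
    """Comment 5's reading: 'allow any' means inside -> outside only.

    Outbound packets are accepted and recorded in a connection table.
    Inbound packets are accepted only when they are the reverse of a flow
    the inside already opened; anything else is dropped. Every verdict is
    logged, so even a one-rule policy yields a detective record (a choice
    made for this toy, not a property of every firewall).
    """

    def __init__(self) -> None:
        self.table: set[tuple] = set()   # flows opened from the inside
        self.log: list[tuple] = []       # (verdict, 4-tuple) per packet

    def filter(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if is_internal(pkt.src) and not is_internal(pkt.dst):
            self.table.add(key)          # new outbound flow: remember it
            verdict = "accept"
        elif reverse in self.table:
            verdict = "accept"           # reply to a flow the inside initiated
        else:
            verdict = "drop"             # unsolicited inbound, or inside->inside
        self.log.append((verdict, key))
        return verdict


def run(fw, packets) -> list[str]:
    """Apply a filter to a packet sequence and return the verdict per packet."""
    return [fw.filter(p) for p in packets]


# Constructed traffic: an outbound HTTPS connection, its reply, then an
# unsolicited inbound SSH attempt from a different external host.
SAMPLE = [
    Packet("10.1.2.3", 40000, "203.0.113.10", 443),
    Packet("203.0.113.10", 443, "10.1.2.3", 40000),
    Packet("198.51.100.7", 55555, "10.1.2.3", 22),
]

if __name__ == "__main__":
    print("stateless allow-any:", run(StatelessAllowAny(), SAMPLE))
    fw = StatefulAllowOutbound()
    print("stateful allow-outbound:", run(fw, SAMPLE))
    for entry in fw.log:
        print("  log:", entry)
```

Run as-is and the stateless device accepts all three packets, including the inbound SSH probe, while the stateful one accepts the outbound flow and its reply and drops the probe. The difference comes entirely from the connection table, not from the word “allow any”, which is the substance of the quiz.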

Comments are closed.