Of course, there are many so-called reformed hackers who are for
hire, but one thing is certain: The truly disturbed madmen aren’t for
hire. Developing a rock solid firewall then becomes less about
flavorful defense and more about where to build the cement bunker
(figuratively speaking; it has been shown that cement bunkers offer
very little, if any, added cyber security to a network firewall device.
A nice bracket and a solid server rack do just as nicely).
6.2 Unbreakable walls
Perhaps it was the products of the 1970s that liked to leverage the
concept of “unbreakable” that left consumers craving “unbreakable”
things. However, everyone knows that if one of those
“unbreakable” hair combs bent far enough, it would break. Any
firewall appliance, if not properly used, sited, or cared for, will break.
If the firewall is physically situated in a heavy traffic area and it gets
bumped and falls off the shelf, it will most assuredly break. Much
like a breakwater is built to tolerate crashing waves but will collapse
if it is hit by a barge, a firewall can only be guaranteed to withstand
certain types of attacks—barge strikes not being one of them. It is up
to the administrator to understand the traffic patterns and the
circumstances of the network mission.
The best way to prevent someone from breaking down a wall is to
hide it behind another wall. If the wall can’t be found, it can’t be
broken. Hands down, the most secure approach (and the most
unfeasible in many environments) is to create a redundant network—
one that pairs the LAN with an Internet-connected network. Each
network coexists side by side, but there is no physical connection.
The LAN would, actually, have no Internet connection or connection
to other networks at all. It would be completely secure and,
barring the introduction of wireless elements, should remain
indefinitely secure. Realistically, larger organizations may have many
firewalls and many networks living on one large extranet, intranet,
or ouvrenet. An overlay-styled network, however, may have its
own set of problems since, in practice, such a network would
have an intrinsic inability to function properly as a communication
tool. Aside from requiring that everyone (who needs
Internet access) have two computers, and aside from doubling
the equipment expense, the administrative efforts would also be
doubled. Movement of information within such a network would be