Firewalls Part 1

I've worked with firewalls and various network filtering devices for a long time. It's still a fairly popular area of development, but as it has matured it has stayed fairly primitive. There are a lot of reasons for that, and I think that discussion is less constructive than talking about how I think it should be done and the various pitfalls.

For starters, I don't know if you've ever "inherited" a firewall or had to get one changed in a mid-sized corporation. They tend to grow and never really shrink, and after a while they reach a state where you're almost afraid to shrink them because you don't know the history. Further, as the corporation grows and starts to take security more seriously, you'll have to go through a process to actually change a firewall. That process requires approval from people who probably don't care about what you need to accomplish that requires the change in the first place, and who might not even know (or care, as can happen in some IT groups) what it is that really needs protecting.

Firewalls tend to get treated as static entities, which is reasonable enough, but the internet and networks in general are fairly dynamic: good rules now might not be good rules tomorrow. If your organization is into the more static style of thinking, put your firewall under change control. Put it into ClearCase, Subversion or whatever you use, and put detailed comments in when you change a configuration.
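As an added example (not code from the original post), a small Python helper for the change-control discipline described above: it diffs two revisions of a simplified ruleset, refuses to record a change without a stated reason, and lists the rules whose history was never recorded, which is exactly the "afraid to shrink it" problem of an inherited firewall. The rule syntax, addresses and rulesets are constructed for the example and are not a real Pix or iptables format.

```python
import difflib

# Constructed sample rulesets (not a real firewall syntax): the ruleset as
# inherited, and the ruleset after one change was made to it.
INHERITED = """\
permit tcp any host 10.0.0.5 eq 443
permit tcp any host 10.0.0.5 eq 80
permit tcp 10.0.1.0/24 host 10.0.0.9 eq 22
deny ip any any
"""
CHANGED = """\
permit tcp any host 10.0.0.5 eq 443
permit tcp 10.0.1.0/24 host 10.0.0.9 eq 22
permit udp any host 10.0.0.7 eq 514
deny ip any any
"""

def rules(text):
    """Split a ruleset into its non-blank rule lines, preserving order."""
    return [line.strip() for line in text.splitlines() if line.strip()]

def ruleset_diff(old, new):
    """Return (removed, added) rule lists between two revisions of a ruleset."""
    old_r, new_r = rules(old), rules(new)
    removed, added = [], []
    matcher = difflib.SequenceMatcher(None, old_r, new_r)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag in ("delete", "replace"):
            removed.extend(old_r[i1:i2])
        if tag in ("insert", "replace"):
            added.extend(new_r[j1:j2])
    return removed, added

def change_record(old, new, author, reason):
    """Commit-style record of one change. A change with no stated reason is
    refused: missing history is what makes an inherited firewall hard to shrink."""
    if not reason.strip():
        raise ValueError("firewall change needs a recorded reason")
    removed, added = ruleset_diff(old, new)
    return {"author": author, "reason": reason, "removed": removed, "added": added}

def unexplained_rules(current, records):
    """Rules in the current ruleset that no change record ever added, i.e. the
    ones whose purpose is unknown and which nobody dares to remove."""
    explained = {r for rec in records for r in rec["added"]}
    return [r for r in rules(current) if r not in explained]
```

Running `unexplained_rules` against a ruleset whose records start only at the point you inherited it shows how much of the firewall has no recorded justification at all.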

Incorrectly built firewalls can also be slow and inefficient. I know of a place that had a traffic shaper and a Pix, and their firewall became so complex that when you removed the traffic shaper the Pix became overloaded; in effect the traffic shaping device became an integral part of their security system, which makes the whole network that much more complex. They were using tools incorrectly, which also makes it more likely that a tool won't do some task they may need in the future. Ultimately it restricts what you can do with the traffic shaper and firewall: if there is ever a need to quickly change something you have to be more careful, because that change may end up breaking the interaction between the firewall and the traffic shaper that allows them both to work.

Posted by Ian S. Nelson 29/01/2006 at 18h13