ietf

Re: Time to move beyond the 32 bit Internet.

2014-07-01 18:08:29

Part of the issue is that a firewall doesn't actually do much to
help a properly secured host, and it just makes applications harder
to develop, as they need to start punching holes in multiple firewalls.

It just drops a little traffic which would otherwise be rejected
immediately or dropped after timeout by the host.

Additionally, firewall developers do not keep up to date with protocol
changes (how many firewalls, 15 years after EDNS was developed,
still think that DNS/UDP packets are 512 bytes?).  They are often
used, incorrectly, to block legitimate traffic (ICMP PTB, fragments)
associated with "wanted" flows.

They are themselves an attackable DoS point due to table exhaustion.

They also don't encourage other manufacturers to take the security of
their products into proper consideration.  Just because they are
inside a "firewall" doesn't mean that they are in a safe environment,
yet that is the attitude some manufacturers seem to take.

Also, once the application punches holes in the firewall, it may as well
not be there, as the service is exposed.

What I do want to see in a firewall is outbound BCP38 style filters
by default.  Hosts will get compromised with or without a firewall.
They will emit spoofed traffic.  Most NAT boxes are pretty good at
turning spoofed traffic into legitimately sourced traffic when it
appears on the Internet.

Firewalls should be protecting the Internet from the home as they
don't do much to protect the home from the Internet.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka(_at_)isc(_dot_)org
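The outbound BCP38-style source filter the post asks for, placed beside the inbound behaviour it criticises (a pre-EDNS 512-byte cap on DNS/UDP, dropped ICMP Packet Too Big messages and dropped fragments), as an added Python model. This is example code written for this page, not code from Mark Andrews, ISC or any firewall product; the site prefixes (203.0.113.0/24 and 2001:db8:1::/48 from the documentation ranges), the sample packets, and the `Packet` and `StatefulInboundPolicy` names are constructed for illustration.

```python
"""Toy packet-policy model (added example, not from the original post).

Two halves:
  * egress_filter()            -- BCP38-style check: an outbound packet may only
                                  carry a source address this site actually holds
  * legacy_inbound_policy()    -- the behaviour the post complains about
    StatefulInboundPolicy      -- an inbound policy that lets wanted flows, their
                                  ICMP PTB errors and their fragments through
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Assumed site prefixes (documentation ranges, not a real deployment).
INSIDE_PREFIXES = [ipaddress.ip_network("203.0.113.0/24"),
                   ipaddress.ip_network("2001:db8:1::/48")]

ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED = 3, 4   # IPv4 "fragmentation needed" (PTB)
ICMPV6_PACKET_TOO_BIG = 2                    # IPv6 Packet Too Big


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                    # "udp", "tcp", "icmp" or "icmpv6"
    length: int                   # total IP length in bytes
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None
    fragment: bool = False        # non-first fragment: no L4 header to match on


def bcp38_egress_allowed(pkt: Packet, inside=INSIDE_PREFIXES) -> bool:
    """True only if the outbound source address lies inside one of our prefixes."""
    src = ipaddress.ip_address(pkt.src)
    return any(src in net for net in inside if net.version == src.version)


def egress_filter(packets: Iterable[Packet]) -> Tuple[List[Packet], List[Packet]]:
    """Split outbound packets into (forwarded, dropped) under the BCP38 rule."""
    forwarded, dropped = [], []
    for p in packets:
        (forwarded if bcp38_egress_allowed(p) else dropped).append(p)
    return forwarded, dropped


def is_packet_too_big(pkt: Packet) -> bool:
    return ((pkt.proto == "icmp" and pkt.icmp_type == ICMP_DEST_UNREACH
             and pkt.icmp_code == ICMP_FRAG_NEEDED)
            or (pkt.proto == "icmpv6" and pkt.icmp_type == ICMPV6_PACKET_TOO_BIG))


def legacy_inbound_policy(pkt: Packet) -> str:
    """The rule set the post objects to: all ICMP and all fragments dropped,
    and DNS/UDP replies capped at a 512-byte payload (20 IP + 8 UDP = 540)."""
    if pkt.fragment or pkt.proto in ("icmp", "icmpv6"):
        return "drop"
    if pkt.proto == "udp" and pkt.sport == 53 and pkt.length > 512 + 28:
        return "drop"   # breaks every EDNS reply larger than the pre-EDNS limit
    return "accept"


class StatefulInboundPolicy:
    """Accept inbound traffic that belongs to a flow an inside host started,
    plus the PTB errors and fragments that flow depends on; no size caps."""

    def __init__(self) -> None:
        # (proto, inside_addr, inside_port, outside_addr, outside_port)
        self.flows = set()

    def note_outbound(self, pkt: Packet) -> None:
        if pkt.proto in ("udp", "tcp"):
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def verdict(self, pkt: Packet) -> str:
        if is_packet_too_big(pkt) or pkt.fragment:
            return "accept"   # the host, not the firewall, validates these
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "accept" if key in self.flows else "drop"


if __name__ == "__main__":
    # Constructed traffic: a DNS query, its 1232-byte EDNS reply, a PTB, a spoof.
    query = Packet("203.0.113.10", "198.51.100.53", "udp", 60, sport=40000, dport=53)
    reply = Packet("198.51.100.53", "203.0.113.10", "udp", 1260, sport=53, dport=40000)
    ptb = Packet("198.51.100.1", "203.0.113.10", "icmp", 576, icmp_type=3, icmp_code=4)
    spoof = Packet("192.0.2.9", "198.51.100.7", "udp", 100, sport=1234, dport=123)
    policy = StatefulInboundPolicy()
    policy.note_outbound(query)
    for p in (reply, ptb):
        print(p.proto, "legacy:", legacy_inbound_policy(p), "stateful:", policy.verdict(p))
    fwd, drp = egress_filter([query, spoof])
    print("egress forwarded:", [p.src for p in fwd], "dropped:", [p.src for p in drp])
```

The egress half is the part the post actually wants on a home firewall: it is stateless, costs no connection-table entries, and turns a compromised host's spoofed packets into drops at the edge instead of "legitimately sourced" traffic on the Internet. The inbound half only shows why the size cap and blanket ICMP/fragment drops hurt wanted flows.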