Can a firewall alone prevent hacking?
No. Firewalls can’t protect against attacks that don’t go through the
firewall. An intruder who wants to export information is just as likely to take
it out over a telephone, a fax machine, or a floppy disk as through your
firewall. Lastly, firewalls can’t protect against tunneling over most application
protocols to trojaned or poorly written clients. For a firewall to work
effectively, it must be part of a consistent overall organizational security
architecture. Firewall policies must be realistic and reflect the level of
security in the entire network. Security is not a one-time activity; it requires
periodic management.
Why do I have to make an intrusion detection system (IDS) re-configure the firewall?
An IDS on its own can prevent only TCP-based attacks; against UDP-based attacks
it is powerless by itself. An IDS can be configured to work together with the
firewall so that, in case of a UDP-based attack, the IDS pushes a policy to the
firewall to block any packets from the source launching the attack.
What are the criteria to choose a firewall for your network?
(1) What you are trying to protect against
(2) Traffic flow to and from the Internet
(3) Your Internet bandwidth
(4) How critical Internet connectivity is to your business
(5) How essential high availability of the Internet is to your business
Can a firewall itself be compromised?
No, a firewall with a properly defined security policy cannot be hacked. To
prevent attackers from compromising the firewall itself, you implement what is
generally called a stealth policy: a rule that blocks every connection addressed
to the firewall itself.
Does introducing a firewall degrade your network throughput?
On higher-end systems and appliances, the latency introduced by the
firewall is not going to be a bottleneck for your network performance.
How do load-balancing firewalls work?
Load-balancing firewalls run specialized software that checks the load on
all firewalls in the cluster and distributes traffic to the least-loaded
firewall. All firewalls work in sync, so if a firewall in the cluster fails, the
traffic that was flowing through it is redistributed to the other firewalls
transparently.
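The distribution and failover behaviour described above, as an added toy model that is not code from the article or from any vendor's product; member names and flow identifiers are constructed:

```python
# Added example, not from the article: a toy model of a load-balancing firewall
# cluster. Member names ("fw1"...) and flows ("f1"...) are constructed.
class FirewallCluster:
    def __init__(self, members):
        self.load = {m: 0 for m in members}  # live members -> active flow count
        self.owner = {}                      # synced state: flow -> member handling it

    def least_loaded(self):
        # Ties go to the member listed first, which keeps the model deterministic.
        return min(self.load, key=self.load.get)

    def assign(self, flow):
        """Route a flow: an existing flow sticks to its member, a new one goes to
        the least-loaded member."""
        if flow in self.owner:
            return self.owner[flow]
        member = self.least_loaded()
        self.owner[flow] = member
        self.load[member] += 1
        return member

    def fail(self, member):
        """A member dies. Because the connection state is shared by all members,
        its flows are re-homed on the survivors instead of being dropped."""
        del self.load[member]
        if not self.load:
            raise RuntimeError("no surviving firewall in the cluster")
        for flow, owner in self.owner.items():
            if owner == member:
                target = self.least_loaded()
                self.owner[flow] = target      # value update only; dict size unchanged
                self.load[target] += 1

def demo():
    """Return (member per flow before fw1 fails, member per flow after, final loads)."""
    cluster = FirewallCluster(["fw1", "fw2", "fw3"])
    flows = ["f1", "f2", "f3", "f4"]
    before = {f: cluster.assign(f) for f in flows}
    cluster.fail("fw1")
    after = {f: cluster.assign(f) for f in flows}   # no flow is lost
    return before, after, dict(cluster.load)
```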
Does a firewall pass multicast/broadcast packets?
A firewall doesn’t make routing decisions; that task is handled by the OS on
which it runs. The firewall’s role in multicast/broadcast routing is no different
from its role in routing any other traffic.
Can I have content screening at the firewall level?
Firewalls are not primarily designed to analyze the content inside a packet.
But modern-day firewalls give you the option to filter or block packets that can
carry malicious code such as applets, scripts and certain file extensions.
Is a firewall appliance’s performance better than a software-based firewall?
Not necessarily. A lot depends on the hardware architecture of each type of
firewall; after all, both use microprocessors as their core processing device.
So a software firewall on high-end hardware can give you the performance your
network needs.
Will a Gbps-firewall always give me better performance throughput?
A Gbps-firewall is one whose kernel processes packets at gigabit speed. That
throughput is achieved only when you pump packets in and out at gigabit speed,
so installing a Gbps-firewall will not give you gigabit throughput unless all the
links to your network are gigabit links.
Does a firewall protect from virus attacks/worms?
Firewalls can’t protect very well against viruses. They cannot protect
against a data-driven attack, in which something is mailed or copied to an
internal host and executed there. A strong firewall is never a substitute for
sensible software that recognizes the nature of what it’s handling: untrusted
data from an unauthenticated party.
What is a connection table?
A connection table is a dynamic table in which the firewall maintains
information about the traffic flowing into and out of your network. It holds the
characteristics of all the packets (source address, destination address, source
port, destination port, translated address, translated port, etc.). A firewall
consults the connection table before checking the security policy.
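The order of checks described here, and the stealth policy from the "Can a firewall itself be compromised?" answer above, as an added toy model that is not code from the article or from any product; the addresses, ports and rule are constructed, and NAT, timeouts and TCP flag tracking are left out:

```python
# Added example, not from the article: a toy stateful packet filter that shows
# the order of checks described above. Every address and rule is constructed.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Rule:                          # flow key: (src_ip, src_port, dst_ip, dst_port, proto)
    action: str                      # "allow" or "deny"
    dst_port: Optional[int] = None   # None matches any destination port
    proto: str = "*"                 # "*" matches any protocol

    def matches(self, pkt):
        _src, _sport, _dst, dport, proto = pkt
        return ((self.dst_port is None or self.dst_port == dport)
                and (self.proto == "*" or self.proto == proto))

@dataclass
class StatefulFirewall:
    own_addresses: set               # the firewall's own interface addresses
    rules: list                      # security policy, first match wins
    table: dict = field(default_factory=dict)  # connection table: flow -> state

    def check(self, pkt):
        src, sport, dst, dport, proto = pkt
        # 1. Stealth policy: nothing may connect to the firewall itself, whatever
        #    the rule base would otherwise say about that port.
        if dst in self.own_addresses:
            return "drop(stealth)"
        # 2. Connection table before policy: a packet of a flow already accepted,
        #    in either direction, is passed without re-evaluating the rules.
        reverse = (dst, dport, src, sport, proto)
        if pkt in self.table or reverse in self.table:
            return "allow(established)"
        # 3. Only a new flow is evaluated against the security policy.
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.action == "allow":
                    self.table[pkt] = "established"  # no timeouts or TCP flag tracking
                return rule.action + "(policy)"
        return "deny(default)"

def demo():
    """Run constructed packets through the filter and return the verdicts."""
    fw = StatefulFirewall({"203.0.113.1"}, [Rule("allow", dst_port=80, proto="tcp")])
    packets = [("10.0.0.5", 40000, "198.51.100.7", 80, "tcp"),   # new outbound HTTP
               ("198.51.100.7", 80, "10.0.0.5", 40000, "tcp"),   # reply to that flow
               ("198.51.100.7", 80, "10.0.0.5", 40001, "tcp"),   # unsolicited "reply"
               ("10.0.0.5", 40002, "203.0.113.1", 80, "tcp")]    # HTTP to the firewall itself
    return [fw.check(p) for p in packets]
```

The fourth packet would match the allow rule on port 80, which is exactly why the stealth check has to run before the rule base.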
Can I have a firewall to manage link redundancy?
Most firewalls on the market leave packet routing decisions to the
underlying OS, so they cannot perform dynamic routing based on the availability
of links. Of late, a few vendors have come out with firewalls that take care of
link redundancy as well, but their practical feasibility is yet to be seen.
Does a two-tiered firewall architecture provide increased protection?
No. Essentially, a two-tiered architecture does not provide increased
protection to the network compared with a single-tier architecture. A two-tiered
firewall can be ideal when there are many network segments to be protected: it
helps distribute the load across firewalls, even though managing the security
policy becomes more difficult.
Will VPN devices make firewalls obsolete?
VPN solves two problems: integrity and privacy of the information flowing
between hosts. Neither of these is what firewalls were created to solve.
Although firewalls can help mitigate some of the risks present on the Internet
without authentication or encryption, there are really two classes of problems
here: the integrity and privacy of the information flowing between hosts, and
the limits placed on the kind of connectivity between different networks. VPN
addresses the former class and firewalls the latter. This means that neither
will eliminate the need for the other; instead, it creates some interesting
possibilities for combining firewalls with VPN-enabled hosts.
S Shankara Narayanan
Head of consulting practice, Ramco System