Metasploit mailing list archives

Spam: How safe is a hardware firewall?


From: kim at bufferzone.dk (Kim Guldberg)
Date: Mon, 05 Nov 2007 18:58:14 +0100

Hi Robin

A hardware firewall is just as safe or unsafe as any other firewall, 
it's all in the configuration and setup, just one hole or 
misconfiguration and you are screwed. FortiGate is a well-known brand 
and has an ok reputation.

Your servers are not necessarily ok. You write that you have opened the 
important ports, which is plenty enough for a hacker if the systems 
behind the firewall are unpatched or have exploitable vulnerabilities. 
You write nothing about how you filter outbound traffic. This is very 
important since the hacker has to be able to connect back out through 
your firewall. It is ok to leave the firewall open from outside in, if 
the hacker cannot come back out. Of course it is safer to block 
both incoming and outbound as efficiently as possible.

If you just look at your firewall, you will never get a secure system. 
You need to look at all the levels and all the units from a security 
point of view.

Best regards

Kim Guldberg


Robin Kipp wrote:
Hi guys,
I hope this topic isn't too much off-topic since it isn't Metasploit 
related... I just put a FortiGate hardware firewall between my server 
and the internet. I left all the important ports (HTTP, SMTP, POP3 
etc) open, but the traffic is always being checked by the firewall. 
The firewall has thousands of attack definitions, virus signatures 
etc... Do you think I can say that my server is safe behind the 
firewall or are there always ways to hack the firewall and bypass it?
Robin
