The crux of a firewall is to prevent network traffic from reaching a destination based on a set of rules. Pretty simple. One side of the firewall is a trusted 'safe' area (normally known as the private network) and the other side is untrusted, the public network. Keeping the two separate makes sense and allows for greater control over network traffic and its data. So firewalls are generally placed at the outermost edge of the private network, often with a demilitarised zone (DMZ) in between: a segment that both public and private hosts are allowed to reach, but which is itself prevented from initiating connections into the private network, so that a compromised public-facing server does not become a bridge to the inside.
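To make the 'set of rules' and the three-zone layout concrete, here is an added example (my own illustration, not code from any firewall product) of a zone-based, first-match, default-deny policy evaluator. The address ranges, zone names and port numbers are constructed for the example: the public internet may reach the DMZ web tier on 443 only, the private network may initiate anywhere, and the DMZ may reach the private network only on the database port.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed example address plan (private/documentation ranges), not a real network.
ZONES = {
    "private": ip_network("10.0.0.0/8"),
    "dmz": ip_network("192.168.100.0/24"),
}


def zone_of(addr: str) -> str:
    """Map an address to its zone; anything outside the known ranges is 'public'."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "public"


@dataclass(frozen=True)
class Rule:
    src_zone: str            # "public", "dmz", "private" or "any"
    dst_zone: str
    proto: str               # "tcp", "udp" or "any"
    dst_port: Optional[int]  # None matches any port
    action: str              # "accept" or "drop"

    def matches(self, src_zone: str, dst_zone: str, proto: str, dst_port: int) -> bool:
        return (self.src_zone in ("any", src_zone)
                and self.dst_zone in ("any", dst_zone)
                and self.proto in ("any", proto)
                and (self.dst_port is None or self.dst_port == dst_port))


# Ordered policy: first match wins, and anything unmatched falls through to drop.
POLICY = [
    Rule("public", "dmz", "tcp", 443, "accept"),     # internet may reach the web tier on HTTPS
    Rule("private", "any", "any", None, "accept"),   # inside may initiate anywhere
    Rule("dmz", "private", "tcp", 5432, "accept"),   # web tier may reach the database, nothing else
    Rule("any", "private", "any", None, "drop"),     # nothing else reaches the private network
]


def decide(src: str, dst: str, proto: str, dst_port: int) -> str:
    """Return 'accept' or 'drop' for a new connection; unmatched traffic is dropped."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    for rule in POLICY:
        if rule.matches(src_zone, dst_zone, proto, dst_port):
            return rule.action
    return "drop"


if __name__ == "__main__":
    for flow in [("203.0.113.7", "192.168.100.10", "tcp", 443),
                 ("203.0.113.7", "10.0.0.5", "tcp", 443),
                 ("192.168.100.10", "10.0.0.5", "tcp", 5432),
                 ("192.168.100.10", "10.0.0.5", "tcp", 22)]:
        print(flow, "->", decide(*flow))
```

The important design point is the last rule and the fall-through: a DMZ host that is compromised can still only talk to the one private service it was explicitly allowed, and anything nobody thought to write a rule for is dropped rather than accepted.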
As security has gained focus over the last ten years or so, a few things changed. Security moved from focusing only on potentially 'evil' public traffic and 'safe' private traffic to keeping data secure from all sorts of angles. Insider threats. Proliferation of viruses and malware within the private network. Access control levels on data to improve confidentiality. Encryption to prevent eavesdropping and more secure storage to maintain data integrity. This has led to many different levels or 'rings' of security.
Firewalls at the outermost edge of the private network, intrusion detection and prevention systems, localised patch and anti-virus management on individual machines, authentication and authorisation to restrict access, and security policies and procedures to manage networks and data effectively: all part of a layered ring of security.
The term 'ring of security' was used mainly when discussing operating system design. Protection rings simply provide levels of privilege (ring 0 for the kernel, ring 3 for ordinary user processes on x86) to keep potentially unsafe operations from affecting the core kernel of the OS. Gates between the rings (call gates and system calls) give processes neatly defined routes to request privileged operations. Today the term can also refer to the general security approach for an organisation.
Security can and should cover a multitude of technologies and processes. I guess this is exemplified by the number and variety of topics within many security qualifications such as the CISSP or CISA.
One of the key angles of security management I think is often missed is that of physical and indeed human security. It's all very well having 128-bit encryption on your hard disk, but disk encryption only protects data while the machine is powered off or locked. If your laptop is left unattended and unlocked in a meeting room without swipe-card access, it's not particularly secure, is it?
There are many common security pitfalls that are created by people, not tooling:
- Security badges not being worn or checked. Why do you have one round your neck?
- Tailgating: how many times have you held a proximity-swipe door open for someone?
- Shared desktops: a colleague 'just needs to check something' or check their email.
- Not locking or logging out. Turning the monitor off isn't quite the same.
- Everyone knows a story about passwords: weak and easy to break, under the coffee mat, recycled with a new number on the end...
- USB sticks, netbooks and portable drives left unaccompanied.
- Printed documents not collected from printers (hence the clear-desk policy).
- Water-cooler chat: social engineering for information, processes, passwords and locations is easier than you think.
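The 'recycled with a new number on the end' habit is one of the few items on that list that tooling can actually catch at password-change time. Here is an added example (my own illustration, not code from the post) of a change check that keeps salted hashes of the *root* of each previous password (lowercased, trailing digits and punctuation stripped) so that 'Summer2023!' followed by 'summer2024' is rejected without any old password being stored in the clear. The banned-password list and the 12-character minimum are assumed policy values, constructed for the example.

```python
import hashlib
import hmac
import os
import re
from typing import List, Optional

# Constructed list of banned passwords; a real deployment would use a breached-password corpus.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}
MIN_LENGTH = 12  # assumed policy value, not from the post

_TRAILING = re.compile(r"[0-9!@#$%^&*.?]+$")


def normalise(password: str) -> str:
    """Reduce a password to its root: lowercase, trailing digits and punctuation removed,
    so 'Summer2023!' and 'summer2024' share the root 'summer'. A password that is
    nothing but digits or punctuation keeps its lowercase form."""
    root = _TRAILING.sub("", password.lower())
    return root or password.lower()


def root_hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 over the root, so history can be compared without storing old passwords."""
    return hashlib.pbkdf2_hmac("sha256", normalise(password).encode("utf-8"), salt, 100_000)


class PasswordHistory:
    """Holds root hashes of a user's previous passwords and checks candidates against them."""

    def __init__(self, salt: Optional[bytes] = None) -> None:
        self.salt = salt or os.urandom(16)
        self._roots: List[bytes] = []

    def remember(self, password: str) -> None:
        self._roots.append(root_hash(password, self.salt))

    def check(self, candidate: str) -> List[str]:
        """Return the list of policy violations; an empty list means the candidate is acceptable."""
        problems = []
        if len(candidate) < MIN_LENGTH:
            problems.append(f"shorter than {MIN_LENGTH} characters")
        if candidate.lower() in COMMON_PASSWORDS or normalise(candidate) in COMMON_PASSWORDS:
            problems.append("common password (with or without a suffix)")
        digest = root_hash(candidate, self.salt)
        # Constant-time comparison so the check itself leaks nothing about old roots.
        if any(hmac.compare_digest(digest, old) for old in self._roots):
            problems.append("recycles a previous password with only the suffix changed")
        return problems


if __name__ == "__main__":
    history = PasswordHistory()
    history.remember("Summer2023!")
    for pw in ["summer2024", "Password1!", "correct horse battery staple"]:
        print(repr(pw), history.check(pw) or "ok")
```

Note that the root is hashed with a per-user salt and a slow KDF precisely because the root is weaker than the full password; storing it unhashed, or with a fast hash, would turn the history file into a shortcut for an attacker.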
All of these can be managed and largely avoided, first by defining some basic security best practice and secondly through internal awareness and 'marketing'. Making non-IT users aware of the importance of data security is key, along with how it affects not only the IT geeks but the actual profitability, usefulness and general success of business units. Awareness should be followed up by readily available security resources: consistent internal documentation is a start; training, websites and regular updates are ideal.
The concept of using humans as firewalls is not new, but technology can only protect data so far. Human intervention and judgement are now just as important as security moves into the mainstream of effective business management.
You wouldn't trust your car to drive itself, so why let only technology look after your data?