Firewalls & Change Management

Having been through a fair number of firewall fiascos my self. I was a little leary when and org I work with wanted to put one in front of their servers to protect them. Just the expression firewall gives you a feeling of safety doesn't it? But security considerations have to go deeper than that. But more importantly the effect that the firewall is going to have on the systems and the network needs to be reviewed in monotonous detail ahead of time. Even then because humans are just human, you'll still find a few missing pieces that need to be corrected on the firewall config. You need to treat the dropping of a firewall on the net as a registered change to both the network and each system that sits behind it. If the systems are homogenous PC workstations then lucky you. You only have to dream up one set of rules test them in theory and then make the formal change. If you have a whole host of complicated server and don't know what homogony is then your task is much more complicated. For each server decide who can get to it and on what ports. Apply these rules until all the services you want works. A firewall is NOT a plug in bandaid with low time costs to high security payoff. Ironically enough the org with the firewall screwed up a whole bunch of services for people, and still managed to get a worm BEHIND the firewall that brought the network to it's knees one saturday.