Does a firewall actually make you secure?

Hi, This is probably going to sound like a silly question.
I have a  smoothwall firewall (just thought i'd say the name incase anyone knows of  any vulnerabilities) protecting the compaines network.

I have done an NMap stealth scan and I can see only 4 ports are open (22, 25, 110, 80), these forward to  services on the orange zone.

Also, we have a router/modem connected to the smoothwall box... the 4 ports have been forwarded to the  smoothwall box and I have manually created a filtering rules so that inbound traffic from: 0-21, 23-24, 26-79, 81-109 and 111-65535 is blocked.

Just for you  guys that dont know, with smoothwall you can have 2 seperate networks, 'green and 'orange'.. the green is protected by the firewall and the orange is a DMZ... which is used for serivces i.e. webserver... if a 'hacker' go into a service on the orange zone,  they shouldnt be able to talk to the green zone.

Now heres the question:

can a hacker can only connect to those 4 open ports and nothing else? so if I didnt have any oprts open there would be no way they can connect to anything of the companies and try to 'hack' into the network (especially being as there is a router infront)?

Also, one other thing.. as smoothwall is a linux based firewall, is it possible to 'hack' into it, if it dosnt have any ports open from the outside?

cheers for you info.

Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Hi dr_binks,

A sophiscated hacker can hack into a software firewall (and have done so in the past), but not a hardware firewall.  The router acts as a hardware firewall.  If the router is protecting open ports 22, 25, 110 and 80, then you do not have to worry.

well, I really don't think we can say that a sophisticated hacker cannot hack a hardware firewall...but it certainly is a start.

you will still have to keep on top of vulnerabilities and updates. Say if an SSH vulnerability is found (which certainly can happen) - then the hacker could exploit the system over port 22, and possibly take control of the fw (depending on the vulnerability). So, of course you aren't 100% safe (and none of us ever will be) but you do what you can to minimize the risk.

You still need to make sure that the system is properly configured, you use good passwords and encryption for the management accounts, and keep the system patched.

Are you allowing ports 25 and 80 in carte blanche, or only to certain hosts? You should really restrict things as much as possible. Also, are you blocking outbound access? I would recommend creating outbound rules that only allow the ports out that you want from the stations you want (#1 would be don't allow port 25 outbound from any system but your corporate email server - this will block email worms with their own embedded smtp engines)

Read both of these presentations:

Two different vendors, speaking the truth that once you open ports 80/TCP and 443/TCP, you've exposed yourself to a whole world of hurt, REGARDLESS of firewall manufacturer--Cisco PIX, SmoothWall, Check Point Firewall-1, etc.

To address your questions on SmoothWall, there are several exploits against SmoothWall.  Make sure you have the latest version.

On all firewalls, you should have a rule near the top of your rule base that specifies a "stealth" rule:
Src: ANY
Svc: ANY
Action: DENY

Unless there is a SmoothWall exploit AND no canned feature that is automatically enabled by the firewall program, you should be protected ON THE FIREWALL.

Again, the more important issue is what you've allowed through the firewall. Secure that. The firewall has been around since the early 90's and no one exploits the firewall itself anymore.

For example, Attack a firewall directly, you'll generate a ton of logs and raise concerns.
Attack a Web server using POST data and there's no logging. I've seen people go after SQL databases through a Web interface using IE pass the firewall (that allowed 443/TCP)....EXPLOIT, data captured, no logs on the Web server, and 443/TCP allow fine and dandy logs on the firewall (like nothing happened).

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
dr_binksAuthor Commented:
Thanks for the advice.
You are welcome!
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
OS Security

From novice to tech pro — start learning today.