The recent Nimda virus caused untold damage to companies throughout the world. IT administrators spent days disinfecting and patching infected systems, as well as belatedly applying current security patches to systems running Microsoft's Internet Information Server software. Nimda did an incredibly thorough job of finding systems running IIS, even if those systems weren't really Web servers.
One lesson this episode taught us is to keep security patches up to date - even if your system is behind a firewall. The tens of thousands of systems that were compromised by Nimda were hit because their administrators had incorrectly assumed that, because the systems were behind a firewall, they didn't have to be as vigilant about security.
Nimda propagated in many ways, but one of its primary starting places was e-mail that contained a Trojan horse file. Everyone in IT has tried valiantly to convince users not to run programs of unknown origin, and everyone in IT knows that such requests often fall on deaf ears. There was no reason for any user to run the Nimda Trojan horse, but they did, and the program immediately searched for (and often found) unprotected systems running IIS. As many people discovered, IIS runs by default on many systems that are not being used as traditional Web servers.
The name "firewall" is an overstatement. Firewalls are really content filters, not walls. Many attacks can be stopped by well-administered firewalls, but as Nimda and others have shown, well-planned attacks can get around firewalls very easily. Face it: Dangerous e-mail (and often dangerous Web content) gets through firewalls. If you don't keep every system behind your firewall as secure as those systems outside your firewall, you are opening yourself up to attacks started by unwitting users.
The Nimda attack had an unintended consequence that should reinforce the need for securing everything, even systems behind a firewall. Systems running IIS were not the only ones affected; some products with interfaces that use the HTTP port stopped working when probed by Nimda. Many devices such as print servers and VPNs have Web-based administrative interfaces. Some of these simply froze when barraged with the probes from Nimda-infected systems.
There are many reasons not to trust firewalls to the point where you don't fortify all the hosts on your network. First and foremost, good attackers know that firewalls are common, so they come up with methods to get through the firewall. Second, many attacks are meant to be short-lived, so updating a firewall's policy might stop a new attack but only after many hours. As Nimda showed, this is probably enough time to do a lot of damage. Third, it is not safe to assume that the firewall administrator fully understands the interface of the firewall product you use or that the interface completely matches the firewall's policy.