Security Policies

As mentioned previously, firewalls are nothing more than access control policy enforcement points. Consequently, a firewall is only as effective as the firewall security policy (as opposed to the enterprise security policy) that dictates how the firewall will be used. Firewall security policies are discussed in great detail in Chapter 10, "Firewall Security Policies," but we can look at the fundamentals of what kinds of firewall security policies exist and how to build an effective security policy now.

The first step to a good security policy is to perform a risk analysis to determine what the threats to the protected system are. After doing this, you can develop a strategy and policy for protecting the system from those threats with your firewalls.

A key thing to understand when you develop this strategy is that you may not be able to protect against or prevent everything. The reasons for this range from technological limitations (technically, the recommendation cannot be done) to practical limitations (it would not be practical to undertake the recommendation) to financial limitations (you do not have the money in the budget to undertake the recommendation). As a result, you need to approach the subject from the perspective of seeking to minimize the risk associated with the threat. In some cases, that means you can reduce the risk to zero (for example, if you use a firewall to prevent all access to a system). In other cases, you can only reduce the risk to a level that is acceptable to management. For example, management may decide that they cannot afford to spend the money required to implement the security solution recommended. In this instance, it is absolutely critical to convey in an honest and accurate manner what the level of risk will be.
The reason for this is that after an incident occurs, it becomes really convenient for people to suddenly forget that they agreed to that level of risk in the first place. This is the time that it comes in handy to be able to