One way to view the result of a firewall being compromised is to look
at things in terms of what can be roughly termed ``zones of risk.''
In the case of a network that is directly connected to the Internet
without any firewall, the entire network is subject to attack. This
does not imply that the network is vulnerable to attack, but in a
situation where an entire network is within reach of an untrusted
network, it is necessary to ensure the security of every single host on
that network. Practical experience shows that this is difficult, since
tools like rlogin that permit user-customizable access control are
often exploited by vandals to gain access to multiple hosts, in a form
of ``island hopping'' attack. In the case of any typical firewall, the
zone of risk is often reduced to the firewall itself, or a selected
subset of hosts on the network, significantly reducing the network
manager's concerns with respect to direct attack. If a firewall is
broken into, the zone of risk often expands again, to include the
entire protected network. A vandal gaining access to a login on the
firewall can begin an island hopping attack into the private network,
using it as a base. In this situation, there is still some hope, since
the vandal may leave traces on the firewall, and may be detected. If
the firewall is completely destroyed, the private network can undergo
attack from any external system, and reconstructing the course of an
attack becomes nearly impossible.
In general, firewalls can be viewed in terms of reducing the zone of risk to a single point of failure. In a sense, this seems like a bad idea, since it amounts to putting all of one's eggs in a single basket, but practical experience implies that at any given time, for a network of non-trivial size, there are at least a few hosts that are vulnerable to break-in by even an unskilled attacker. Many corporations have formal host security policies that are designed to address these weaknesses, but it is sheer foolishness to assume that publishing policies will suffice. A firewall enhances host security by funneling attackers through a narrow gap where there is a chance of catching or detecting them first. The well-constructed medieval castle had multiple walls and interlocking defense points for exactly the same reason.
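The zone-of-risk argument above can be made concrete by treating the network as a graph of login trust relations (the rlogin/.rhosts style of trust the text mentions) and computing which hosts an attacker can reach by island hopping in each of the three situations described: no firewall, an intact firewall, and a firewall on which the vandal holds a login. The following is an added illustration, not code from the paper; the host names and trust edges are constructed, and the model generalizes slightly by showing that a host nobody trusts stays outside the post-compromise zone.

```python
"""Zones of risk as reachability over login-trust relations.

Added illustration with a constructed network, not from the paper.
An edge a -> b means: a login on host a yields a login on host b
(for example, b's .rhosts file trusts a).
"""
from collections import deque

# Constructed example network.
TRUST = {
    "firewall": {"mail", "admin"},  # two inside hosts trust the firewall
    "admin":    {"db", "dev1"},
    "mail":     set(),
    "dev1":     {"dev2"},
    "dev2":     {"dev1"},
    "db":       set(),
    "hr":       set(),              # nobody trusts hr, so no hop reaches it
}
INSIDE = set(TRUST)


def zone_of_risk(footholds, trust):
    """Hosts reachable from the attacker's initial footholds by island hopping."""
    seen = set(footholds)
    queue = deque(footholds)
    while queue:
        host = queue.popleft()
        for nxt in trust.get(host, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def scenario(name):
    """The three situations described in the text, as sets of exposed hosts."""
    if name == "no_firewall":
        # Every host is directly within reach of the untrusted network.
        return zone_of_risk(INSIDE, TRUST)
    if name == "firewall_intact":
        # Only the firewall itself is exposed; without a login on it,
        # trust edges cannot yet be followed.
        return {"firewall"}
    if name == "firewall_login":
        # The vandal holds a login on the firewall and hops along trust edges.
        return zone_of_risk({"firewall"}, TRUST)
    raise ValueError(name)
```

Comparing `scenario("firewall_login")` with `scenario("no_firewall")` shows which trust edges turn a single compromised host back into a whole-network exposure; removing the edges out of the firewall is what keeps the zone small.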