If an intruder can find a hole in your firewall, then the firewall has failed. There are no in-between states. Once a hacker is in, your internal network is at her mercy. If she hijacks an administrative account, you're in big trouble. If she hijacks an account with lesser privileges, all the resources available to that account are at risk.
No firewall can protect against inadequate or mismanaged policies. If a password gets out because a user did not properly protect it, your security is at risk. If an internal user dials out through an unauthorized connection, an attacker could subvert your network through this backdoor. Therefore, you must implement a firewall policy.
Obviously, the firewall and the firewall policy are two distinct things that require their own planning and implementation. A weakness in the policy or the inability to enforce the policy will weaken any protection provided by even the best firewalls. If internal users find your policies too restrictive, they may go around them by connecting to the Internet through a personal modem. The firewall in this case is useless. You may not even know your systems are under attack because the firewall is guarding the wrong entrance
Internet FAQ top