Real World Example
We installed a SonicWall 5060 at work last week. We had some trouble at first, due to miscommunication. We wanted a transparent bridging firewall -- something that the 5060 can do. Transparent bridging is a new feature of the SonicWall firmware, though, so the installation engineer wasn't familiar with it. When we spoke about "transparent bridging", he thought we were talking about SonicWall's "layer 3 transparent firewall" configuration.
The installation engineer used his cellular phone to call his senior technician, while I called OSU's main network guy. The argument that ensued -- using my phone as the medium -- was interesting, and not entirely pleasant. We ultimately un-did what we had done so far, reverting back to our original configuration without the SonicWall. That evening, the installation engineer educated himself on the layer 2 bridge capability of the SonicWall. By lunch time the following day, the firewall was up and running without incident.
Yesterday a systems engineer in another college, with whom I sometimes eat lunch, asked if he could see the firewall and its management interface. I was only too happy to oblige. After a quick inspection of the physical box, we sat down in my office to walk through the web-based administrative tool. I showed the basics of how to configure the firewall interfaces, how to create groups of objects, and how to apply firewall rules to those groups.
Trying to show off a little, I said "And here's where we can see a snapshot of current Internet usage... See, we can see all traffic by protocol, or all traffic by destination address to see which sites are super popular, or even all traffic by source address. For example, this computer has ... wow ... 104 open connections to other systems on the Internet..." I shifted gears and identified that the system in question was busily serving BitTorrent streams. Additional investigation revealed that the machine had enough open ports as to cause alarm, and to merit investigation.
My colleague followed along as my boss and I set out to evaluate the situation, after identifying the location of this system. It turned out to be (mostly) uninteresting, and was dealt with quickly. The offender wasn't likely to attract the attention of the MPAA or RIAA given what was being shared, but nonetheless it wasn't an appropriate use of the department network.
My colleague remarked "It looks like this firewall is causing you work, not alleviating it!" And while that's true to a degree, prior to the installation of this firewall we had no meaningful way to identify this sort of thing until the University's security group would alert us to a problem. By then, of course, it was usually too late.