Until the firewall is enabled to actively communicate with other
security components, it will continue to fall short of its mission
to protect private networks from compromise.
The failure of the traditional firewall to live up to its
impenetrable image is not a matter of the relative strength or
weakness of individual firewall products. While some standalone
firewalls are clearly more secure than others, none is capable
of adequately protecting corporate assets on its own. It is a
critical mistake to assume that simply erecting a standalone
firewall in front of a private network is sufficient to protect it
from attack.
Anyone who doubts that traditional firewalls are failing need only
look at the mounting evidence. While virtually every networked
company today either owns a firewall or connects to the Internet
through a managed firewall service, security breaches are
increasing at an alarming rate. Some breaches, such as the recent
high-profile break-ins at the NY Times, Yahoo, and the Pentagon,
make headlines around the world. The vast majority, of course, are
never reported. Confidential data collected by the Computer
Security Institute (CSI) last year estimated the average annual
loss from computer theft in North America at more than $400,000 per
company, not including personnel costs such as system recovery,
research time and lost productivity. A recent study from the
American Society for Industrial Security estimated the total direct
and indirect losses from all intellectual property crime worldwide
at a staggering $24 billion annually.
Not only are traditional firewalls being bypassed on a daily basis,
they are incapable of alerting you to most compromises, even after
the fact. And the problem is not limited to external hackers. In
virtually every company, internal employees and contractors have
relatively easy access to data on "protected" systems without ever
going through the firewall. What is the cost of a contractor reading
personnel records on your HR server or downloading your customer
database? If you think such breaches are not occurring in your
company, it may be time to think again. Losses such as these are
not limited to the typical high-risk industries. In perhaps the
most frightening statistic of all, the FBI and CSI estimated last
year that as many as 97 percent of all computer security breaches
go completely undetected.
The solution to this growing problem will never be found by simply
improving the security technology of traditional firewall products.
What's needed is an entirely new model of perimeter security that
recognises the strengths of the firewall as an enforcement point,
then empowers it to "actively" communicate with the rest of the
network, responding to new attacks and modifying security measures
accordingly. What is required is a distributed firewall system that
integrates alarms, scanners, detectors and central monitoring
communications to prevent security breaches from both inside and
outside the network. What's needed is an "Active Firewall".
What is a Firewall?
It is virtually impossible to compete in today's fast-paced business
environment without connecting your private network to the public
Internet. Your employees need to rapidly access and share
information with partners, customers and the world at large if you
are to stay ahead of the competition. Unfortunately, such
connectivity also provides an easy path for untrusted parties on the
outside to penetrate a company's private network and access or
tamper with internal information and resources. Similar issues
arise when parts of an internal enterprise network are interconnected
to create a broad intranet or wide area network. Despite the focus on
protecting networks from external hackers, most security experts
now believe that more than half of all security breaches originate
with internal employees or contractors.
A firewall is essentially a security enforcement point that
separates a trusted network from an untrusted one. Firewalls screen
all connections between the two networks, determining which traffic
should be allowed and which should be refused according to a
security policy defined in advance by the security administrator.
Firewalls are most commonly used to protect an internal corporate
network from the public Internet, but they are increasingly being
deployed internally as well to separate individual departments from
the rest of the network. Using firewalls throughout an internal
network gives security administrators the ability to apply different
access control rules to different working groups and network subnets
as appropriate. Internal firewalls also provide a layer of
protection against internal breaches. Setting up a separate firewall
in front of the HR department, for example, would make it far more
difficult for engineers in the internal software development group
to reach sensitive HR data.
Firewalls alone are not enough?
Even most firewall vendors now admit that firewalls by themselves
are insufficient to protect an interconnected network from
intrusion. While firewalls are an excellent enforcement point at
which to examine attempted connections to a protected network, there
are many other vulnerabilities that firewalls are simply not
designed to address.
Consider for a moment the physical security components that protect
a public building such as a museum. Each of these components is an
integral part of a complete security system designed to keep out
intruders. No single element is sufficient in and of itself.
Guards at the door
In a secured facility such as a museum, security guards are
stationed at each of the perimeter doors. All other doors and
windows are securely locked to ensure that entry can be gained only
by passing through a guarded door. The primary job of each guard, of
course, is to ensure that no unauthorised person gains entry through
that door. In a large museum, you will also find guards posted at
internal doors between adjoining wings.
In a computer network, firewalls play the role of the security
guard, screening all network traffic to determine which connections
should be allowed and which should be rejected. Guards protecting
internal wings of a large facility are analogous to intranet
firewalls placed in front of individual departments or internal
facilities.
Motion sensors, security cameras and alarms
In addition to posting guards at each entrance, museums also
typically install motion sensors on valuable exhibits. If anyone in
the building attempts to tamper with a protected painting or
artefact, an alarm sounds. Similar alarms may be installed on
interior doors that lead to private offices, exhibit storage or
other confidential areas. Security cameras are also installed near
important exhibits to record suspicious activity and create a record
for analysis if a break-in or tampering is suspected.
In a network environment, this role is played by real-time intrusion
protection products. Intrusion protection sensors watch internal
network traffic and specific servers in real time for signs of
attack. If an attack is detected, these systems can alert an
administrator to a potential intrusion in progress. The sensors also
provide security administrators with log files that serve as an
internal security audit trail. They are often the only way to detect
security breaches that originate inside the firewall, and they
provide a second tier of security against outside hackers who have
either gained access through the firewall or managed to bypass it.
Metal detectors
While a patron entering our museum may look harmless, we may also
want him or her to pass through a metal detector at the main
entrance to ensure that no dangerous objects enter the museum. If a
banned object such as a pocketknife has been carried in without
malicious intent, it may be possible simply to confiscate the item
and admit the patron who brought it.
In the same way, network security administrators should add content
scanners at each Internet gateway to check for malicious code such
as viruses, Trojans or hostile Java and ActiveX applets. A virus
attached to an otherwise legitimate email message may be removed at
the gateway, allowing the cleaned message to continue to its
recipient.
Testing the locks
Another critical aspect of securing a physical building is routinely
testing the various doors, windows and security systems to ensure
that everything is working properly and that no new security holes
have opened up. Because a museum is filled with people each day,
both employees and visitors, it is critical to check the locks at
the end of each day to ensure that no alternative entry points have
inadvertently been left open.
In a network security environment, vulnerability scanners play this
role. A vulnerability scanner is essentially the same kind of tool
an attacker uses for reconnaissance, turned to the administrator's
advantage: it allows network security administrators to routinely
test their own network for weaknesses and security holes. These
tools generate reports that identify potential vulnerabilities, rank
their severity and suggest how they can be fixed.
Card entry systems
A large museum may also install card-entry systems so that museum
administrators and other authorised personnel can enter without a
guard having to verify their identification in person. Such entry
systems might be placed at the external gate to give museum
officials out-of-hours access. Additional card-entry systems might
be placed at internal office doors or other secured rooms to allow
entry according to a pre-established set of access rights for that
individual. Such card key systems often require both the card and a
PIN (personal identification number) for entry.
In a network security environment, card-entry systems are analogous
to authentication and encryption mechanisms such as virtual private
network (VPN) software. VPN solutions allow authorised individuals,
business partners and remote offices to verify their identity
electronically and gain access to secured areas of a private network
from a remote location. Some VPNs are entirely software based;
others require a hardware token (the "card") as an additional
authentication factor, much as the card-entry system requires both
card and PIN.
Putting it all together
Creating a network environment that is secure from both internal and
external compromise clearly requires more than installing a firewall
at the Internet gateway. What's required is a more comprehensive
distributed firewall system incorporating complementary solutions
such as intrusion protection, vulnerability scanning, virus and
malicious code scanning, virtual private networking and internally
deployed firewalls. Companies that rely on a standalone firewall at
the Internet gateway are locking the door but leaving all the
windows open. Regardless of how good the lock may be, everything
inside is at risk.
Building an "Active Firewall System"
Having all the right elements of a perimeter security system in
place, while essential, is not an end in itself. In a physical
security environment, we take for granted that the various security
components "actively" interact with each other, working in concert
to share information and adapt to new threats as they occur. When a
guard hears an alarm go off, he adapts his actions accordingly. He
might, for example, temporarily block all passage through his door
until the incident is resolved. Or he might simply increase the
level of security checks conducted on those leaving the museum for
a period of time. If a side access door is discovered to have a
broken lock during a routine check, security is increased at that
exit until the problem can be resolved. If a guard spots suspicious
activity or an attempted break-in, he immediately radios an
incident report to the central monitoring room so that other guards
and those watching the security cameras can be on the lookout.
What if our museum guard simply ignored alarms, turned off his radio
and failed to notify anyone when a break-in attempt was observed? He
would probably be fired for incompetence. Yet we fully accept this
kind of static, unresponsive performance from our corporate
firewalls today. As long as they "guard their door" effectively, we
are satisfied.
Unfortunately, the kind of "active" communication we take for
granted in the arena of physical security has simply not been
available in the realm of network security. Traditional firewalls
do not communicate with vulnerability scanners. They are completely
deaf to the alarms of intrusion protection monitors. When potential
security incidents do occur, traditional firewalls do not increase
the detail in their log files to create a better audit trail. In
most cases, each individual component is developed by a separate
vendor, further complicating any potential "active security"
integration. Until the firewall is enabled to actively communicate
with other security components, however, it will continue to fall
short of its mission to protect private networks from compromise.
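The following is an added example, not code from this article or from any product it alludes to. It shows in Python the two mechanisms the article describes: the firewall as a first-match, default-deny policy enforcement point (the HR-versus-engineering segmentation case from the "What is a Firewall?" section), and the "active" firewall of this section, which consumes intrusion-sensor alerts, raises its logging detail while an incident is open, and inserts a temporary block rule ahead of its static rules. All addresses, rule names, alert lines, thresholds and the alert format are constructed for the illustration.

```python
# Toy "active firewall": a first-match packet filter whose rule set is changed at
# run time by intrusion-sensor alerts.  Added for this article, not any product's
# code; addresses, rule names, alert lines and thresholds are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

ALERT_WINDOW = 600     # seconds within which alerts from one source are correlated
ALERT_THRESHOLD = 3    # alerts from one source before it is blocked
BLOCK_DURATION = 3600  # seconds a dynamic block rule stays in force


@dataclass
class Rule:
    name: str
    action: str                      # "allow" or "deny"
    src: str                         # source CIDR
    dst: str                         # destination CIDR
    dport: Optional[int] = None      # None matches any destination port
    expires: Optional[float] = None  # None marks a static rule

    def matches(self, src: str, dst: str, dport: int) -> bool:
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == dport))


class ActiveFirewall:
    """Dynamic rules are evaluated before static ones; no match means deny."""

    def __init__(self, rules: List[Rule]):
        self.static = list(rules)
        self.dynamic: List[Rule] = []
        self.log_level = "summary"  # "summary" logs denials only; "verbose" logs all
        self.log: List[str] = []
        self.strikes: Dict[str, List[float]] = {}  # source -> recent alert times

    def decide(self, src: str, dst: str, dport: int, now: float) -> str:
        # Drop expired dynamic rules first, so a block lifts by itself.
        self.dynamic = [r for r in self.dynamic if r.expires > now]
        verdict, hit = "deny", "default-deny"
        for rule in self.dynamic + self.static:
            if rule.matches(src, dst, dport):
                verdict, hit = rule.action, rule.name
                break
        if verdict == "deny" or self.log_level == "verbose":
            self.log.append(f"{now:.0f} {verdict} {src}->{dst}:{dport} rule={hit}")
        return verdict

    def on_alert(self, alert_line: str, now: float) -> bool:
        """Consume one sensor alert; return True if a block rule was added."""
        # Constructed alert format: "<ts> sensor=<id> src=<ip> dst=<ip> sig=<name>"
        fields = dict(tok.split("=", 1) for tok in alert_line.split()[1:])
        src = fields["src"]
        recent = [t for t in self.strikes.get(src, []) if now - t < ALERT_WINDOW]
        recent.append(now)
        self.strikes[src] = recent
        # Like the guard who hears an alarm: raise audit detail while the incident is open.
        self.log_level = "verbose"
        name = f"ids-block-{src}"
        if len(recent) < ALERT_THRESHOLD or any(r.name == name for r in self.dynamic):
            return False
        # Temporary single-host block, inserted ahead of every static rule.
        self.dynamic.insert(0, Rule(name, "deny", f"{src}/32", "0.0.0.0/0",
                                    None, now + BLOCK_DURATION))
        return True


def build_example_firewall() -> ActiveFirewall:
    # Constructed policy: public web server reachable from anywhere; HR segment
    # reachable only from HR workstations, so engineering hosts hit the default deny.
    return ActiveFirewall([
        Rule("public-web", "allow", "0.0.0.0/0", "192.0.2.80/32", 80),
        Rule("hr-clients-to-hr", "allow", "10.10.0.0/24", "10.20.0.0/24", 443),
    ])


# Constructed sensor alerts: one outside host probing the web server three times.
SAMPLE_ALERTS = [
    "1000 sensor=dmz-1 src=203.0.113.7 dst=192.0.2.80 sig=http-traversal",
    "1030 sensor=dmz-1 src=203.0.113.7 dst=192.0.2.80 sig=cgi-probe",
    "1045 sensor=dmz-1 src=203.0.113.7 dst=192.0.2.80 sig=shellcode",
]


def run_demo() -> List[str]:
    fw = build_example_firewall()
    verdicts = [
        fw.decide("10.30.0.5", "10.20.0.10", 443, 900),   # engineering -> HR server
        fw.decide("10.10.0.5", "10.20.0.10", 443, 900),   # HR workstation -> HR server
        fw.decide("203.0.113.7", "192.0.2.80", 80, 950),  # outsider -> public web
    ]
    for line in SAMPLE_ALERTS:
        fw.on_alert(line, float(line.split()[0]))
    verdicts.append(fw.decide("203.0.113.7", "192.0.2.80", 80, 1050))  # blocked
    verdicts.append(fw.decide("203.0.113.7", "192.0.2.80", 80, 1045 + BLOCK_DURATION + 1))
    return verdicts
```

Calling run_demo() returns the verdicts before, during and after the automatic block: the engineering host is refused by the default deny, the HR workstation is allowed, the outsider is allowed until the third alert inserts a block rule, and the block lifts on its own after BLOCK_DURATION. Two design points matter if a firewall is made to react like this for real. The response is keyed on repeated alerts from one source rather than a single hit, because one alert is cheap for an attacker to provoke, and the block rule carries an expiry so that a false positive causes a bounded outage rather than a permanent one. Even so, an attacker who can forge source addresses can make the firewall block addresses you depend on, so a production version should also exempt infrastructure such as DNS servers, partner gateways and the management network from automatic blocking; this example does not.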
Mike Burkitt