The failure of the traditional firewall

Until the firewall is enabled to actively communicate with other security components, it will continue to fall short of its mission to protect private networks from compromise

The failure of the traditional firewall to live up to its impenetrable image is not limited to the relative strength or weakness of individual firewall products. While some standalone firewalls are clearly more secure than others, none are capable of adequately protecting corporate assets on their own. It is a critical mistake to assume that simply erecting any standalone firewall in front of a private network is sufficient to protect it from attack.

Anyone who doubts that traditional firewalls are failing need only look at the mounting evidence. While virtually every networked company today either owns a firewall or connects to the Internet through a managed firewall service, security breaches are actually increasing at an alarming rate. Many breaches, such as the recent high-profile break-ins at the NY Times, Yahoo, and the Pentagon, make headlines around the world. The vast majority, of course, are never reported. Confidential data collected by the Computer Security Institute (CSI) last year estimated the average annual loss for computer theft in North America at more than $400,000 per company, not including personnel costs such as system recovery, research time and lost productivity. A recent study from the American Society for Industrial Security estimated the total direct and indirect losses from all intellectual property crime worldwide at a staggering $24 billion annually.

Not only are traditional firewalls being bypassed on a daily basis, they are completely incapable of alerting you to most compromises, even after the fact. And the problem is not limited to external hackers. In virtually every company, internal employees and contractors have relatively easy access to data on "protected" systems without ever going through the firewall. What is the cost of a contractor accessing personnel records on your HR server or downloading your company customer database? If you think such breaches are not occurring in your company, it may be time to think again. Losses such as these are not limited to typical high-risk industries. In perhaps the most frightening statistic of all, the FBI and CSI estimated last year that as many as 97 percent of all computer security breaches today go completely undetected.

The solution to this growing problem will never be found by simply improving the security technology of traditional firewall products. What's needed is an entirely new model of perimeter security that recognises the strengths of the firewall as an enforcement point, then empowers it to "actively" communicate with the rest of the network, responding to new attacks and modifying security measures accordingly. What is required is a distributed firewall system that integrates alarms, scanners, detectors and central monitoring communications to effectively prevent security breaches both inside and outside the network. What's needed is an "Active Firewall".

What is a Firewall?

It is virtually impossible to compete in today's fast-paced business environment without connecting your private network to the public Internet. Your employees need to rapidly access and share information with partners, customers and the world at large if you are to stay ahead of the competition. Unfortunately, such connectivity provides an easy path for untrusted parties on the outside to penetrate a company's private network and access or tamper with internal information and resources. Similar issues arise when parts of an internal enterprise network are interconnected to create a broad intranet or wide area network. Despite the focus on protecting networks from external hackers, most security experts now believe that more than half of all security breaches originate from internal employees or contractors.

A firewall is essentially a security enforcement point that separates a trusted network from an untrusted one. Firewalls screen all connections between two networks, determining which traffic should be allowed and which should be disallowed based on some form of security policy decisions determined in advance by the security administrator.

Firewalls are most commonly used to protect an internal corporate network from the public Internet, but are increasingly being deployed internally as well to separate individual departments from the rest of the network. Using firewalls throughout an internal network gives security administrators the ability to apply different access control rules across a variety of working groups and network subnets as appropriate. Internal firewalls also enhance security by providing a layer of protection against internal breaches. Setting up a separate firewall in front of the HR department, for example, would make it far more difficult for engineers in the internal software development group to penetrate sensitive HR data.

Firewalls alone are not enough?

Even most firewall vendors now admit that firewalls by themselves are insufficient to protect an interconnected network from intrusion. While firewalls are an excellent enforcement point to examine attempted connections to a protected network, there are many other vulnerabilities that firewalls are simply not designed to address.

Consider for a moment the physical security components that protect a public building such as a museum. Each of these components is an integral part of a complete security system designed to keep out intruders. No single element is sufficient in and of itself.

Guards at the door

In a secured facility such as a museum, security guards are stationed at each of the perimeter doors. All other doors and windows are securely locked to ensure that entry can be gained only by passing through a guarded door. The primary job of each guard, of course, is to ensure that no unauthorised personnel gain entry through that door. In a large museum, you will also find guards posted at internal doors between adjoining wings of the museum.

In a computer network, firewalls play the role of the security guard, scanning all network traffic to determine which connections should be allowed and which should be rejected. Guards protecting internal wings of a large facility are analogous to Intranet firewalls placed in front of individual departments or internal facilities.

Motion sensors, security cameras and alarms

In addition to posting guards at each entrance point, museums also typically install motion sensors on valuable exhibits. If anyone in the building attempts to tamper with a protected painting or artefact, an alarm sounds. Similar alarms may be installed on interior doors that lead to private offices, exhibit storage or other confidential areas. Security cameras will also be installed near important exhibits to record suspicious activity and create a record for analysis if break-in or tampering is suspected.

In a network environment, this role is played by real-time intrusion protection products. Intrusion protection sensors watch internal network traffic and specific servers in real time for signs of attack. If penetration is detected, these systems can trigger alerts to an administrator warning of a potential attack in progress. Intrusion protection sensors also provide security administrators with log files that serve as an internal security audit trail. Intrusion protection sensors are often the only way to detect security breaches that originate inside the firewall. Intrusion protection sensors also provide a second tier of security against outside hackers who either gained access through the firewall or were able to bypass its security.

Metal detectors

While a patron entering our museum may look harmless, we may also want him or her to pass through a metal detector at the main entrance to ensure that no dangerous objects enter the museum. If an object such as a pocketknife is rejected by the museum, but has been carried in without malicious intent, it may be possible to simply confiscate the banned item and allow entrance to the patron who brought it.

In the same way, network security administrators should add scanners at each Internet gateway to scan for the presence of malicious code such as viruses, Trojans or hostile Java and ActiveX applets. Viruses that have infected an otherwise secure email transmission may be removed at the gateway, allowing the original message to continue as a clean transmission.

Testing the locks

Another critical aspect of securing a physical building is the process of routinely testing the various doors, windows and security systems to ensure that everything is working properly and that no new security holes have opened up. Because a museum is filled with people each day, both employees and visitors, it is critical to check the locks at the end of each day to ensure no alternative entry points are left open inadvertently.

In a network security environment, security vulnerability scanners play this role. A vulnerability scanner is essentially a powerful hacker tool that allows network security administrators to routinely test their own network for potential weaknesses or security holes. These tools generate reports that identify any potential vulnerabilities, rank their importance and offer suggestions for how they can be secured.

Card entry systems

A large museum may also install card-entry systems for entry by museum administrators or other authorised personnel without the necessity of staffing guards to personally verify identification. Such entry systems might be placed at the external gate to provide museum officials with out of hours access. Additional card entry systems might be placed at internal office doors or other secured internal rooms to allow authorised entry based on a pre-established set of access rights for that individual. Such card key systems often require both the card and a PIN (personal identification number) for entry.

In a network security environment, card-entry systems are analogous to encryption and authentication mechanisms such as virtual private network (VPN) software. VPN solutions allow authorised individuals, business partners and remote offices to verify their identity electronically to gain access into secured areas of a private network from a remote location. Some VPNs are entirely software based. Others require a card (token) as an additional security measure.

Putting it all together

Creating a network environment that is secure from both internal and external compromise clearly requires more than just installing a firewall at the Internet gateway. What's required is a more comprehensive distributed firewall system incorporating complementary solutions such as intrusion protection, vulnerability scanning, virus and malicious code scanning, virtual private networking and internally deployed firewalls. Companies that rely on a standalone firewall at the Internet gateway are locking the door, but leaving all the windows open. Regardless of how good the lock may be, everything inside is at risk.

Building an "Active Firewall System"

Having all the right elements of a perimeter security system in place, while essential, is not an end unto itself. In a physical security environment, we take for granted that the various security components "actively" interact with each other, working in concert to share information and adapt to new threats as they occur. When a guard hears an alarm go off, he adapts his actions accordingly. He might, for example, temporarily block all passage through his door until the incident is resolved. Or he might simply increase the level of security checks conducted on those leaving the museum for a period of time. If a side access door is discovered to have a broken lock during a routine check, security is increased at that exit until the problem can be resolved. If a guard spots suspicious activity or an attempted break-in, he immediately radios an incident report to the central monitoring room so that other guards and those watching the security cameras can be on the lookout.

What if our museum guard simply ignored alarms, turned off his radio and failed to notify anyone when a break-in attempt was observed? He would probably be fired for incompetence. Yet we fully accept this kind of static, unresponsive performance from our corporate firewalls today. As long as they "guard their door" effectively, we are satisfied.

Unfortunately, the types of "active" communications we take for granted in the arena of physical security simply have not been possible in the realm of network security. Traditional firewalls do not communicate with vulnerability scanners. They are completely deaf to the alarms of intrusion protection monitors. When potential security incidents do occur, traditional firewalls do not increase the detail in their log files to create a better audit trail. In most cases, each individual component is developed by a separate vendor, further complicating any potential "active security" integration. Until the firewall is enabled to actively communicate with other security components, however, it will continue to fall short of its mission to protect private networks from compromise.
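As an added illustration of the "active" coordination the article calls for (example code written for this page, not from the article or any vendor's product), here is a minimal firewall controller that consumes intrusion-sensor alarms and vulnerability-scanner findings, raises a temporary block and a more detailed logging level while an incident is live, and stands down when it expires. The message formats, the severity threshold and the 900-second block lifetime are assumptions.

```python
import time

# Constructed sample messages in an assumed format: what an intrusion sensor
# and a vulnerability scanner might hand to the firewall.
IDS_ALERTS = [
    {"src": "203.0.113.7", "severity": 4, "msg": "port scan against 10.0.0.5"},
    {"src": "198.51.100.2", "severity": 1, "msg": "single failed login"},
]
SCAN_FINDINGS = [
    {"host": "10.0.0.9", "issue": "unpatched ftpd", "fixed": False},
]


class ActiveFirewall:
    """Enforcement point that reacts to alarms and routine lock checks."""

    def __init__(self, clock=time.time, block_ttl=900):
        self.clock = clock            # injectable clock so expiry is testable
        self.block_ttl = block_ttl    # reactive blocks expire, like a guard standing down
        self.blocks = {}              # source address -> expiry timestamp
        self.quarantined = set()      # internal hosts with an open finding
        self.log_level = "normal"

    def on_ids_alert(self, alert):
        """The guard hears an alarm: block the source for a while, log in more detail."""
        if alert["severity"] >= 3:                       # assumed threshold
            self.blocks[alert["src"]] = self.clock() + self.block_ttl
        self.log_level = "verbose"                       # better audit trail during an incident

    def on_scan_finding(self, finding):
        """A broken lock on a routine check: restrict the host until it is fixed."""
        if finding["fixed"]:
            self.quarantined.discard(finding["host"])
        else:
            self.quarantined.add(finding["host"])

    def expire(self):
        """Drop blocks whose time is up; return to normal logging once none remain."""
        now = self.clock()
        self.blocks = {ip: exp for ip, exp in self.blocks.items() if exp > now}
        if not self.blocks:
            self.log_level = "normal"

    def allows(self, src, dst):
        """Connection decision: reactive blocks and quarantine override the static policy."""
        self.expire()
        return src not in self.blocks and dst not in self.quarantined


def demo(clock=time.time):
    """Feed the constructed alarms and findings into a fresh firewall and return it."""
    fw = ActiveFirewall(clock=clock)
    for alert in IDS_ALERTS:
        fw.on_ids_alert(alert)
    for finding in SCAN_FINDINGS:
        fw.on_scan_finding(finding)
    return fw
```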

Mike Burkitt
