[ISN] Human errors leave systems vulnerable, not faulty firewalls

From: mea culpa (jerichoat_private)
Date: Thu Sep 24 1998 - 18:36:59 PDT

  • Next message: mea culpa: "[ISN] "Hidden Security Risk" Best Foiled With Enforceable Messaging Policy"

      This message is in MIME format.  The first part should be readable text,
      while the remaining parts are likely unreadable without MIME-aware tools.
      Send mail to mimeat_private for more info.
    Content-Type: TEXT/PLAIN; CHARSET=us-ascii
    Content-Transfer-Encoding: QUOTED-PRINTABLE
    Content-ID: <Pine.SUN.3.96.980924193427.14838sat_private>
    Human errors leave systems vulnerable, not faulty firewalls
    September 11, 1998
    Web posted at 4:15 PM EDT
    by Gary H. Anthes
    (IDG) -- The leading Internet firewalls are a little like today's popular
    automobiles: Although there are many differences among them, most modern
    cars can get you from Point A to Point B reliably, safely and efficiently.=
    Crashes and other failures are most likely due to user error, as they are
    for firewalls.=20
    Indeed, a particular firewall may be better able than others to meet a
    given user's unique needs, and experts say it pays to compare features.=20
    But they say it is more important how you set up and maintain a firewall =
    and how carefully you craft the security policies it's there to enforce =97
    than which product you choose.=20
    That advice was borne out by a recent exercise conducted by Computerworld
    and Federal Computer Week in which computer security experts, armed with
    sophisticated hacking tools, repeatedly attacked four of the leading
    network firewalls. Each product performed pretty much as advertised, and
    all protected internal systems from penetration.=20
    However, the firewalls didn't perform perfectly, either because of
    inherent flaws in the firewalls, flaws in the underlying operating system
    or suboptimum configuration by the user. One of the firewalls was knocked
    out by a denial-of-service attack. And each of the three attack teams
    gleaned a lot of information about systems behind the firewalls,
    information better kept hidden.=20
    The denial-of-service attack, launched by Security Design International,
    Inc. using a freeware attack tool called Targa, brought down one of the
    firewalls, effectively stifling all incoming and outgoing traffic until
    the computer was rebooted.  Another firewall withstood the Targa attack
    because it had the very latest NT security patches applied, says Bob
    Stratton, a vice president at the Falls Church, Va.-based company. Time
    and logistics prevented the team from launching Targa at the remaining two
    firewalls.  A network outage brought on by a denial-of-service attack may
    be more costly to a company than a theft of information, experts say. "If
    you're going to use technology that forces all network traffic through a
    choke point =97 and for good reason =97 you'd better make sure it stays up =
    the face of adversity,"  Stratton says.=20
    The attack teams also were able to learn more about systems behind the
    firewall than a firewall and its administrator should allow in the
    interests of security. For example, the Ernst & Young LLP team was able to
    learn the identities of the LAN server behind the firewall and various
    services running on it.  "Knowing that [Microsoft] Exchange was running
    there, we had the potential to further exploit the box by knowing certain
    Exchange vulnerabilities," says Eric Schultze, a senior manager in Ernst &
    Young's security practice.=20
    Ernst & Young also was able to determine the address of the internal
    network, the status of various NT ports and other information. The ability
    to get this information is due in part to security weaknesses in NT but
    could have been blocked by the firewalls, Schultze says.=20
    The Deloitte & Touche team learned the identities of the makers of
    internal server software, hardware and two of the firewall vendors. That
    information should have been hidden, says Fred Rica, a partner and attack
    team member.  "You gather bits and pieces of information that by
    themselves seem innocuous, and all of a sudden you can build a picture of
    what this thing looks like," Rica says. "The more information you have,
    the higher the likelihood that eventually you'll be successful."=20
    "Most of the top firewalls offer a comparable level of security," says
    George Kurtz, a senior manager at Ernst & Young. "It's a function of how
    well they are implemented." He called firewall certification programs by
    test labs "baloney" because they can't address how users configure and
    maintain the products.=20
    Rica says firewall configuration =97 in which users specify which network
    services will be permitted and which blocked =97 must be dictated by
    corporate security policies. And those policies should be driven by
    business objectives. "What is the company trying to do on the Internet?
    Electronic commerce? Web hosting? Just E-mail?"  he asks. He advises a
    conservative approach in which the firewall denies all services except
    those explicitly turned on by the customer, rather than one in which
    anything goes except services explicitly blocked.=20
    A simplistic reliance on checklists of features may lead buyers to omit a
    comprehensive, pre-installation analysis of risks, Stratton says. "I have
    a concern whether the public is being served by the commodity marketing of
    this kind of product," he says. "People say, 'We need a firewall,' when
    what they really mean is, 'We need security against network threats.' They
    are just buying a product and installing it, and I'm not convinced it's
    better than nothing in that case."=20
    False security?=20
    Indeed, a firewall may confer a false sense of security by causing users
    to overlook flaws in the underlying operating system, particularly Windows
    NT, Stratton says.  "NT has a pretty bad track record, and a terrible
    track record in terms of staying up," he says.=20
    The denial-of-service attack succeeded because of a flaw in NT that might
    have been fixed had the user applied the latest Microsoft patches. In
    addition, some vendors include their own versions of NT networking code in
    their firewall software in order to address NT's security weaknesses.=20
    Stratton says Unix, the original platform for most of the major firewall
    products, is at present better than NT from a security point of view.
    "Just because you have a corporate policy for NT on the desktop doesn't
    mean you should have it on your firewall," he says.=20
    Adds Schultze, "When some of the Unix vendors ported their firewalls to
    NT, the feature set was there, but it was residing on top of an operating
    system that hadn't been hardened." Or, even if it had been fortified
    against attacks from the outside, it was left vulnerable to insiders'
    hacks, he says.=20
    Ernst & Young offers a list of 10 things users should do to make NT
    firewalls more secure.=20
    A firewall may also confer a false sense of security by not safeguarding
    against the worst threat, says Ira Winkler, president of Information
    Security Advisers Group in Severna Park, Md., and a consultant to the
    Computerworld/Federal Computer Week firewall exercise.  "Firewalls can
    keep outsiders out and, to a certain extent, keep users from doing stupid
    things," he says.  "The major problem is =97 and always will be =97 insider=
    abusing the system."=20
    Disgruntled ex-employees might delight in bringing down the networks of
    their former employers via a denial-of-service attack, Winkler adds.
    "Firewalls aren't just meant to keep attackers out, they are meant to keep
    a network up and running."=20
    Attend to the basics, such as applying vendors' software patches to fix
    security vulnerabilities, Winkler advises.  "When a new vulnerability is
    found, it's critical to install the latest security patch on your
    firewall," he says. "But most administrators do not even know what a
    security patch is."=20
    Rica advises clients to use the same kinds of scanning tools he used in
    the attack to find vulnerabilities in their own systems. "We advise
    scanning from the outside and from the inside network, and scanning and
    analyzing the underlying operating system the firewall sits on," he says.=
    Winkler acknowledges that configuring a firewall is a balancing act. "The
    perfect firewall is a wire cutter,"  he says. "But a firewall is intended
    to provide functionality as well as security. The more functionality you
    provide, the more vulnerability you introduce."=20
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:05:44 PDT