http://cnn.com/TECH/computing/9809/11/firewall.idg/index.html

Human errors leave systems vulnerable, not faulty firewalls

September 11, 1998
Web posted at 4:15 PM EDT
by Gary H. Anthes

(IDG) -- The leading Internet firewalls are a little like today's popular automobiles: Although there are many differences among them, most modern cars can get you from Point A to Point B reliably, safely and efficiently.

Crashes and other failures are most likely due to user error, as they are for firewalls.

Indeed, a particular firewall may be better able than others to meet a given user's unique needs, and experts say it pays to compare features.

But they say it is more important how you set up and maintain a firewall -- and how carefully you craft the security policies it's there to enforce -- than which product you choose.

That advice was borne out by a recent exercise conducted by Computerworld and Federal Computer Week in which computer security experts, armed with sophisticated hacking tools, repeatedly attacked four of the leading network firewalls. Each product performed pretty much as advertised, and all protected internal systems from penetration.

However, the firewalls didn't perform perfectly, either because of inherent flaws in the firewalls, flaws in the underlying operating system or suboptimum configuration by the user. One of the firewalls was knocked out by a denial-of-service attack. And each of the three attack teams gleaned a lot of information about systems behind the firewalls, information better kept hidden.

The denial-of-service attack, launched by Security Design International, Inc. using a freeware attack tool called Targa, brought down one of the firewalls, effectively stifling all incoming and outgoing traffic until the computer was rebooted. Another firewall withstood the Targa attack because it had the very latest NT security patches applied, says Bob Stratton, a vice president at the Falls Church, Va.-based company. Time and logistics prevented the team from launching Targa at the remaining two firewalls.

A network outage brought on by a denial-of-service attack may be more costly to a company than a theft of information, experts say. "If you're going to use technology that forces all network traffic through a choke point -- and for good reason -- you'd better make sure it stays up in the face of adversity," Stratton says.

The attack teams also were able to learn more about systems behind the firewall than a firewall and its administrator should allow in the interests of security. For example, the Ernst & Young LLP team was able to learn the identities of the LAN server behind the firewall and various services running on it. "Knowing that [Microsoft] Exchange was running there, we had the potential to further exploit the box by knowing certain Exchange vulnerabilities," says Eric Schultze, a senior manager in Ernst & Young's security practice.

Ernst & Young also was able to determine the address of the internal network, the status of various NT ports and other information. The ability to get this information is due in part to security weaknesses in NT but could have been blocked by the firewalls, Schultze says.

The Deloitte & Touche team learned the identities of the makers of internal server software, hardware and two of the firewall vendors. That information should have been hidden, says Fred Rica, a partner and attack team member. "You gather bits and pieces of information that by themselves seem innocuous, and all of a sudden you can build a picture of what this thing looks like," Rica says. "The more information you have, the higher the likelihood that eventually you'll be successful."

"Most of the top firewalls offer a comparable level of security," says George Kurtz, a senior manager at Ernst & Young. "It's a function of how well they are implemented." He called firewall certification programs by test labs "baloney" because they can't address how users configure and maintain the products.

Rica says firewall configuration -- in which users specify which network services will be permitted and which blocked -- must be dictated by corporate security policies. And those policies should be driven by business objectives. "What is the company trying to do on the Internet? Electronic commerce? Web hosting? Just E-mail?" he asks. He advises a conservative approach in which the firewall denies all services except those explicitly turned on by the customer, rather than one in which anything goes except services explicitly blocked.

A simplistic reliance on checklists of features may lead buyers to omit a comprehensive, pre-installation analysis of risks, Stratton says. "I have a concern whether the public is being served by the commodity marketing of this kind of product," he says. "People say, 'We need a firewall,' when what they really mean is, 'We need security against network threats.' They are just buying a product and installing it, and I'm not convinced it's better than nothing in that case."

False security?

Indeed, a firewall may confer a false sense of security by causing users to overlook flaws in the underlying operating system, particularly Windows NT, Stratton says. "NT has a pretty bad track record, and a terrible track record in terms of staying up," he says.

The denial-of-service attack succeeded because of a flaw in NT that might have been fixed had the user applied the latest Microsoft patches. In addition, some vendors include their own versions of NT networking code in their firewall software in order to address NT's security weaknesses.

Stratton says Unix, the original platform for most of the major firewall products, is at present better than NT from a security point of view. "Just because you have a corporate policy for NT on the desktop doesn't mean you should have it on your firewall," he says.

Adds Schultze, "When some of the Unix vendors ported their firewalls to NT, the feature set was there, but it was residing on top of an operating system that hadn't been hardened." Or, even if it had been fortified against attacks from the outside, it was left vulnerable to insiders' hacks, he says.

Ernst & Young offers a list of 10 things users should do to make NT firewalls more secure.

A firewall may also confer a false sense of security by not safeguarding against the worst threat, says Ira Winkler, president of Information Security Advisers Group in Severna Park, Md., and a consultant to the Computerworld/Federal Computer Week firewall exercise. "Firewalls can keep outsiders out and, to a certain extent, keep users from doing stupid things," he says. "The major problem is -- and always will be -- insiders abusing the system."

Disgruntled ex-employees might delight in bringing down the networks of their former employers via a denial-of-service attack, Winkler adds. "Firewalls aren't just meant to keep attackers out, they are meant to keep a network up and running."

Attend to the basics, such as applying vendors' software patches to fix security vulnerabilities, Winkler advises. "When a new vulnerability is found, it's critical to install the latest security patch on your firewall," he says. "But most administrators do not even know what a security patch is."

Rica advises clients to use the same kinds of scanning tools he used in the attack to find vulnerabilities in their own systems. "We advise scanning from the outside and from the inside network, and scanning and analyzing the underlying operating system the firewall sits on," he says.

Winkler acknowledges that configuring a firewall is a balancing act. "The perfect firewall is a wire cutter," he says. "But a firewall is intended to provide functionality as well as security. The more functionality you provide, the more vulnerability you introduce."
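Rica's two pieces of advice above (a rule set that denies everything not explicitly turned on, and checking your own perimeter to see what is actually reachable) can be made concrete with a small packet-filter policy simulator. This is an added example, not code from the article or from any of the firewall products tested; the Rule and Policy classes, the service inventory and its port numbers are constructed for illustration only.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "*" for any protocol
    dport: Optional[int]   # destination port; None matches any port


@dataclass
class Policy:
    default: str                                   # action when no rule matches
    rules: list = field(default_factory=list)      # ordered list of Rule

    def decide(self, proto: str, dport: int) -> str:
        # First matching rule wins, as in most stateless packet filters.
        for r in self.rules:
            if r.proto in ("*", proto) and r.dport in (None, dport):
                return r.action
        return self.default


def exposed_services(policy: Policy, inventory: dict) -> set:
    """Names of internal services an outside client could reach through the filter."""
    return {name for name, (proto, port) in inventory.items()
            if policy.decide(proto, port) == "allow"}


# Constructed sample inventory of what actually listens behind the firewall.
INVENTORY = {
    "www":     ("tcp", 80),
    "smtp":    ("tcp", 25),
    "dns":     ("udp", 53),
    "rpc":     ("tcp", 135),
    "netbios": ("tcp", 139),
    "new-app": ("tcp", 8080),   # stood up last week; nobody told the firewall admin
}

# "Anything goes except services explicitly blocked": the admin remembered the
# well-known NT ports, but the new application is exposed by omission.
DEFAULT_ALLOW = Policy("allow", [Rule("deny", "tcp", 135), Rule("deny", "tcp", 139)])

# "Deny all services except those explicitly turned on": the new application
# stays unreachable until someone consciously opens it.
DEFAULT_DENY = Policy("deny", [Rule("allow", "tcp", 80), Rule("allow", "tcp", 25),
                               Rule("allow", "udp", 53)])

if __name__ == "__main__":
    for label, pol in (("default-allow", DEFAULT_ALLOW), ("default-deny", DEFAULT_DENY)):
        print(f"{label:13} exposes {sorted(exposed_services(pol, INVENTORY))}")
```

Running the simulator against your own service inventory before an outsider does is the inexpensive version of the "scan from the outside" check Rica recommends.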
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:05:44 PDT