[ISN] Come on, own up: IT managers leave firewalls open for hackers

From: InfoSec News (isnat_private)
Date: Wed Mar 27 2002 - 23:02:55 PST

  • Next message: InfoSec News: "[ISN] Navy creates network command"

    Tuesday 26th March 2002
    Too little knowledge can be a dangerous thing...
    The number of flaws reported in firewalls have rocketed by nearly 50
    per cent over the past four years because IT pros don't know how to
    configure them.
    A report by security testing specialist NTA Monitor found that flaws
    in firewalls have increased by 45 per cent since 1998.
    The researchers said the holes, which occur mainly because of poor
    configuration and sloppy patching, could give hackers a way in to
    corporate networks.
    Companies have not learned how to install their firewalls properly,
    according to Roy Hills, technical director at NTA Monitor. He said:  
    "Three years ago firewalls were relatively rare, only firms who really
    needed them had them - coupled with the expertise.
    "Nowadays there are so many companies who need firewalls because of
    the net. But they are not any easier to configure today than they were
    five years ago."
    But he did not put all the blame on users, adding that vendors have
    not made things easy.
    "There should be a way to check how you have configured your firewall.  
    It should be made much easier to get it right and much harder how to
    get it wrong," he said.
    Many companies are unable to keep up with the latest vulnerabilities
    because of the misconfiguration problems, the study added.
    NTA Monitor said a flaw was recently identified in Checkpoint's most
    commonly used Fire Wall-1 product, which allowed potential hackers to
    access internal systems via HTTP, but only those companies who had
    failed configure the firewall correctly were affected.
    "This kind of attack could have been prevented by proper installation
    of the firewall," Hills said.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Thu Mar 28 2002 - 01:55:08 PST