ad info

CNN.com
 MAIN PAGE
 WORLD
 ASIANOW
 U.S.
 LOCAL
 POLITICS
 WEATHER
 BUSINESS
 SPORTS
 TECHNOLOGY
   computing
   personal technology
   space
 NATURE
 ENTERTAINMENT
 BOOKS
 TRAVEL
 FOOD
 HEALTH
 STYLE
 IN-DEPTH

 custom news
 Headline News brief
 daily almanac
 CNN networks
 CNN programs
 on-air transcripts
 news quiz

  CNN WEB SITES:
CNN Websites
 TIME INC. SITES:
 MORE SERVICES:
 video on demand
 video archive
 audio on demand
 news email services
 free email accounts
 desktop headlines
 pointcast
 pagenet

 DISCUSSION:
 message boards
 chat
 feedback

 SITE GUIDES:
 help
 contents
 search

 FASTER ACCESS:
 europe
 japan

 WEB SERVICES:
Computing

From...

Human errors leave systems vulnerable, not faulty firewalls

September 11, 1998
Web posted at 4:15 PM EDT

by Gary H. Anthes

(IDG) -- The leading Internet firewalls are a little like today's popular automobiles: Although there are many differences among them, most modern cars can get you from Point A to Point B reliably, safely and efficiently.

Crashes and other failures are most likely due to user error, as they are for firewalls.

Indeed, a particular firewall may be better able than others to meet a given user's unique needs, and experts say it pays to compare features.

But they say it is more important how you set up and maintain a firewall and how carefully you craft the security policies it's there to enforce than which product you choose.

That advice was borne out by a recent exercise conducted by Computerworld and Federal Computer Week in which computer security experts, armed with sophisticated hacking tools, repeatedly attacked four of the leading network firewalls. Each product performed pretty much as advertised, and all protected internal systems from penetration.

However, the firewalls didn't perform perfectly, either because of inherent flaws in the firewalls, flaws in the underlying operating system or suboptimum configuration by the user. One of the firewalls was knocked out by a denial-of-service attack. And each of the three attack teams gleaned a lot of information about systems behind the firewalls, information better kept hidden.

MORE COMPUTING INTELLIGENCE
  IDG.net home page
  Computerworld's home page
  Computerworld "Emmerce"
  Get Media Grok and The Industry Standard Intelligencer delivered for free
 Reviews & in-depth info at IDG.net
  IDG.net's personal news page
  Questions about computers? Let IDG.net's editors help you
  Search IDG.net in 12 languages
  Subscribe to IDG.net's free daily newsletter for IT leaders
 News Radio
  Computerworld Minute
  Fusion audio primers
     

The denial-of-service attack, launched by Security Design International, Inc. using a freeware attack tool called Targa, brought down one of the firewalls, effectively stifling all incoming and outgoing traffic until the computer was rebooted. Another firewall withstood the Targa attack because it had the very latest NT security patches applied, says Bob Stratton, a vice president at the Falls Church, Va.-based company. Time and logistics prevented the team from launching Targa at the remaining two firewalls.

A network outage brought on by a denial-of-service attack may be more costly to a company than a theft of information, experts say. "If you're going to use technology that forces all network traffic through a choke point and for good reason you'd better make sure it stays up in the face of adversity," Stratton says.

The attack teams also were able to learn more about systems behind the firewall than a firewall and its administrator should allow in the interests of security. For example, the Ernst & Young LLP team was able to learn the identities of the LAN server behind the firewall and various services running on it. "Knowing that [Microsoft] Exchange was running there, we had the potential to further exploit the box by knowing certain Exchange vulnerabilities," says Eric Schultze, a senior manager in Ernst & Young's security practice.

Ernst & Young also was able to determine the address of the internal network, the status of various NT ports and other information. The ability to get this information is due in part to security weaknesses in NT but could have been blocked by the firewalls, Schultze says.

The Deloitte & Touche team learned the identities of the makers of internal server software, hardware and two of the firewall vendors. That information should have been hidden, says Fred Rica, a partner and attack team member. "You gather bits and pieces of information that by themselves seem innocuous, and all of a sudden you can build a picture of what this thing looks like," Rica says. "The more information you have, the higher the likelihood that eventually you'll be successful."

"Most of the top firewalls offer a comparable level of security," says George Kurtz, a senior manager at Ernst & Young. "It's a function of how well they are implemented." He called firewall certification programs by test labs "baloney" because they can't address how users configure and maintain the products.

Rica says firewall configuration in which users specify which network services will be permitted and which blocked must be dictated by corporate security policies. And those policies should be driven by business objectives. "What is the company trying to do on the Internet? Electronic commerce? Web hosting? Just E-mail?" he asks. He advises a conservative approach in which the firewall denies all services except those explicitly turned on by the customer, rather than one in which anything goes except services explicitly blocked.

A simplistic reliance on checklists of features may lead buyers to omit a comprehensive, pre-installation analysis of risks, Stratton says. "I have a concern whether the public is being served by the commodity marketing of this kind of product," he says. "People say, 'We need a firewall,' when what they really mean is, 'We need security against network threats.' They are just buying a product and installing it, and I'm not convinced it's better than nothing in that case."

False security?

Indeed, a firewall may confer a false sense of security by causing users to overlook flaws in the underlying operating system, particularly Windows NT, Stratton says. "NT has a pretty bad track record, and a terrible track record in terms of staying up," he says.

The denial-of-service attack succeeded because of a flaw in NT that might have been fixed had the user applied the latest Microsoft patches. In addition, some vendors include their own versions of NT networking code in their firewall software in order to address NT's security weaknesses.

Stratton says Unix, the original platform for most of the major firewall products, is at present better than NT from a security point of view. "Just because you have a corporate policy for NT on the desktop doesn't mean you should have it on your firewall," he says.

Adds Schultze, "When some of the Unix vendors ported their firewalls to NT, the feature set was there, but it was residing on top of an operating system that hadn't been hardened." Or, even if it had been fortified against attacks from the outside, it was left vulnerable to insiders' hacks, he says.

Ernst & Young offers a list of 10 things users should do to make NT firewalls more secure.

A firewall may also confer a false sense of security by not safeguarding against the worst threat, says Ira Winkler, president of Information Security Advisers Group in Severna Park, Md., and a consultant to the Computerworld/Federal Computer Week firewall exercise. "Firewalls can keep outsiders out and, to a certain extent, keep users from doing stupid things," he says. "The major problem is and always will be insiders abusing the system."

Disgruntled ex-employees might delight in bringing down the networks of their former employers via a denial-of-service attack, Winkler adds. "Firewalls aren't just meant to keep attackers out, they are meant to keep a network up and running."

Attend to the basics, such as applying vendors' software patches to fix security vulnerabilities, Winkler advises. "When a new vulnerability is found, it's critical to install the latest security patch on your firewall," he says. "But most administrators do not even know what a security patch is."

Rica advises clients to use the same kinds of scanning tools he used in the attack to find vulnerabilities in their own systems. "We advise scanning from the outside and from the inside network, and scanning and analyzing the underlying operating system the firewall sits on," he says.

Winkler acknowledges that configuring a firewall is a balancing act. "The perfect firewall is a wire cutter," he says. "But a firewall is intended to provide functionality as well as security. The more functionality you provide, the more vulnerability you introduce."

Related stories:
Latest Headlines

Today on CNN

Related IDG.net stories:

Note: Pages will open in a new browser window

External sites are not
endorsed by CNN Interactive.

SEARCH CNN.com
Enter keyword(s)   go    help

   
 

Back to the top
© 2000 Cable News Network. All Rights Reserved.
Terms under which this service is provided to you.
Read our privacy guidelines.