[ The opinions expressed by authors on Linux Today are their
own. They speak only for themselves and not for Linux Today or
internet.com. ]
By Kelvin Koh
“We have a $100,000 firewall that can deny all crackers.” Yeah
right. Does it sound familiar to you? Probably.
Businesses of all sorts, from book retailers to banks are
rushing to get on the Internet. Many companies have spent huge sums
of dollars to put up pretty pages, marketing campaigns. However,
there is little effort invested in protecting their new age gems. I
have encountered several companies with big web businesses who
failed to install a single firewall in their premises. After
several days and weeks or persuasion, some heeded my advice to
install firewalls, while some remained complacent about their
‘armoured servers from ABC vendor’.
All security implementations are about striking an appropriate
balance between usability and security. Increased security means
decreased usability. For those who are somewhat protected by a
well-configured firewall, good for you. But it may not be enough.
I’ll show you 3 scenarios where firewalls are not very helpful.
Web Applications
A company places a web application server behind a
packet-filtering firewall, with rules literally denying all packets
except those with a match of remote port 80. While web traffic can
pass through, the network firewall is unable to determine whether
the source packets are from a cracker’s box, thus application
security comes into picture. Web programs written without
undergoing proper security audit, such as CGI forms on a UNIX host
which accepts backticks (“) for processing in situations where
only numbers are needed, are quite likely to be vulnerable to CGI
abuse.
Internal Security
According to an unnamed source, there is a higher probability of
security breaches originating from within the company than from an
external force. Corporate executives often store sensitive data in
their office computers without proper encryption. Emails too,
remain plain text in their email clients. A jealous or abusive
colleague with 24×7 access to the office premises may return at odd
hours to peep into another staff’s computer. Should the company
have enforced a more sophisicated physical access list based on
time and staffs’ position, such cracking attempt can be prevented.
Users who wish to protect sensitive information should turn to
GnuPG, an opensource
alternative to PGP from NAI.
Computer Viruses
In recent months, malicious computer viruses are spreading
rapidly and causing damage to computers all around the world. By
following a computer security bulletin board, you will notice many
of these viruses are placed as attachments in emails clothed with
an innocent outlook. To reduce the risks of transmission through
this popular channel, email gateways should execute virus scanning
to verify the email’s integrity before any user can proceed to
download it. If your MTA cannot accept virus scanning plug-ins,
it’s time to look around.
Firewalls, though unable to ensure 100% security, is highly
important. It serves as the front layer of security. A layered
security approach should be put in use to achieve a higher level of
security.
“Firewalls are not important for old-economoy business…” –
a friend
I beg to differ (no intent of offence to my friend), how do you
define old economy business? Any business which has a
private or public computer network should enforce security
policies, audits, etc, to ensure the integrity of their data. Some
say banks are old economy. It will be disastrous if they
do not have firewalls as part of their information security
enforcement.
Kelvin Koh, 22 Oct 2000.
Comments, thoughts, flames? Email me at kelvin@acks.org.