Linux Today: Linux News On Internet Time.

Firewalls and Security, Are They Important to YOUR Company?

Oct 22, 2000, 19:13

[ The opinions expressed by authors on Linux Today are their own. They speak only for themselves and not for Linux Today or internet.com. ]

By Kelvin Koh

"We have a $100,000 firewall that can deny all crackers." Yeah right. Does it sound familiar to you? Probably.

Businesses of all sorts, from book retailers to banks, are rushing to get on the Internet. Many companies have spent huge sums of money on pretty pages and marketing campaigns. However, little effort is invested in protecting their new age gems. I have encountered several companies with big web businesses who failed to install a single firewall on their premises. After several days and weeks of persuasion, some heeded my advice to install firewalls, while some remained complacent about their 'armoured servers from ABC vendor'.

All security implementations are about striking an appropriate balance between usability and security. Increased security means decreased usability. For those who are somewhat protected by a well-configured firewall, good for you. But it may not be enough. I'll show you 3 scenarios where firewalls are not very helpful.

Web Applications

A company places a web application server behind a packet-filtering firewall, with rules literally denying all packets except those matching remote port 80. While web traffic can pass through, the network firewall is unable to determine whether the packets come from a cracker's box, so application security comes into the picture. Web programs written without undergoing a proper security audit, such as CGI forms on a UNIX host which accept backticks (``) for processing in situations where only numbers are needed, are quite likely to be vulnerable to CGI abuse.
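The numbers-only check described above, as an added example that is not part of the original article: a CGI-style handler that allow-lists a numeric field and then calls a backend program without a shell. The field name `order`, the function names and the stand-in backend are assumptions made for illustration.

```python
import re
import subprocess
import sys
from urllib.parse import parse_qs

# Allow-list: 1 to 6 ASCII digits. [0-9] is used instead of \d, which also
# matches non-ASCII digits; fullmatch() rejects a trailing newline that a
# pattern ending in "$" would let through.
_NUMERIC = re.compile(r"[0-9]{1,6}")


def parse_numeric_field(query_string, name):
    """Return the named field as an int, or raise ValueError."""
    values = parse_qs(query_string, keep_blank_values=True).get(name, [])
    if len(values) != 1:
        raise ValueError("expected exactly one %r field" % name)
    raw = values[0]
    if not _NUMERIC.fullmatch(raw):
        # Backticks, spaces, signs, newlines and everything else end up here.
        raise ValueError("field %r must contain digits only" % name)
    return int(raw)


def lookup_order(order_id):
    """Call the backend with an argv list, so no shell ever parses the value."""
    # Stand-in for a hypothetical backend program: it echoes its argument.
    backend = [sys.executable, "-c",
               "import sys; sys.stdout.write('order=' + sys.argv[1])"]
    done = subprocess.run(backend + [str(order_id)],
                          capture_output=True, text=True, check=True)
    return done.stdout


def handle_request(query_string):
    """Return (status, body) the way a small CGI script would."""
    try:
        order_id = parse_numeric_field(query_string, "order")
    except ValueError as exc:
        return 400, "Bad request: %s" % exc
    return 200, lookup_order(order_id)


if __name__ == "__main__":
    # Constructed sample query strings, not taken from any real log.
    for qs in ("order=42", "order=%60date%60", "order=42%0A"):
        print(repr(qs), "->", handle_request(qs))
```

The two controls are independent: validation rejects anything that is not a number, and the argv-list call means that even a value that slipped through would reach the backend as a single argument rather than as shell syntax.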

Internal Security

According to an unnamed source, there is a higher probability of security breaches originating from within the company than from an external force. Corporate executives often store sensitive data on their office computers without proper encryption. Emails, too, remain in plain text in their email clients. A jealous or abusive colleague with 24x7 access to the office premises may return at odd hours to peep into another staff member's computer. Had the company enforced a more sophisticated physical access list based on time and staff position, such a cracking attempt could be prevented. Users who wish to protect sensitive information should turn to GnuPG, an open-source alternative to PGP from NAI.

Computer Viruses

In recent months, malicious computer viruses have been spreading rapidly and causing damage to computers all around the world. By following a computer security bulletin board, you will notice that many of these viruses arrive as email attachments disguised with an innocent appearance. To reduce the risk of transmission through this popular channel, email gateways should run virus scanning to verify the email's integrity before any user can proceed to download it. If your MTA cannot accept virus scanning plug-ins, it's time to look around.

Firewalls, though unable to ensure 100% security, are highly important. They serve as the front layer of security. A layered security approach should be put in use to achieve a higher level of security.

"Firewalls are not important for old-economy business..." - a friend

I beg to differ (no offence intended to my friend). How do you define an old-economy business? Any business which has a private or public computer network should enforce security policies, audits, etc., to ensure the integrity of its data. Some say banks are old economy. It will be disastrous if they do not have firewalls as part of their information security enforcement.

Kelvin Koh, 22 Oct 2000.
Comments, thoughts, flames? Email me at kelvin@acks.org.
