

Chapter 48
Selecting an Internet Firewall

Marcus J. Ranum

Internet security risks are, in reality, not that much different from other security problems that organizations face every day. It is the newness of the Internet that makes it seem different from, and more dangerous than, anything else. Internet security should be approached as a fraction of the overall computer security requirements for the entire organization. Most important, computer security should be handled consistently throughout the enterprise. Without such an approach, a secure firewall may be protecting a wide-open network behind it. If the course of Internet security is uncertain, security should be based on comparable approaches that have previously worked for other vulnerable systems.

INTRODUCTION

Many organizations have or are about to have connections to the Internet, but they are alarmed at the risk of being broken into by hackers, industrial spies, or other electronic miscreants. The magnitude of this threat is difficult to assess in concrete terms. However, it is clear that not being connected to the Internet is a business risk as well, which may result in lost revenue, delays in time-to-market, or poor customer perception. As Internet connectivity becomes a common business infrastructure requirement like the FAX, more and more organizations will face these risks.

THE RISKS ASSOCIATED WITH INTERNET CONNECTIONS

Internet security risks are, in reality, not that much different from other security problems that organizations face every day. It is the newness of the Internet that makes it seem different from, and more dangerous than, anything else. Internet security should be approached as a fraction of the overall computer security requirements for the entire organization. Most important, computer security should be handled consistently throughout the enterprise. Organizations are every bit as likely to be attacked through dial-up access, social engineering, dumpster diving, or PBX/toll fraud as they are over the Internet. It is unfortunate that organizations may invest a huge amount of money and effort in securing their Internet connection, but have unprotected modem pools without even passwords or dial-back, which allow access into the network behind the firewall. Management support and an architectural view of the organization are essential requirements to achieve a consistent security approach. Without a uniform approach, a secure firewall may be protecting a wide-open network behind it. If the course of Internet security is uncertain, security should be based on comparable approaches that have previously worked for other vulnerable systems.

Downtime

Probably the most expensive cost resulting from a break-in is downtime: system manager’s time, time-to-market, and clean-up costs. In some cases, public embarrassment may also be a significant factor. Before deciding on any actions that may affect the organization’s systems security, these questions should be asked:

  What needs protection?
  How likely is it that someone will want to break, steal, or alter the items needing protection?
  If they succeed, what will be the expense?

In some cases, the potential damage might be so high that no justification for Internet connectivity exists. Before reaching that conclusion, existing security practices should be examined. Frequently, organizations that have decided not to connect to the Internet permit dial-in access or have other lax security practices that are every bit as risky as a well-secured Internet connection.

Often, organizations with very restrictive firewalls or no formal Internet security policies have dial-out modems scattered around the network, as individuals who need Internet access simply obtain it through commercial Internet service providers. These links are potentially avenues of attack, like any other Internet links.

Sophistication of Attacks

Many managers do not understand the level of sophistication that attackers are showing. As a result, they either over- or underestimate the likelihood that their existing security (if they have any) will be compromised. In the recent past, attacks have been increasing in sophistication, including exploiting protocol-level flaws and cryptographic flaws, and employing more clever social engineering tactics. A pattern has emerged wherein highly skilled attackers (called ueberhackers) develop tools for exploiting specific weaknesses, and eventually the tools find their way into the hands of less skilled or completely unskilled novices (called ankle biters) who can still employ them to penetrate sophisticated defenses. Attackers are also persistent and understand how to exploit the often tangled interconnections between corporate networks, modem pools, and other networks (such as X.25 networks or PC LAN software). In the last year, at least three cases were reported of firewalls being compromised from the inside by attackers who gained access to management networks through dial-in modems left unattended on users’ desktops.

What implications does this have for the would-be connected site? Simply having a firewall in place does not make an organization invulnerable to attack. Other routes of attack into the network must be secured as well, and constant security awareness is mandated. Organizations with extremely critical data should put it behind internal firewalls and should further compartmentalize their networks to make it harder for attackers to succeed once they are in. In some cases, if data is extremely sensitive or mission-critical systems exist, not having an Internet connection, or having it only on a physically isolated network that is separate from the corporate backbone, should be considered.

Likelihood of Attack

A number of organizations have concluded that security is not a problem for them because “nobody will bother to attack them.” However, when an attacker is choosing a target, he or she usually does not bother researching the target to see if it may be valuable; it is easier to smash in and take a look around. As a result, attacks seem to be random. Systems that have important data are ignored in favor of systems that simply catch the attacker’s eye. Recently, attackers who broke into a financial database system were observed to completely ignore the financial data (worth millions of dollars) in favor of exploiting a back-door connection to a local university’s computing center. The unpredictable nature of attacks makes it difficult to place a value on defenses. For example, a site with a very strong firewall and no important data might come under ferocious attack, and a different site with no security at all in front of mission-critical systems may be completely ignored. Unless an organization’s data is unimportant and employees’ jobs are secure, it is foolish to assume that attackers will ignore any organization.



Copyright © CRC Press LLC