Fortifying the firewall

Today's world of open network access means rethinking the role of the firewall.

Obviously, the firewall can no longer stand alone against all nasty intrusions. The chances that a virus or other ill-intended probe will penetrate a company's firewall rise almost daily, especially when ports are opened to give people outside the physical perimeter access.

Not that most network executives can even define the perimeter any longer. The distinction between what's inside and outside the corporate realm has vanished. In its stead have come modified perimeter architectures, built using more advanced firewalls that follow the tenets of a security model suited to today's realities (see story, "Time for new security model").

When network managers began deploying firewalls as security tools a decade ago, they could easily define the network perimeter. Most people who had access to corporate networks worked on desktop computers in the main office; external links to business partners were virtually nonexistent. A simple firewall-based demilitarized zone between the private and public network made sense. But today's practice of allowing access to corporate data to anyone who might need it - mobile workers, telecommuters, business partners, suppliers - from wherever they are over wired or wireless links turns that sensible decision into a foolish one.

To provide a high level of access, companies punch holes through the firewall barrier and hide data from the firewall's view by using technologies such as VPNs and encryption.

This cripples firewalls - as they were originally designed - and keeps them from protecting companies against attacks, high-tech vandalism, theft of data or other security breaches.

Mirrored firewalls provide some comfort to Don Hoffman, who watches over The Mony Group’s extended enterprise network as director of IT security.

On the attack

Data from the Computer Security Institute (CSI) shows the number of security breaches, already high, has grown in the past year. CSI's 2002 Computer Crime and Security Survey, released in April, indicates that 90% of the 503 participating U.S. organizations detected computer security breaches within the previous 12 months, up from 85% in the previous year. Eighty percent of the organizations said they suffered financial losses because of computer breaches, up from 64% the year before.

About 75% of survey respondents said their Internet connection was a frequent point of attack, compared with 33% who cited their internal systems as such. Forty percent detected system penetration from the outside, 85% detected computer viruses and 70% of those attacked reported vandalism.

"Companies need to provide a lot of access to their partners, customers and employees today, and they're using technologies like Web services and extranets more frequently. All of this points to the fact that perimeter security by itself is no longer adequate," says Laura Koetzle, security analyst with Forrester Research.

"Businesses need to have firewalls, but there must be various layers of firewalls as well as clear policies that determine how these firewalls interact," Koetzle says. "Having nothing protecting the middle of the enterprise is a sure way to let someone come in and do maximum damage."

In a survey of 50 IT managers conducted by Forrester earlier this year, "openness of our network" was the second most common response given (after viruses) when managers were asked to name their biggest IT security concern.

On the defense

Firewall vendors such as Check Point Software, CyberGuard, Network Associates, Secure Computing and Symantec are trying to address the needs of increasingly open networks by bolstering firewall capabilities. For example, they are developing directory-based firewalls that issue access rights after a user has logged in and logical firewalls that separate groups within an organization. Other initiatives include:

  • Designing firewalls to work more easily with intrusion-detection systems and antivirus software, or embedding those capabilities in firewalls.
  • Offering firewall protection for equipment such as home office computers and wireless handheld devices.
  • Providing firewalls that are embedded in components such as network cards, so individual devices on a network can be protected against internal and external threats.
  • Offering filtering levels so firewalls can better determine the threat of specific messages or applications being sent.

Network executives taking advantage of new ways to design firewall-based perimeters are experiencing good results. The Mony Group, an insurance and financial services firm in New York, has installed mirrored firewalls to protect its perimeter. If one firewall fails, another stands in the way and ensures protection, says Don Hoffman, director of IT security.

"This makes us less vulnerable if we're attacked," Hoffman says. "It used to be there was a single point of failure." Still, Hoffman pressures firewall vendors to do a better job of getting fixes out when weaknesses in firewalls are exploited or when new threats emerge such as logic bombs or spam. "That's an underlying issue with security. We know a vulnerability exists, but we have to wait for the patches or upgrades," he says, adding, however, that vendors are improving. "They used to be a week behind the problems, and now they're two or three days behind." Despite growing sophistication, firewalls aren't enough, Hoffman says. Mony also uses VPN, IDS, authentication and other technologies to secure its corporate network. Plus, Mony is exploring whether internal firewalls would be useful in protecting particular departments and even individual devices.

Firewalls and then some

With firewalls no longer able to be a solitary guardian against all potential threats, network executives "need to look at different ways to take the load off the firewall," says Don Hoffman, director of IT security at The Mony Group, an insurance and financial services firm in New York.

Of course, new firewall technology is only a partial solution. Policies must also be created. OSG Tap & Die, a tools manufacturer in Glendale Heights, Ill., uses Secure Computing's Sidewinder firewall with a built-in VPN to connect over the Internet with its parent company in Japan and its offices in Europe, and to selectively provide data access to workers in the field.

"When a salesman working in a hotel room needs to get access, he can come in through the firewall using the client VPN and I [can verify] he's actually the salesman through authentication," says Mike McKenna, IS manager at OSG. However, McKenna is cautious about granting employee requests to transfer data to and from Web sites blocked by the firewall. "The Swiss cheese effect comes into play where you're creating holes in the firewall," he says. "We can't just make random changes in the firewall to accommodate all the requests."

New policies really come down to common sense, says Tom Warfield, systems administrator in charge of networking at government contractor AST in Lawton, Okla.

"We have a simple rule, if you're not using something, shut it off," he says. It might sound obvious, but "people tend to leave everything - desktop computers, laptops or other systems - turned on," and that invites trouble that the firewall can't always block.
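The two policy points above, McKenna's "Swiss cheese effect" of holes punched through the firewall and Warfield's "if you're not using something, shut it off", can be checked mechanically against a ruleset. The script below is an added example, not code from the article or any vendor named in it; the ruleset, the `hits` counters and the 1,024-port "wide" threshold are constructed assumptions standing in for what an administrator would export from a real firewall.

```python
"""Audit inbound allow rules for over-broad openings and unused holes."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    src: str        # source CIDR, or "any"
    dst_port: str   # "22", "1024-65535" or "any"
    action: str     # "allow" or "deny"
    hits: int       # matches in the last review period (assumed exported from rule counters)


def port_span(spec: str) -> int:
    """Number of TCP/UDP ports a destination-port spec exposes."""
    if spec == "any":
        return 65536
    lo, _, hi = spec.partition("-")
    return int(hi or lo) - int(lo) + 1


def audit(rules, wide_ports: int = 1024):
    """Return (rule name, finding) pairs for allow rules that are either
    too broad (the Swiss cheese effect) or saw no traffic (shut it off)."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue  # deny rules are not holes
        if r.src == "any" and r.dst_port == "any":
            findings.append((r.name, "any-source to any-port: perimeter effectively open"))
        elif r.src == "any" and port_span(r.dst_port) > wide_ports:
            findings.append((r.name, f"any-source to {port_span(r.dst_port)} ports"))
        if r.hits == 0:
            findings.append((r.name, "no matches this period: shut it off if unused"))
    return findings


# Constructed sample ruleset; the names, networks and counters are invented.
SAMPLE_RULES = [
    Rule("web", "any", "443", "allow", 182_004),
    Rule("vpn", "any", "500", "allow", 3_210),
    Rule("partner-ftp", "203.0.113.0/24", "21", "allow", 0),
    Rule("legacy-rpc", "any", "1024-65535", "allow", 12),
    Rule("default-deny", "any", "any", "deny", 9_994),
]

if __name__ == "__main__":
    for name, why in audit(SAMPLE_RULES):
        print(f"{name}: {why}")
```

Run against the sample, it flags the dormant partner FTP opening and the 64,512-port legacy range while leaving the narrow, busy web and VPN rules alone.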

Violino is a freelance writer covering business and technology. He can be reached at bviolino@optonline.net.
