List:       isn
Subject:    [ISN] Human errors leave systems vulnerable, not faulty firewalls
From:       mea culpa <jericho () dimensional ! com>
Date:       1998-09-25 1:36:59

http://cnn.com/TECH/computing/9809/11/firewall.idg/index.html


Human errors leave systems vulnerable, not faulty firewalls
September 11, 1998
Web posted at 4:15 PM EDT
by Gary H. Anthes

(IDG) -- The leading Internet firewalls are a little like today's popular
automobiles: Although there are many differences among them, most modern
cars can get you from Point A to Point B reliably, safely and efficiently. 
Crashes and other failures are most likely due to user error, as they are
for firewalls. 

Indeed, a particular firewall may be better able than others to meet a
given user's unique needs, and experts say it pays to compare features. 

But they say it is more important how you set up and maintain a firewall —
and how carefully you craft the security policies it's there to enforce —
than which product you choose. 

That advice was borne out by a recent exercise conducted by Computerworld
and Federal Computer Week in which computer security experts, armed with
sophisticated hacking tools, repeatedly attacked four of the leading
network firewalls. Each product performed pretty much as advertised, and
all protected internal systems from penetration. 

However, the firewalls didn't perform perfectly, either because of
inherent flaws in the firewalls, flaws in the underlying operating system
or suboptimum configuration by the user. One of the firewalls was knocked
out by a denial-of-service attack. And each of the three attack teams
gleaned a lot of information about systems behind the firewalls,
information better kept hidden. 

The denial-of-service attack, launched by Security Design International,
Inc. using a freeware attack tool called Targa, brought down one of the
firewalls, effectively stifling all incoming and outgoing traffic until
the computer was rebooted.  Another firewall withstood the Targa attack
because it had the very latest NT security patches applied, says Bob
Stratton, a vice president at the Falls Church, Va.-based company. Time
and logistics prevented the team from launching Targa at the remaining two
firewalls.  A network outage brought on by a denial-of-service attack may
be more costly to a company than a theft of information, experts say. "If
you're going to use technology that forces all network traffic through a
choke point — and for good reason — you'd better make sure it stays up in
the face of adversity,"  Stratton says. 

The attack teams also were able to learn more about systems behind the
firewall than a firewall and its administrator should allow in the
interests of security. For example, the Ernst & Young LLP team was able to
learn the identities of the LAN server behind the firewall and various
services running on it.  "Knowing that [Microsoft] Exchange was running
there, we had the potential to further exploit the box by knowing certain
Exchange vulnerabilities," says Eric Schultze, a senior manager in Ernst &
Young's security practice. 

Ernst & Young also was able to determine the address of the internal
network, the status of various NT ports and other information. The ability
to get this information is due in part to security weaknesses in NT but
could have been blocked by the firewalls, Schultze says. 

The Deloitte & Touche team learned the identities of the makers of
internal server software, hardware and two of the firewall vendors. That
information should have been hidden, says Fred Rica, a partner and attack
team member.  "You gather bits and pieces of information that by
themselves seem innocuous, and all of a sudden you can build a picture of
what this thing looks like," Rica says. "The more information you have,
the higher the likelihood that eventually you'll be successful." 

"Most of the top firewalls offer a comparable level of security," says
George Kurtz, a senior manager at Ernst & Young. "It's a function of how
well they are implemented." He called firewall certification programs by
test labs "baloney" because they can't address how users configure and
maintain the products. 

Rica says firewall configuration — in which users specify which network
services will be permitted and which blocked — must be dictated by
corporate security policies. And those policies should be driven by
business objectives. "What is the company trying to do on the Internet?
Electronic commerce? Web hosting? Just E-mail?"  he asks. He advises a
conservative approach in which the firewall denies all services except
those explicitly turned on by the customer, rather than one in which
anything goes except services explicitly blocked. 
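The two configuration philosophies Rica contrasts can be made concrete with a small rule evaluator. The following is an added example, not code from the article or from any of the firewall products tested; the service lists, port numbers and sample traffic are constructed for illustration. It evaluates the same traffic under a "deny all except what is explicitly turned on" policy and under an "allow all except what is explicitly blocked" policy, and reports which services only the second policy leaves reachable.

```python
"""Default-deny versus default-allow firewall policy as a rule evaluator.

Added example, not from the article. Models the two approaches Rica
describes: deny every service except those the business explicitly
enables, versus permit everything except services explicitly blocked.
All rules, ports and packets below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    proto: str
    port: int
    action: str  # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    proto: str
    dst_port: int


# Services the business decided it needs on the Internet (constructed list):
# e-mail and public web hosting, nothing else.
BUSINESS_SERVICES = [
    Rule("tcp", 25, "allow"),   # SMTP
    Rule("tcp", 80, "allow"),   # HTTP
]

# A block list written the "anything goes except ..." way (constructed).
# It only names services someone happened to think of.
KNOWN_BAD = [
    Rule("tcp", 23, "deny"),    # telnet
    Rule("tcp", 21, "deny"),    # ftp
]


def evaluate(rules, default, packet):
    """Return the verdict for a packet: first matching rule wins, else the default."""
    for rule in rules:
        if rule.proto == packet.proto and rule.port == packet.dst_port:
            return rule.action
    return default


def default_deny(packet):
    """Conservative policy: only explicitly enabled services pass."""
    return evaluate(BUSINESS_SERVICES, "deny", packet)


def default_allow(packet):
    """Permissive policy: everything passes unless explicitly blocked."""
    return evaluate(KNOWN_BAD, "allow", packet)


# Constructed traffic sample, including a service neither list mentions
# (an internal NT service that was never meant to be reachable).
SAMPLE_TRAFFIC = [
    Packet("tcp", 25),
    Packet("tcp", 80),
    Packet("tcp", 23),
    Packet("tcp", 139),
]


def compare(traffic=SAMPLE_TRAFFIC):
    """Map each destination port to (default-deny verdict, default-allow verdict)."""
    return {p.dst_port: (default_deny(p), default_allow(p)) for p in traffic}


def exposed_services(traffic=SAMPLE_TRAFFIC):
    """Ports reachable under default-allow that default-deny would have closed."""
    return sorted(
        p.dst_port
        for p in traffic
        if default_allow(p) == "allow" and default_deny(p) == "deny"
    )


if __name__ == "__main__":
    for port, (dd, da) in compare().items():
        print(f"port {port:>4}: default-deny={dd:<5} default-allow={da}")
    print("reachable only under default-allow:", exposed_services())
```

The point the evaluator makes is the one in the text: under the permissive policy, any service nobody thought to list (port 139 in the constructed sample) is reachable from outside by default, whereas under the conservative policy it stays closed until someone deliberately enables it in line with business need.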

A simplistic reliance on checklists of features may lead buyers to omit a
comprehensive, pre-installation analysis of risks, Stratton says. "I have
a concern whether the public is being served by the commodity marketing of
this kind of product," he says. "People say, 'We need a firewall,' when
what they really mean is, 'We need security against network threats.' They
are just buying a product and installing it, and I'm not convinced it's
better than nothing in that case." 

False security? 

Indeed, a firewall may confer a false sense of security by causing users
to overlook flaws in the underlying operating system, particularly Windows
NT, Stratton says.  "NT has a pretty bad track record, and a terrible
track record in terms of staying up," he says. 

The denial-of-service attack succeeded because of a flaw in NT that might
have been fixed had the user applied the latest Microsoft patches. In
addition, some vendors include their own versions of NT networking code in
their firewall software in order to address NT's security weaknesses. 

Stratton says Unix, the original platform for most of the major firewall
products, is at present better than NT from a security point of view.
"Just because you have a corporate policy for NT on the desktop doesn't
mean you should have it on your firewall," he says. 

Adds Schultze, "When some of the Unix vendors ported their firewalls to
NT, the feature set was there, but it was residing on top of an operating
system that hadn't been hardened." Or, even if it had been fortified
against attacks from the outside, it was left vulnerable to insiders'
hacks, he says. 

Ernst & Young offers a list of 10 things users should do to make NT
firewalls more secure. 

A firewall may also confer a false sense of security by not safeguarding
against the worst threat, says Ira Winkler, president of Information
Security Advisers Group in Severna Park, Md., and a consultant to the
Computerworld/Federal Computer Week firewall exercise.  "Firewalls can
keep outsiders out and, to a certain extent, keep users from doing stupid
things," he says.  "The major problem is — and always will be — insiders
abusing the system." 

Disgruntled ex-employees might delight in bringing down the networks of
their former employers via a denial-of-service attack, Winkler adds.
"Firewalls aren't just meant to keep attackers out, they are meant to keep
a network up and running." 

Attend to the basics, such as applying vendors' software patches to fix
security vulnerabilities, Winkler advises.  "When a new vulnerability is
found, it's critical to install the latest security patch on your
firewall," he says. "But most administrators do not even know what a
security patch is." 

Rica advises clients to use the same kinds of scanning tools he used in
the attack to find vulnerabilities in their own systems. "We advise
scanning from the outside and from the inside network, and scanning and
analyzing the underlying operating system the firewall sits on," he says. 

Winkler acknowledges that configuring a firewall is a balancing act. "The
perfect firewall is a wire cutter,"  he says. "But a firewall is intended
to provide functionality as well as security. The more functionality you
provide, the more vulnerability you introduce." 


-o-
Subscribe: mail majordomo@sekurity.org with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
