Hosing down firewall hype

Commentary: Network administrators who place all their trust in firewalls copped stern words this week from a high-ranking engineer at one of the world's largest networking equipment vendors.

Renai LeMay, ZDNet Australia

"The idea behind firewalls doesn't work anymore," 3Com's global vice-president Pat Rudolph said in an interview with your writer.

"The idea behind firewalls is that people inside the network are trusted and that people outside the network are potentially malicious," he continued.

"The problem is, if I take my laptop home and get infected on my home network because my kid's doing something he shouldn't be, I can then walk my laptop right past my firewall, and plug it into the corporate network. I can then infect the network."

Rudolph also pointed out that firewalls work by leaving some network ports open.

"Like port 80, which is Web traffic. You have to leave port 80 open. The problem is that hackers know this, and they can put in malicious attacks through port 80," he said.

Rudolph's comments are correct. A number of common security threats aren't going to be stopped by your average firewall.

This is exactly why the current generation of multipurpose (anti-spam, anti-virus, anti-spyware, etc.) security hardware is enjoying high levels of popularity. For example, real estate king LJ Hooker is currently installing such devices throughout its Australia-wide network.

However, while firewalls are not enough on their own, they remain integral to network defence strategies.

An executive from wireless security vendor AirDefense told a Sydney conference yesterday that firewalls should always be used, especially for wireless devices.

As he demonstrated a technique that could take control of a whole room of laptops within seconds, the company's director of technical solutions Spencer Parker said even the humble firewall bundled with Windows XP could stop a lot of threats targeted at individual PCs.

The lesson to be learnt here is that even though firewalls are not sufficient security on their own, they're still going to be around for a long time in one form or another.

As for Rudolph himself, he can probably afford to be complacent even if his kids are tinkering with his work machine.

"I have a team of technical specialists around the world and we all tend to operate on Macintosh," he said. "Without offending Microsoft, I like my computer to be stable."

Like Windows XP, Mac OS X comes with a firewall built in, but the Apple operating system has a much better history when it comes to security problems.

What do you think? Are networks still safe behind firewalls or can hackers bypass them at will? Send your thoughts to renai.lemay@zdnet.com.au.

For more views from the trenches of Australian telecommunications, visit my new blog:
Full Duplex
http://www.zdnet.com.au/blogs/fullduplex

Talkback 10 comments

    Just use IPCop! Anonymous -- 02/03/06 (in reply to #120130065)

    I have used it at work and on my home network for two years. Very well conceived.

    * Provide a stable Linux Firewall Distribution.
    * Provide a secure Linux Firewall Distribution.
    * Provide an opensourced Linux Firewall Distribution.
    * Provide a highly configurable Linux Firewall Distribution.
    * Provide an easily maintained Linux Firewall Distribution.
    * Provide an easily configured Linux Firewall Distribution.
    * Provide reliable Support to the IPCop Linux user base.
    * Provide an enjoyable environment for the Public to discuss and request assistance.
    * Provide stable, secure, and easy to implement upgrades/patches for IPCop Linux.
    * Develop an appreciation for both the Linux and Opensource movements in our user base.
    * Develop a long lasting relationship with our userbase.
    * Strive to adapt IPCop to meet the needs of the Internet of Tomorrow.
    * Further develop the Linux Knowledge base of all Project Members and Users.

    Just use "English" Anonymous -- 20/03/06 (in reply to #120130066)

    yeah...

    Another "I have no clue" post Craig S Wright -- 03/03/06

    The issue is -
    1 A "commercial firewall" is NOT the firewall. The filtering infrastructure, including the screened routers etc., IS.
    2 Clueless vendors spreading FUD should be held liable for the damage they do to the industry.
    3 Journalists should start acting more responsibly and not misquote as often as they do.

    Point 3 - A professional journalist is just that. They are not just reporters and have a responsibility to check the facts.

    FUD is not truth; it is JUST a scare tactic designed to sell services.

    "The idea behind firewalls is that people inside the network are trusted and that people outside the network are potentially malicious" is wrong. The idea of firewalls is zoning and segmentation. This is the same now as it always was. The lack of understanding of risk is the same as it always was.

    "Like port 80, which is Web traffic. You have to leave port 80 open. The problem is that hackers know this, and they can put in malicious attacks through port 80," he said.

    is just a ***clueless*** comment designed to spread FUD and sell vendor product at any cost - including the truth.

    Leaving only port 80 for web DOES improve things. It means that you have to concentrate on securing TCP 80 - one port. Otherwise there are 65 thousand other ports to secure!

    It is FAR easier to concentrate on a single service than 65k of them.

    Craig

    FUD - Fear Uncertainty and Doubt

    Hosing down the firewall hype Christian Heinrich -- 03/03/06

    The view expressed by Pat Rudolph (3Com) has been well known in the security community since 1990 and possibly earlier, when Bill Cheswick (AT&T Bell Laboratories) described the gateway as "a sort of crunchy shell around a soft, chewy center" in his paper "The Design of a Secure Internet Gateway".

    Firewalls can only provide "limited" access control due to the weaknesses inherent in TCP/IP and how it processes network packets. For example, it is possible for a firewall to permit a connection between two IP addresses simply by injecting traffic that appears to belong to an existing connection which commenced prior to the firewall registering the "start" of the connection.

    While Pat Rudolph (3Com) is advocating a "defense in depth" approach to network security, a firewall can still serve a significant role above other equally important controls, such as virus protection. For example, it is possible to identify an internal worm outbreak by comparing the connection activity logged by the firewall to the known network behavior of a worm.

    The implementation of Fortinet by LJ Hooker may experience the same issue expressed by Pat Rudolph (3Com) for firewalls, as the protection offered by Fortinet is not replicated on other networks outside of LJ Hooker, such as when a laptop connects to a home network, and hence may not be the "defense in depth" approach advocated by Pat Rudolph (3Com). By this I mean that LJ Hooker may not allow laptops to be connected to other networks, such as a home network, and hence may be protected by Fortinet.

    Attacks on TCP/80 ultimately depend on the web server listening on this port. It is possible to reduce the likelihood of an attack against a web server by inspecting the contents of the Application Layer, but this is still "limited" due to the level of understanding of the HTTP protocol by the firewall and the weaknesses inherent in protocols below the Application Layer. TCP/80 is a well known port number due to its assignment by the Internet Assigned Numbers Authority (IANA).

    I will omit providing further comment on Pat Rudolph's statement related to family members accessing his laptop at home and his belief in the security of OS X compared to other Operating Systems as this was not part of your question.
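The detection Heinrich describes above, comparing the connection activity a firewall logs with a worm's known scanning behaviour, as an added example that is not from the article or from any commenter: a per-source fan-out check run over constructed log lines, matched against the ports that Slammer, Code Red and Nimda probed. The log format, the sample addresses and the thresholds are assumptions made here.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log (not from the page), one "time src dst proto dport action"
# per line: 10.1.1.5 fans out on TCP/80 within seconds and 10.1.1.9 on UDP/1434, while
# 10.1.1.8 reaches five web servers spread over half an hour (ordinary browsing).
SAMPLE_LOG = """\
2006-03-03T10:00:01 10.1.1.5 10.1.2.10 TCP 80 ACCEPT
2006-03-03T10:00:02 10.1.1.5 10.1.2.11 TCP 80 ACCEPT
2006-03-03T10:00:02 10.1.1.5 10.1.2.12 TCP 80 DROP
2006-03-03T10:00:03 10.1.1.5 10.1.2.13 TCP 80 DROP
2006-03-03T10:00:04 10.1.1.5 10.1.2.14 TCP 80 DROP
2006-03-03T10:00:10 10.1.1.9 10.1.3.1 UDP 1434 DROP
2006-03-03T10:00:10 10.1.1.9 10.1.3.2 UDP 1434 DROP
2006-03-03T10:00:11 10.1.1.9 10.1.3.3 UDP 1434 DROP
2006-03-03T10:00:11 10.1.1.9 10.1.3.4 UDP 1434 DROP
2006-03-03T10:00:12 10.1.1.9 10.1.3.5 UDP 1434 DROP
2006-03-03T10:00:00 10.1.1.8 10.1.2.20 TCP 80 ACCEPT
2006-03-03T10:07:00 10.1.1.8 10.1.2.21 TCP 80 ACCEPT
2006-03-03T10:14:00 10.1.1.8 10.1.2.22 TCP 80 ACCEPT
2006-03-03T10:21:00 10.1.1.8 10.1.2.23 TCP 80 ACCEPT
2006-03-03T10:28:00 10.1.1.8 10.1.2.24 TCP 80 ACCEPT
"""

# Scanning profile of the worms named in the thread: the port each one probed
# (Slammer UDP/1434, Code Red and Nimda TCP/80).
WORM_PROFILES = {"Slammer": ("UDP", 1434), "Code Red": ("TCP", 80), "Nimda": ("TCP", 80)}

def parse_line(line):
    ts, src, dst, proto, dport, _action = line.split()
    return datetime.fromisoformat(ts), src, dst, proto, int(dport)

def detect_outbreaks(log_text, window_s=60, fanout=5):
    """Map each source that reached at least `fanout` distinct hosts on a worm port within
    `window_s` seconds to the matching worms. Dropped probes count too: a blocked
    connection is still evidence that the source is scanning."""
    window = timedelta(seconds=window_s)
    hits = defaultdict(list)  # (src, proto, dport) -> [(timestamp, dst)]
    for line in log_text.strip().splitlines():
        ts, src, dst, proto, dport = parse_line(line)
        hits[(src, proto, dport)].append((ts, dst))
    alerts = defaultdict(set)
    for (src, proto, dport), probes in hits.items():
        probes.sort()
        for i, (start, _) in enumerate(probes):  # window anchored at each probe in turn
            targets = {dst for ts, dst in probes[i:] if ts - start <= window}
            if len(targets) >= fanout:
                alerts[src].update(n for n, p in WORM_PROFILES.items() if p == (proto, dport))
                break
    return {src: sorted(names) for src, names in alerts.items()}
```

Calling `detect_outbreaks(SAMPLE_LOG)` flags 10.1.1.5 as matching Code Red and Nimda and 10.1.1.9 as matching Slammer; the slow browsing of 10.1.1.8 is only flagged once the window is widened to cover it.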

    Security threats Anonymous -- 07/03/06

    So are you claiming that a commercial firewall is good enough to stop all security flaws and malicious attacks? I am pretty astonished by your comment, as most worms and exploits utilize the public services that are running - http is just one of those, and if we had managed to protect our networks with a firewall we would never have seen Nimda, RedCode, Slammer etc... So I would suggest you read about Intrusion Prevention before making such an assertive comment.

    What author? Anonymous -- 07/03/06 (in reply to #120130341)

    Whose comment are you referring to? i.e. the IPCop one, Craig S Wright, Christian Heinrich or T.D?

    reply Anonymous -- 14/03/06 (in reply to #120130455)

    Christian Heinrich

    Reply from Christian Heinrich Christian Heinrich -- 17/03/06 (in reply to #120130341)

    Anonymous,

    I wish to thank you for indicating that your comment was in response and I would also like to thank the person who requested the clarification of the author.

    I did *not* state at any time that “… a commercial firewall (is) good enough to stop all security flaws and malicious attacks”, specifically I stated that a firewall, be it either proprietary, open source or anything in-between :-), is “… a sort of crunchy shell around a soft, chewy center”, “… provide(s) limited access control”, etc.

    Nor did I state that a firewall would protect a network from “Nimda, RedCode, Slammer” or any other worm, specifically I stated that “… it is possible to *identify* an internal worm outbreak by comparing the connection activity logged by the firewall to the known network behavior of a worm” be it “Nimda, RedCode, Slammer” or any other worm.

    By “… possible to *identify*” I was referring to requiring the ‘additional’ information from the Application Layer, which may not have been logged by the firewall but can be obtained in ‘real-time’ by network packet capture.

    I did acknowledge that “most worm and exploits utilize the public services”, specifically I stated that “Attacks on TCP/80 ultimately depend on the web server listening on this port”.

    A Network Intrusion Prevention System (IPS) could form part of a ‘defense in depth’ approach. However, at the most recent RUXCON [1], I presented a series of related libraries which, amongst other functions, will mimic the network behavior of these worms and trigger the alerts for these worms. These libraries can also directly create database records associated with worms, without the IPS ever seeing any network traffic.

    By exploiting the principle of an IPS it is possible to create an alert that the IPS database host is infected with “Nimda, RedCode, Slammer” or any other worm and have the IPS “prevent” its own database communicating on the network.

    Therefore, IPS is not the silver bullet that you believe will solve the problem with “Nimda, RedCode, Slammer” or any other worm.

    With reference to “RedCode” in your comments, are you referring to “Code Red”?

    If you have any further comments or require additional clarification can you please contact me via e-mail at [christian.heinrich@secureagility.com] in addition to any further postings on ZDNet?

    REFERENCES
    [1] http://www.ruxcon.org.au/2005-presentations.shtml#19

    Misleading T.D. -- 07/03/06

    Narrow interpretation ... this is a complex topic and Mr. 3Com needs to get a handle on some nuance here. Firewalls cannot save you but no security technology can -- and that's because security truly never has been, nor will be, about the tools and gear themselves. This could have been reported a little more clearly; when your source does not introduce nuance, good journalists should do it instead.

    Security via product/technology Jack G. Jessen -- 21/03/06

    The primary problem here is that the vendors as per usual are trying to sell product. Who can blame them? After all, they have children and shareholders to feed :-)

    The secondary problem is one of voice. They seek and often get a platform from which to spruik their perspective.

    We (ICT and security) professionals understand that security is processes and systems; but, we need to seek the same platforms to balance the vendor speak.

    Human nature is to look for the magic pill rather than doing the homework and hard yards required for mitigating threats appropriately in your particular backyard.

    Regards to all.
