July 29, 2003 -- (WEB HOST INDUSTRY REVIEW) -- Internet security gurus agree the role of firewalls in the enterprise should be revised, with individual security processes taking the place of one-size-fits-all solutions - a suggestion that goes against vendor marketing and the trend toward point solutions in the security industry, but plays along with attempts at transferring hacker know-how over to corporations.
The debate about the methods enterprises and service providers use in order to keep their virtual premises safe from intruders goes to the heart of security debate between hackers and business people. The business world would like for security solutions to be straightforward and ubiquitous. The firewall industry is fulfilling this need, offering products that address known vulnerabilities and deliver an upgrade path where a company can keep up with security upgrades by incrementally adding hardware and software to its virtual defenses.
The hacking community - the term that describes security professionals involved in testing network vulnerabilities, as opposed to crackers, which are hackers turned white-collar criminals - strongly disagrees with this approach. Security, especially Internet security, is an evolving and almost a living thing, they argue, so no product can be current enough to protect against known vulnerabilities. Hacker collectives have proven this point of view time and again, typically through the release of hacking tools like Back Orifice, which automates unauthorized access to vulnerable network components. Large vendors and appliances like firewalls are primary targets of such releases. This approach is beginning to gain traction in the networking community, with well-known security speakers dismissing firewalls as mere corporate security placebos and promoting hacker know-how as a replacement for blind security product maintenance.
"You shouldn't buy firewalls to try and secure your host - in fact, you should probably just secure your host and avoid buying any firewalls at all, unless you need to log your administrative control," said Avi Freedman, Akamai's (akamai.com) chief architect.
Freedman concedes this is not a new position for him, and he has been consistent in advocating against firewalls used as major security applications for close to five years. His view is not that radical in security circles. Steve Bellovin, a well-known security researcher with AT&T Labs, points to the second edition of his book "Firewalls," where he argues a similar point - that firewalls are useful only if used properly, and become dangerous if used as "magic pixie dust" which is supposed to solve all security problems.
"If your firewall is your sole security mechanism, and someone gets in by some other mechanism, you're in trouble," Bellovin writes. The next page of the book is dedicated to examples - malicious code arriving via viruses and floppy disks, disgruntled employees, buffer overflow attacks - and the list goes on.
So what would be the solution? The straight and narrow approach would be to throw more technology at the problem. Check Point Software (checkpoint.com), one of the largest firewall vendors in the world, addresses increasing security risks by adding more functionalities to its products - which now extend beyond firewalls into the VPN and intrusion detection arena.
"I think the firewall should be doing more - it is the first line of protection and whether it is deployed inside or outside of the LAN it should be more intelligent and more integrated to manage multiple applications," said Swepa Duseja, Check Point's product marketing manager.
And where giants like Check Point stop, start-ups pick up. For instance, in May IBM helped launch an outfit named 14 South to make sure firewalls and other security applications can be put on individual servers as opposed to being deployed at the border router. The rationale? Most attacks originate from inside the company.
This is exactly the wrong approach, say experts like Freedman and Bellovin, since a people problem - which is what cracking really is - is being solved with technology.
The real problem with firewalls is the people who install and maintain them and their interaction with other security elements, says Freedman. Certified security specialists, essentially trained by vendors to work with products underlying their technologies, are often too narrow-minded and don't understand the big security picture.
"I am suggesting - unfortunately - that we take a bunch of security practitioners and educate them by giving them a bunch of machines and locking them in a basement for a couple of days as opposed to going the security certification route," said Freedman. "I know too many people doing security who can't lock down a box."
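Freedman's "secure your host" and "lock down a box" point can be made concrete with an audit that asks what a server would expose if the perimeter firewall were not there. The following is an added example written for this page, not code from the article, Freedman, or Akamai. It parses a listing in the layout of Linux `ss -tlnp` output (the sample here is constructed, not captured from a real host), separates loopback-only services from those bound to every interface, and reports the exposed ones that are not on an assumed policy list of ports meant to be reachable.

```python
"""Host-exposure audit: which listening services rely on the firewall for protection?

Added example. The ss-style listing below is constructed sample data, and the
set of approved ports passed to audit_host() stands in for a site policy; both
are assumptions, not values from the article.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in the column layout of `ss -tlnp` (TCP listeners, numeric, with process).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     127.0.0.1:3306       0.0.0.0:*          users:(("mysqld",pid=1040,fd=21))
LISTEN  0       4096    0.0.0.0:111          0.0.0.0:*          users:(("rpcbind",pid=455,fd=4))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
LISTEN  0       100     [::1]:25             [::]:*             users:(("master",pid=980,fd=13))
"""

# One LISTEN row: state, queues, local addr:port, peer addr:port, optional process name.
LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(\S+?):(\d+)\s+\S+\s*(?:users:\(\("([^"]+)")?'
)


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    process: str

    @property
    def is_local_only(self) -> bool:
        """True when the socket is reachable only from the host itself."""
        return self.addr == "::1" or self.addr.startswith("127.")


def parse_listeners(ss_output: str) -> list[Listener]:
    """Turn ss-style text into Listener records; header and non-LISTEN rows are skipped."""
    listeners: list[Listener] = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        addr = m.group(1).strip("[]")  # IPv6 addresses are printed in brackets
        listeners.append(Listener(addr, int(m.group(2)), m.group(3) or "?"))
    return listeners


def audit_host(ss_output: str, approved_ports: set[int]) -> list[Listener]:
    """Return services bound to a non-loopback address whose port is not approved.

    These are the services a perimeter firewall is silently protecting; a
    locked-down host would have them bound to loopback, disabled, or on the list.
    """
    return [
        l for l in parse_listeners(ss_output)
        if not l.is_local_only and l.port not in approved_ports
    ]


if __name__ == "__main__":
    # Assumed policy: only SSH is meant to be reachable from the network.
    for finding in audit_host(SAMPLE_SS_OUTPUT, {22}):
        print(f"exposed without firewall: {finding.process} on {finding.addr}:{finding.port}")
```

Run on a real host by piping `ss -tlnp` output into `audit_host` with the site's own approved-port set; anything it reports is a service whose only protection is the perimeter, which is exactly the single point of failure Bellovin warns about below.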
In other words, Freedman is suggesting having security professionals train and work like hackers so they could stop crackers. Makes sense - and fits the trend of the hacking community becoming more mainstream, with the merging of hacker collectives like L0pht Heavy Industries with security firms like @Stake (atstake.com) being a prime example of how hacker know-how is supposed to benefit the corporate world.
However, three years after @Stake tried to demonstrate by example that hacking is not a bad thing, active hackers say the security industry continues to roll on without amending its ways. It's hard to say if any security professionals are getting real hacker training. "I can't tell you how many CISSPs I've met who are completely clueless with respect to genuine security. The same goes for MCSEs and related," wrote Jay Dyson of Treachery Unlimited in an e-mail exchange. Dyson goes by the handle 'Cancer Omega' when operating with the collective Attrition.org, and works as a security consultant - a hacker hired to thwart and track crackers.
Dyson, who has a day job, says he got to develop real hacker expertise by sheer luck.
"I simply have the good fortune of having a boss who recognizes that just because I'm conversant with Black Hat tactics, technologies and techniques doesn't mean that *I* am a Blackhat," he wrote.
Sure, there are hacker conferences and seminars, but these events don't do much to get hackers more organized or, more importantly, to significantly educate corporate security personnel in hacking technologies. That's not necessarily a bad thing for security practitioners turned hackers - Dyson has his fair share of contract work - but a testament to the fact that the hacker skill set is still rare inside the network where it is needed the most.