Should staff swim naked on the Internet?

Summary: Businesses should rethink perimeters, shed the firewall and allow people to "skinny dip" on the Internet, according to security and communications researcher, William Cheswick.

William Cheswick, author of Firewalls and Internet Security – Repelling the Wily Hacker, told ZDNet.com.au at the AusCERT 2008 conference on the Gold Coast this week that businesses should stop wasting money on firewalls.

"Is it time to just get people from out behind the firewall and the perimeter and have them skinny dipping on the Internet? This is what I have been doing for the past 13 years now, but I think for certain parts of the company we should do that," he told ZDNet.com.au.

Cheswick, a distributed computing and communications researcher for telco AT&T, said that although firewalls are designed to prevent such services as BitTorrent from entering the organisation — due to the possibility of staff illegally downloading music and movie files — they do not work, and cost businesses money.

"[Removing] it would cut costs, and it'd make certain things work. For example, our company policy is that we don't support BitTorrent inside the company. What do you use BitTorrent for? Download movies? On the other hand, there is software that is getting downloaded and is only available on BitTorrent. Well, we in research need to be doing things with that, so maybe we should rethink our security policies," he said.

The way firewalls are configured may simply invite attacks on corporate networks, said IBRS security analyst, James Turner.

"The problem is that you keep opening up firewalls for exceptions, and the point that David Rice — author of Geekonomics — makes, is that when you put up a wall and go into a defensive stance, you're inviting attack. The same is true with a firewall — if you configure it so that only one port is open, guess where the attack is going to come through: that port," Turner told ZDNet.com.au.

Many software management applications require firewall ports for services such as the Web or email to be open in order to function, which simply expands the number of attack vectors open to criminals, Turner added.

Another problem, according to Jason Edelstein, principal consultant for penetration testing firm Sense of Security, is that firewalls often don't scrutinise the type of traffic running through an open port.

"Some firewalls don't do inspections of what's occurring over a port. Just because Web traffic is running over port 80, it doesn't mean you can't tunnel other protocols through that port," he told ZDNet.com.au.

John Pirc, senior product manager for IBM's Internet Security Systems, told ZDNet.com.au that some IBM customers have removed firewalls and replaced them with intrusion protection systems (IPS).

"I still think there's a need for firewalls, but when you look at stuff like deep packet inspection, and when you start looking for security threats and vulnerabilities, and stuff that can look at the packets, which is what you can do with an IPS... I've seen instances where people have pulled out firewalls and put in IPS," he told ZDNet.com.au.
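Edelstein's point about tunnelling other protocols through port 80 and Pirc's point about deep packet inspection come down to the same gap: a port-based rule accepts anything arriving on an open port, while a payload-aware check identifies the application protocol first and flags a mismatch. The Python below is an added example, not code from the article or from any vendor it mentions; the sample flows are constructed and the protocol signatures are deliberately simplified.

```python
import re

# Constructed sample flows: destination port plus the first bytes of the
# client payload. Illustrative values, not captured traffic.
SAMPLE_FLOWS = [
    (80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    (80, b"POST /api HTTP/1.1\r\nHost: example.test\r\nContent-Length: 0\r\n\r\n"),
    (80, b"SSH-2.0-OpenSSH_9.6\r\n"),                        # SSH tunnelled over 80
    (80, b"\x13BitTorrent protocol" + b"\x00" * 8 + b"\xaa" * 40),
    (443, b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"),  # start of a TLS ClientHello
]

# Which application protocols are expected on which open port.
EXPECTED_ON_PORT = {80: {"http"}, 443: {"tls"}}
HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|PATCH|CONNECT|TRACE) \S+ HTTP/1\.[01]\r\n"
)

def identify_protocol(payload: bytes) -> str:
    """Best-effort protocol identification from the first bytes of a flow."""
    if HTTP_REQUEST_LINE.match(payload):
        return "http"
    if payload.startswith(b"SSH-"):
        return "ssh"
    if payload.startswith(b"\x13BitTorrent protocol"):   # BitTorrent peer handshake
        return "bittorrent"
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"                                      # TLS handshake record header
    return "unknown"

def port_policy(port: int) -> str:
    """Port-only firewall rule: allow if the port is open, whatever the content."""
    return "allow" if port in EXPECTED_ON_PORT else "deny"

def content_policy(port: int, payload: bytes):
    """Payload-aware decision: alert when the protocol does not match the port."""
    proto = identify_protocol(payload)
    if port not in EXPECTED_ON_PORT:
        return "deny", proto
    if proto in EXPECTED_ON_PORT[port]:
        return "allow", proto
    return "alert", proto

def audit(flows):
    """Side-by-side verdicts: (port, port-only verdict, content verdict, protocol)."""
    return [(port, port_policy(port), *content_policy(port, payload))
            for port, payload in flows]
```

Running `audit(SAMPLE_FLOWS)` shows the port-only rule allowing all five flows while the content check raises alerts for the SSH and BitTorrent payloads on port 80.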

However, Pirc said that although security shouldn't limit staff doing their jobs, there has to be an awareness of the risks of introducing certain new applications to the business.

"When you think of BitTorrent, what is the liability to the company if someone is streaming in movies or other types of content? The company can be held liable for some of that stuff," he said.

Meanwhile, file sharing services are designed to subvert typical firewall defences, rendering them useless.

"A lot of these tools like BitTorrent are designed to subvert firewalls. They know users are behind a corporate firewall, so they become clever in terms of using known ports," said Sense of Security's Edelstein.

"When we've done analyses of logs, in some circumstances around 70 per cent of network traffic is being used for BitTorrent-type services," he added.

Firewalls are usually installed for a very good reason and are meant to defend against serious harm to the business, Edelstein added.

However, for all their faults, IBRS's Turner reckons it's too early to get rid of firewalls just yet.

"At the moment it's ridiculous to get rid of the firewall. If you're out skinny dipping on the Internet, then you better have access to a very good shower at the end of your swim. But absolutely it's the dream that we can swim as nature intended," he said.

Liam Tung

About Liam Tung

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelors degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, security and telecommunications journalist with ZDNet Australia. These days Liam is a full time freelance technology journalist who writes for several publications.

Talkback

4 comments
  • Safety first. Security is a multi-layered beast

    This is hog wash.
    Hackers make a point of running automated hacking routines that scan IP addresses and ports. Fact is, F/Ws stop an enormous number of these hackers.
    anonymous
  • What a load of rubbish

    Mr Cheswick's argument is based on a very naive approach to business.

    As for the writer referencing other people to support the case, did the writer just decide to include these or did Mr Cheswick actually make the association? If the first, then you may want to check that those individuals agree with the conclusion drawn by this selective assemblage of statements.
    anonymous
  • Nothing's certain, but that doesn't mean it's not needed

    Using this rationale, seeing that people die in cars all the time, we should then remove speed limits, seatbelts and airbags.

    Cheswick is entitled to his opinion (and it may be valid), but ZDNet, I had more faith that you would publish thoroughly researched material, not what 'appears' to be a half-baked idea.

    If Cheswick has a valid point, then I would love to see more detail to back up his argument.
    anonymous
  • Many workarounds already

    Mate, there are already many workarounds anyway! Google Translate, email websites, secure proxies, and more.
    So this point: "they do not work, and cost businesses money" is a valid argument.
    anonymous