Companies overlook firewall security

Studies reveal a worrying lack of proper firewall security, and experts warn about the dangers of lax enterprise security practices.

The basic firewall appears to be a much-overlooked security measure.

A recent survey of 1,000 small and midsize businesses (SMBs) in Hong Kong, commissioned by McAfee, found that a high 86 percent of respondent organizations did not have a firewall in place. A little over half, or 56 percent, did not consider having a firewall "necessary".

This, in spite of a firewall being "considered basic security technology", said Vu Nguyen, McAfee's research labs field research engineer, in an e-mail interview.

Furthermore, "some administrators may install a firewall but did not have it optimally configured, meaning they still end up allowing malware to penetrate their systems", said Nguyen.

Security is a principle that needs to be approached holistically. "Your defense is only as strong as your weakest link. Each piece of security software has a specific function," said Nguyen.

"Having a firewall without a virus scanner would just leave the system open to certain threats and as much risks as having a virus scanner without a firewall. Both products do not replace each other but rather, complement each other."

Commenting on a recent report that U.K. security researcher David Litchfield found 500,000 database servers exposed online and unsecured by a firewall, Ooi Szu-Khiam, Symantec's principal technical product manager for Asia-Pacific and Japan, highlighted possible reasons for the lax security practices.

Ooi said: "Firewalling will lengthen the testing and quality assurance cycles, making the applications more difficult and costly to test. IT budgets are also constantly being challenged.

"Firewalling also increases the system's design complexity, and IT administrators will try to avoid this--the higher the complexity of the system, the more difficult it will be to debug when problems arise."

A recent study conducted by Symantec revealed other potential security risks faced by companies in Singapore. The study found that "companies are facing an increased security risk from multiple mobile endpoints", Ooi said.

Mobility poses increased threats as employees "constantly plug in and out of corporate networks", introducing new security intrusion points, he explained.