Microsoft: Firewalls are failing to keep out hackers

Firewalls aren't doing a good enough job of protecting corporate networks, according to a Microsoft security expert

Speaking in London on Monday at a technical briefing on the need for next generation firewalls, Microsoft security technology architect Fred Baumhardt outlined some of the gaps that traditional firewalls are leaving open.

"We are all bloody lucky that something hasn't obliterated IT on earth," said Baumhardt. "Firewalls are like retarded routers. They just look at the ports, sources and destinations they like. If a train comes from Gare du Nord [Paris] to Waterloo [London] via Eurostar you allow it to enter the country because you trust it. That's what firewalls currently do. They don't check to see if al-Quaeda is riding inside."

Ports allow certain types of Internet traffic to travel if they correspond with the correct port number. For example, HTTP runs on port 80 and is often regarded as a trusted port, and left open. In the past firewalls have often worked on this basis, without checking the content of traffic. But Baumhardt called for IT professionals to ensure they had better equipment.

"I don't care which vendor you get it from," he said. "I just want to see [next generation firewall] technology in front of your network."

Baumhardt was demonstrating Microsoft's Internet Security and Acceleration (ISA) Server 2004. He said that traditional firewalls were failing to scan Internet traffic deeply enough to detect malicious traffic.

"We trust traffic on ports that we think it should be on," said Baumhardt. "But when you do that you relay control to the security vendor. You need to understand the traffic you are trying to block."

Baumhardt gave the example of how many hackers use port 80 to enter a network because it is treated as trusted traffic. He added that it was also important to protect the network internally, not just at the perimeter.

"We don't place devices to protect from within the internal network. But if you don't put firewalls on chokepoints [critical areas in the network] you won't defend your internal network."

The latest version of ISA Server has the ability to run 1.9-gigabit throughput, said Baumhardt, and to scan port traffic at the application layer, which could lead to better transparency. He said it also offers VPN and port scanning technology.

But Baumhardt added that it was unwise to use firewalls without the support of other security technology: "Believe it or not, Microsoft is not the be-all and end-all of everything. We could be a platform for other things to run on. You buy ISA so that you can complement it with SurfControl or McAfee."