Should staff swim naked on the Internet?

Businesses should rethink perimeters, shed the firewall and allow people to "skinny dip" on the Internet, according to security and communications researcher, William Cheswick.
Written by Liam Tung, Contributing Writer

William Cheswick, author of Firewalls and Internet Security – Repelling the Wily Hacker, told ZDNet.com.au at the AusCERT 2008 conference on the Gold Coast this week that business should stop wasting money on firewalls.

"Is it time to just get people from out behind the firewall and the perimeter and have them skinny dipping on the Internet? This is what I have been doing for the past 13 years now, but I think for certain parts of the company we should do that," he told ZDNet.com.au.

Cheswick, a distributed computing and communications researcher for telco AT&T, said that although firewalls are designed to prevent such services as BitTorrent from entering the organisation — due to the possibility of staff illegally downloading music and movie files — they do not work, and cost businesses money.

"[Removing] it would cut costs, and it'd make certain things work. For example, our company policy is that we don't support BitTorrent inside the company. What do you use BitTorrent for? Download movies? On the other hand, there is software that is getting downloaded and is only available on BitTorrent. Well, we in research need to be doing things with that, so maybe we should rethink our security policies," he said.

The way firewalls are configured may simply invite attacks on corporate networks, said IBRS security analyst, James Turner.

"The problem is that you keep opening up firewalls for exceptions, and the point that David Rice — author of Geekonomics — makes, is that when you put up a wall and go into a defensive stance, you're inviting attack. The same is true with a firewall — if you configure it so that only one port is open, guess where the attack is going to come through: that port," Turner told ZDNet.com.au.

Many software management applications require firewall ports for services such as the Web or email to be open in order to function, which simply expands the number of attack vectors open to criminals, Turner added.

Another problem, according to Jason Edelstein, principal consultant for penetration testing firm Sense of Security, is that firewalls often don't scrutinise the type of traffic running through an open port.

"Some firewalls don't do inspections of what's occurring over a port. Just because Web traffic is running over port 80, it doesn't mean you can't tunnel other protocols through that port," he told ZDNet.com.au.

John Pirc, senior product manager for IBM's Internet Security Systems, told ZDNet.com.au that some IBM customers have removed firewalls and replaced them with intrusion protection systems (IPS).

"I still think there's a need for firewalls, but when you look at stuff like deep packet inspection, and when you start looking for security threats and vulnerabilities, and stuff that can look at the packets, which is what you can do with an IPS... I've seen instances where people have pulled out firewalls and put in IPS," he told ZDNet.com.au.

However, Pirc said that although security shouldn't limit staff doing their jobs, there has to be an awareness of the risks of introducing certain new applications to the business.

"When you think of BitTorrent, what is the liability to the company if someone is streaming in movies or other types of content? The company can be held liable for some of that stuff," he said.

Meanwhile, file sharing services are designed to subvert typical firewall defences, rendering them useless.

"A lot of these tools like BitTorrent are designed to subvert firewalls. They know users are behind a corporate firewall, so they become clever in terms of using known ports," said Sense of Security's Edelstein.

"When we've done analyses of logs, in some circumstances around 70 per cent of network traffic is being used for BitTorrent-type services," he added.
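Two of the points above lend themselves to a concrete check: that an open port 80 says nothing about which protocol actually runs over it (Edelstein's tunnelling remark), and that log analysis can put a number on how much traffic is BitTorrent-type. The following Python is an added example written for this article, not code from ZDNet, AT&T, IBRS, Sense of Security or IBM; the flow records, their field names (`dst_port`, `payload`, `bytes`) and the byte counts are constructed, and the classification relies only on the first bytes of a client's payload, which is an assumption a real inspection engine would replace with full-stream analysis.

```python
from __future__ import annotations

import re
from collections import Counter

# Constructed sample flow records (assumed shape, not taken from any real log):
# destination port, the first bytes of the client's payload, bytes transferred.
SAMPLE_FLOWS = [
    {"dst_port": 80, "payload": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n", "bytes": 4_000},
    # BitTorrent peer-wire handshake tunnelled over the "Web" port
    {"dst_port": 80, "payload": b"\x13BitTorrent protocol" + b"\x00" * 8 + b"A" * 40, "bytes": 60_000},
    {"dst_port": 443, "payload": b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03", "bytes": 10_000},
    # BitTorrent tracker announce: legitimate-looking HTTP, but still BitTorrent
    {"dst_port": 80, "payload": b"GET /announce?info_hash=%01%02%03&peer_id=-XX0001-abc HTTP/1.1\r\n", "bytes": 1_000},
    # Binary protocol on port 80 that is neither HTTP nor a known signature
    {"dst_port": 80, "payload": b"\x00\x00\x00\x0c\x04\x00\x00\x00\x00\x00\x00\x00", "bytes": 20_000},
    # SMTP on its own port: not modelled here, so it is reported as unknown
    {"dst_port": 25, "payload": b"EHLO mail.example.com\r\n", "bytes": 5_000},
]

BT_HANDSHAKE = b"\x13BitTorrent protocol"                       # peer-wire handshake prefix
BT_TRACKER = re.compile(rb"^GET /[^ ]*announce\?[^ ]*info_hash=")  # HTTP tracker announce
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")
TLS_HANDSHAKE = b"\x16\x03"                                      # TLS record type 22, SSL3/TLS1.x

# What a port "should" carry; anything else on that port is a mismatch worth a look.
EXPECTED_ON_PORT = {80: "http", 443: "tls"}


def classify_payload(payload: bytes) -> str:
    """Name the application protocol from the leading bytes of the payload."""
    # Check BitTorrent first: a tracker announce is valid HTTP but still BitTorrent.
    if payload.startswith(BT_HANDSHAKE) or BT_TRACKER.match(payload):
        return "bittorrent"
    if payload.startswith(HTTP_METHODS) or payload.startswith(b"HTTP/"):
        return "http"
    if payload.startswith(TLS_HANDSHAKE):
        return "tls"
    return "unknown"


def mismatched_flows(flows) -> list[int]:
    """Indices of flows whose payload does not match the protocol the port implies."""
    return [
        i for i, f in enumerate(flows)
        if f["dst_port"] in EXPECTED_ON_PORT
        and classify_payload(f["payload"]) != EXPECTED_ON_PORT[f["dst_port"]]
    ]


def traffic_share(flows) -> dict[str, float]:
    """Percentage of transferred bytes per detected protocol (the kind of figure quoted above)."""
    totals = Counter()
    for f in flows:
        totals[classify_payload(f["payload"])] += f["bytes"]
    grand = sum(totals.values()) or 1  # avoid division by zero on an empty log
    return {proto: round(n / grand * 100, 1) for proto, n in totals.items()}


if __name__ == "__main__":
    for i in mismatched_flows(SAMPLE_FLOWS):
        f = SAMPLE_FLOWS[i]
        print(f"flow {i}: port {f['dst_port']} actually carries {classify_payload(f['payload'])}")
    print(traffic_share(SAMPLE_FLOWS))
```

On the constructed sample, three of the port-80 flows are flagged (the peer-wire handshake, the tracker announce and the unidentified binary protocol) and BitTorrent accounts for 61 per cent of bytes, which is the same kind of per-protocol breakdown Edelstein describes. A prefix signature like this is deliberately conservative: BitTorrent clients can obfuscate the handshake with protocol encryption, so a real port-validation control should combine payload inspection with behavioural cues (many peers, long-lived symmetric transfers) rather than trust the first bytes alone.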

Firewalls are usually installed for a very good reason and are meant to defend against serious harm to the business, Edelstein added.

However, for all their faults, IBRS's Turner reckons it's too early to get rid of firewalls just yet.

"At the moment it's ridiculous to get rid of the firewall. If you're out skinny dipping on the Internet, then you better have access to a very good shower at the end of your swim. But absolutely it's the dream that we can swim as nature intended," he said.