Until recently, when I imagined a firewall, I pictured, well ... a wall, something essentially impassible. That's not to say that I thought of firewalls as the be-all and end-all of network security. There are usually plenty of opportunities to go over, under or around a wall. And while it's not technically impossible, breaking through a wall usually isn't feasible. For those reasons, I thought that firewalls provided almost "bulletproof" protection against a limited, but significant, class of attacks.
That changed on July 26. As I sat in a crowded conference room in Las Vegas, I watched a group of hackers waltz through the most popular firewall on the Internet, not once or twice, but more than 10 times during a two-and-a-half-hour presentation. Moreover, most of the attacks demonstrated could be modified and used against almost any firewall product currently available. I'd never seen a group of system administrators more impressed, and unnerved.
The demonstration touched on a wide range of vulnerabilities. Most firewalls are remotely administered and use cryptographic techniques to identify those who hold authorized access. So, a small error in an authentication protocol may be enough to allow an attacker to impersonate an administrator.
Firewalls have a limited ability to examine incoming traffic. An attack may be split up among several different data packets, for example, or an improperly implemented virtual private network may prevent the firewall from looking at key data.
What can you do? First, run, don't walk, to your machine and harden your customers' firewalls against these attacks. Consider the following safeguards:
Use the strongest authentication protocol available, preferably a Kerberos or PKI-based solution. If your firewall doesn't support strong authentication, get a new firewall. If that isn't possible, consider disabling remote administration, whether it's a hassle or not.
Be absolutely certain your firewall's antispoofing protections are configured properly; forged source addresses for network traffic are present in many attacks. If your firewall doesn't have an antispoofing mechanism, get a new firewall.
Have your firewall enforce the most restrictive access rules your organization can handle. Use a default "deny all" rule, allowing only those connections you explicitly designate. Never use a rule that allows traffic from "any source" or to "any destination." Deny access to broadcast and multicast addresses.
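The anti-spoofing and "deny all" advice above, worked through as an added example that is not from the column or any firewall vendor: a toy packet filter in Python whose interface names ("ext"/"int"), internal range, partner range and allow rules are all assumptions chosen for illustration. It also includes a ruleset check that flags any rule allowing traffic from "any source" or to "any destination".

```python
import ipaddress
from dataclasses import dataclass

# Constructed illustration, not a real firewall. "ext" is the Internet-facing
# interface, "int" the internal one; 10.0.0.0/8 is the assumed internal range
# and 203.0.113.0/24 an assumed partner network allowed to reach one server.
ANY = ipaddress.ip_network("0.0.0.0/0")
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
# Explicit allow list; everything not listed is denied (default "deny all").
ALLOW_RULES = [
    {"src": ipaddress.ip_network("203.0.113.0/24"),
     "dst": ipaddress.ip_network("10.0.0.80/32"), "proto": "tcp", "dport": 443},
]

@dataclass
class Packet:
    iface: str   # interface the packet arrived on: "ext" or "int"
    src: str
    dst: str
    proto: str
    dport: int

def validate_rules(rules):
    """Indices of rules that allow from any source or to any destination."""
    return [i for i, r in enumerate(rules) if r["src"] == ANY or r["dst"] == ANY]

def is_spoofed(pkt):
    """Anti-spoofing: an internal source address is only legitimate on the
    internal interface, and an external one only on the external interface."""
    from_internal = ipaddress.ip_address(pkt.src) in INTERNAL_NET
    return from_internal != (pkt.iface == "int")

def is_broadcast_or_multicast(addr):
    a = ipaddress.ip_address(addr)
    return a.is_multicast or a == ipaddress.ip_address("255.255.255.255") \
        or a == INTERNAL_NET.broadcast_address

def decide(pkt, rules=ALLOW_RULES):
    """Return the filter verdict for one packet as a short string."""
    if is_spoofed(pkt):
        return "DENY spoofed-source"
    if is_broadcast_or_multicast(pkt.dst):
        return "DENY broadcast-multicast"
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for r in rules:
        if src in r["src"] and dst in r["dst"] and pkt.proto == r["proto"] \
                and pkt.dport == r["dport"]:
            return "ALLOW"
    return "DENY default"
```

Run `validate_rules(ALLOW_RULES)` before loading a ruleset (an empty list means no any/any rules), and `decide(Packet("ext", "10.1.2.3", "10.0.0.80", "tcp", 443))` to see a forged internal source address rejected at the external interface.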
Although those steps can reduce risks and protect your customers' sites, no firewall will ever be bulletproof. Don't trust a firewall to keep out attackers; use multiple lines of defense. Consider using more than one firewall from different vendors. Install an intrusion-detection system, and harden every host. Security must be built throughout your customers' networks, not just at the perimeter.
David Raikow is a contributing editor to Sm@rt Partner. Comments can be sent to firstname.lastname@example.org.