Databus Issue: 2006 4 10/17/2006
A Firewall is Not a Device
Matt Woods Network Administrator
The second most targeted industry for cyber attacks is education. Surprised? In fact, according to Symantec Corporation, the top five most likely victims of a cyber attack are financial, education, small business, accounting and government institutions.
Since K-12 school districts are both “education” and state “government,” one could say that K-12 organizations are particularly at risk in terms of cyber assault. But fear not, we protect our networks with a firewall! Right?
Can you point to a device, an appliance, or a hardened server sitting on your network and say, “That’s my firewall. That’s how I protect my network?” If you can, then you might be overlooking aspects of a complete security philosophy. As an example, when someone asks where my “firewall” is, I show them a binder over my desk labeled “Network Security Policies.” The point is that a firewall is actually a set of policies. Who can access what, from where, and when? The appliance attached to the network, and generally referred to as a firewall, is just one element of a cohesive strategy used to implement those policies. Other elements of your security infrastructure will include both technological and biological components. We will get to those next time.
For the moment, we will go back to that device connected between your network and the outside world. A minute ago, you might have called it your firewall. I like to call it the “Perimeter Protection Device” (PPD). Security at this level is obviously important when you consider the facts. With 1,200 to 1,500 sites falling victim to DoS (Denial of Service, http://en.wikipedia.org/wiki/Denial-of-service_attack) attacks every day, 1,500 to 2,000 new viruses, trojans and worms introduced each month, and over 2,000 known vulnerabilities in major operating systems, we can certainly see that protecting the perimeter of our network is crucial (Symantec, 2005).
Below is a simple test. You will not need pen and paper. Just answer the questions as you go along. Each question requires a simple ‘Yes’ or ‘No’ response.
Does your Perimeter Protection Device (PPD):
1. Provide DNS services to your network or the outside world?
2. Host one or more web pages?
3. Run an SMTP (email) service?
4. Provide content or virus filtering?
5. Run Windows, NetWare or Linux as its operating system?
6. Allow access to hosts on your internal network (other than those in an isolated DMZ network)? (For a DMZ definition, see: http://en.wikipedia.org/wiki/Demilitarized_zone_%28computing%29)
If you answered ‘Yes’ to ANY of the above questions, then your PPD is actually putting your network at risk. Why? DNS, HTTP and SMTP are the three most exploited protocols on the web. By making these protocols accessible on your PPD, you are opening up the PPD itself to all of the exploits and attacks aimed at them.
Likewise, content control and virus scanning on the PPD means that a third-party engine (virus scanning or content control) is also running on the PPD. These engines require the ability to receive vendor updates, write logs and store quarantine information, which means that they have access to the internals of the PPD operating system. In addition, the “job” of these engines is to pass data along certain ports. Each of these ports becomes a potential pathway by which to access or exploit your network.
Perimeter Protection Devices based on popular operating systems such as Windows, NetWare and even Linux can easily become victims of exploits written for those operating systems. While there are ways to “harden” operating systems, it is virtually impossible to eliminate fundamental risks at the kernel level. Hardening Linux, too, while possible, should only be attempted by experts with plenty of time to devote to compiling custom kernels and modules.
A DMZ network provides an intermediate layer of protection between your internal network and the external world of the Internet. Any service available to the outside world should reside in your DMZ. We have all been asked or tempted to “poke a hole” in the “firewall” to give access to that cute teacher website hosted on a school-based server.
However, this quick fix creates a pathway from the Internet to one internal server and from there to the rest of your network.
OK. Perhaps that first test was a little hard. See how you do on this one.
Do you (or someone in your organization):
1. Regularly (at least once a week) review the logs of your PPD?
2. Know the statistics of your PPD: packet transfer rates, blocked packet rates, processor and link utilization?
3. Have policies and procedures in place to deal with perimeter security breaches and attempts?
4. Know how to report “cyber incidents” to local law enforcement, the FTC and the FBI, and have you ever reported an incident in the past?
If you answered ‘No’ to ANY of these questions, then you are likely too reliant on the technology of your PPD and forgetting that these systems need to be monitored and managed. We are all too busy every day to deal with things that are not a problem. We get complacent. But, if you wait until there is a problem, or a suspected problem, it will be too late to answer these questions.
I often say that “my job description is the only one in the district that includes the word ‘paranoid.’” Just because I am paranoid does not mean that they are not out to get me. For proof, just look at my PPD logs. On an average day our PPD will record (and block, thank goodness) over 250,000 attempts to access our network. That is a quarter-million hits per day, or 15 million times per month, that someone, maliciously or innocently, knocks on our door wanting access to something that is prohibited. I know this because I review our PPD logs regularly. This information helps to reinforce what I consider to be a healthy level of paranoia, to demonstrate to executive management the importance of continued investment in this area, and to track patterns of attack types and source addresses, so that I generally just know what people are trying to get at and how.
Have you ever heard of “baselining”? This is the process of measuring a system when there is no problem so that you can more easily recognize when something is wrong. For instance, by knowing what the average link and processor utilization is on my PPD, it is easy to see at a glance when activity is unusually high. This might mean that a DoS attack is under way, a new worm is spreading across the web or that my ISP is having a problem. In any event, I have a simple litmus test I can use to see if things seem normal. The same is true of packet forward and block rates. As mentioned above, my PPD records an average of 250,000 blocks per day. If I were to look at the statistics and see that 300,000 packets had already been blocked by noon, then I would instantly know that something is not right.
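The log review in the previous paragraph and the baselining test above can be turned into a small script. This is an added example, not code from the article or its author: it assumes a constructed log format (date, time, ACTION, source address, destination port), uses the 250,000 blocks/day figure from the article as the baseline, and takes an assumed alert ratio and an assumed even spread of blocks across the day.

```python
from collections import Counter
from datetime import datetime

BASELINE_BLOCKS_PER_DAY = 250_000   # daily average quoted in the article
ALERT_RATIO = 1.5                   # assumed: alert when blocks run 50% above the baseline pace

# Constructed sample log lines in an assumed format: "date time ACTION src_ip dst_port"
SAMPLE_LOG = """\
2006-10-17 08:01:10 BLOCK 198.51.100.7 25
2006-10-17 08:01:12 BLOCK 198.51.100.7 53
2006-10-17 08:02:03 ALLOW 192.0.2.10 80
2006-10-17 08:02:44 BLOCK 203.0.113.9 135
2006-10-17 08:03:15 BLOCK 198.51.100.7 80
2006-10-17 08:04:58 BLOCK 203.0.113.9 135
"""

def parse_blocks(log_text):
    """Yield (timestamp, src_ip, dst_port) for every BLOCK line; other actions and malformed lines are skipped."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] != "BLOCK":
            continue
        ts = datetime.strptime(f"{parts[0]} {parts[1]}", "%Y-%m-%d %H:%M:%S")
        yield ts, parts[3], int(parts[4])

def attack_patterns(log_text, top_n=3):
    """Tally blocked packets by source address and by destination port: who is knocking, and on which door."""
    sources, ports = Counter(), Counter()
    for _, src, port in parse_blocks(log_text):
        sources[src] += 1
        ports[port] += 1
    return sources.most_common(top_n), ports.most_common(top_n)

def expected_blocks_by(hour_of_day):
    """Blocks the baseline predicts by a given hour, assuming blocks arrive evenly over the day."""
    if not 0 < hour_of_day <= 24:
        raise ValueError("hour_of_day must be in 1..24")
    return BASELINE_BLOCKS_PER_DAY * hour_of_day / 24

def baseline_check(blocks_so_far, hour_of_day):
    """Compare today's running block count with the baseline pace; return (ratio, alert)."""
    ratio = blocks_so_far / expected_blocks_by(hour_of_day)
    return round(ratio, 2), ratio >= ALERT_RATIO

if __name__ == "__main__":
    print(attack_patterns(SAMPLE_LOG))
    # The article's scenario: 300,000 blocks by noon against a 250,000/day baseline
    print(baseline_check(300_000, 12))   # (2.4, True)
    print(baseline_check(120_000, 12))   # (0.96, False)
```

A real PPD will spread blocks unevenly across the day, so a per-hour baseline measured from your own logs will give fewer false alarms than the flat pace assumed here.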
I cannot overstate the importance of having a plan for dealing with a crisis. You cannot develop an effective plan in real time and under pressure such as during a network intrusion event. This is why it is important to document your policies and procedures for dealing with intruders before you have one. As noted by the Cyber Tools On-Line Search for Evidence (CTOSE) project, your goal is to “identify, secure, integrate and preserve electronic evidence” while protecting the resources inside your network. You cannot determine how to do this on the fly. You will need a plan.
Your network has been attacked. Your users have been victims of cyber crime and phishing (http://en.wikipedia.org/wiki/Phishing). You receive e-mail that is in violation of the CAN-SPAM Act of 2003. Have you reported these incidents? If not, why? These are crimes and violations of federal law. If we do nothing about it, how can we ever hope to stop those that make the Internet a dangerous place?
A firewall is not a device, it is a philosophy. Protecting the perimeter of your network is a key step towards securing your organization. However, there is more to implementing a firewall than just plugging in an appliance. You also need to document, plan, be informed, be prepared and be just a little bit paranoid.