Firewalls a distraction says security researcher

A preoccupation with firewalls for information security is dangerous because it can divert attention and resources away from locking systems down, according to a visiting security researcher.

Computer security researcher at the San Diego Supercomputing Centre (SDSC), Abe Singer said companies can spend 90 percent of their security efforts on firewalls and not much of anything else.

"I'm not saying firewalls are completely irrelevant, but how much effort do you spend on security?" Singer asked. "Do security at the host, not just the perimeter. You should be worried about what users are doing, because if an attacker is going through the perimeter [without secure hosts] then it's game over."

In Australia to speak at the Australian Unix and open systems user group (AUUG) security seminars this month, Singer prides himself on the claim that the SDSC has gone four years without a root-level intrusion to its systems - without using a firewall. He believes this is as good as an organization relying on a firewall.

"At the SDSC we don't use a firewall, it's not feasible," he said. "Since we have to secure hosts individually if we had a firewall it would be so open it would be useless."

Singer said there is a perception that a firewall is a must-have. He cited Visa's server requirements for online merchants which stated they must have a firewall, but did not specify any configuration details.

"Too much of the security budget is being spent on firewalls which also get too much attention [and] it's also 'cool' to have a new firewall to play with," he said, adding that other appliances like intrusion detection and prevention systems are an extension of the same idea.

"People are attracted to the idea that security can be bought [and] it's hard to differentiate between marketing hype and reality," he said. "We have a known 'good' config and when we find something is bad it's consistently fixed."

Singer is adamant that intrusion will not be stopped by a firewall and attackers have used Trojan SSH (secure shell) clients to steal usernames and passwords.

Other practices Singer recommends include not running services you don't need, for example, services that are only required internally don't need to be external.

"You really need to think through your processes [and] relying on a firewall means you're probably doing security wrong," he said. "Surveys have shown that 60 percent of security breaches are internal but 70 percent of people are worried about hackers on the outside. Internal breaches are worse, because someone has a level of access and knows where the assets are. If an attacker was really looking at compromising a company's assets he or she would get a job in the mail room."

More about: AUUG, Visa

Comments

Post new comment

The content of this field is kept private and will not be shown publicly.
Users posting comments agree to the Computerworld comments policy.
Login or register to link comments to your user profile, or you may also post a comment without being logged in.
Related Whitepapers
Latest Stories
Community Comments
Whitepapers
All whitepapers
Sign up now to get free exclusive access to reports, research and invitation only events.
Featured Download
/downloads/product/19/avg-anti-virus-free-edition/

AVG Anti-Virus Free Edition

Note: This review covers version 8.5 of the software. This software is now in version 9.0. Antivirus program AVG 8.5 Free offers solid features and ...

Computerworld newsletter

Join the most dedicated community for IT managers, leaders and professionals in Australia