I was sitting in an undistinguished meeting room in the middle of nowhere, talking about leaking networks. Well, to be more precise, I was talking to Bill Cheswick, and we were at the Foxwoods casino in the middle of the Pequot Indian Reservation, where the CyberCrime 2003 conference is held. This actually is in the middle of nowhere, otherwise known as "Connecticut." A look outside the Foxwoods' windows would convince you that glaciers would arrive in an hour or two and wipe out all forms of life.
Cheswick was talking about network leaks. He showed me a diagram that looked a lot like the diagrams fireworks companies use to show you how next year's Bastille Day celebration will turn out. There were lines, starbursts, and more lines. Every so often, you'd see a line that went on for a long stretch, then a change of colors, and more starbursts. "That's a leak," Cheswick explained.
Cheswick, who helped form Lucent Technologies Inc. spin-off Lumeta Corp. (http://research.lumeta.com) has figured out how to find most unexpected and unauthorized connections to the Internet from intranets. He points out that such connections, which usually bypass firewalls and probably other security provisions as well, can cause grave damage to a company's enterprise network.
What is such a leak? It's an Internet connection that uses a path other than the one officially blessed by the IT department. The leak may be a result of a misconfigured router, a dual-homed server without adequate security, or an intentional leak created by an administrator who just wanted access to his workstation from home. Leaks create a pathway between the public Internet and the enterprise that doesn't include the safeguards most enterprises require.
What this means is that bad things such as worms can happen more easily. You might think that your firewall will keep such problems at bay, but if you have a means of Internet access that bypasses your firewall, you'd be wrong.
So what are the chances that your network is vulnerable? "All intranets are out of control," Cheswick says. It's his contention that virtually any organization network, regardless of size, has network leaks of some type, and his tests have apparently upheld this belief.
The problem is that you can't necessarily do much about finding and sealing these leaks without talking to Cheswick and his band of network leak detectors. Fortunately, he's working on releasing his expertise in the form of a tool that you can run on your network yourself.
In the meantime, there are a few things you can do to minimize leaks. The most obvious is to inspect the routing tables of your organization's routers. If there's access to the outside world that the router knows about, it will appear there. The second is to redouble your effort to find people who have created connections from their personal workstations to the outside world -- such as the aforementioned network admin who creates his own connection to the workstation to avoid coming in to address late-night pages.
And, of course, there's always training: Not every network administrator knows what a leak is or why it's a problem. Maybe telling them about it would help.