By Rodney Gedda
07 July 2005
A preoccupation with firewalls is diverting attention and resources
away from the more important issue of locking systems down, according
to an expert.
Computer security researcher at the San Diego Supercomputing Center
(SDSC), Abe Singer said companies can spend 90 percent of their
security efforts on firewalls and not much of anything else. "I'm not
saying firewalls are completely irrelevant, but how much effort do you
spend on security?" Singer asked. "Do security at the host, not just
the perimeter. You should be worried about what users are doing,
because if an attacker is going through the perimeter [without secure
hosts] then it's game over."
Speaking at the Australian Unix and open systems user group (AUUG),
Singer prides himself on the claim that the SDSC has gone four years
without a root-level intrusion to its systems - without using a
firewall. "At the SDSC we don't use a firewall, it's not feasible," he
said. "Since we have to secure hosts individually if we had a firewall
it would be so open it would be useless."
Singer said there is a perception that a firewall is a must-have. He
cited Visa's server requirements for online merchants which stated
they must have a firewall, but did not specify any configuration
details. "Too much of the security budget is being spent on firewalls
which also get too much attention [and] it's also 'cool' to have a new
firewall to play with," he said, adding that other appliances like
intrusion detection and prevention systems are an extension of the
"People are attracted to the idea that security can be bought [and]
it's hard to differentiate between marketing hype and reality," he
said. "We have a known 'good' config and when we find something is bad
it's consistently fixed."
Singer is adamant that intrusion will not be stopped by a firewall and
attackers have used Trojan SSH clients to steal user names and
passwords. Other practices Singer recommends include not running
services you don't need, for example, services that are only required
internally don't need to be external.
"You really need to think through your processes [and] relying on a
firewall means you're probably doing security wrong," he said.
"Surveys have shown that 60 percent of security breaches are internal
but 70 percent of people are worried about hackers on the outside.
Internal breaches are worse, because someone has a level of access and
knows where the assets are. If an attacker was really looking at
compromising a company's assets he or she would get a job in the mail
Attend the Black Hat Briefings and
Training, Las Vegas July 23-28 -
2,000+ international security experts,
10 tracks, no vendor pitches.