cc: All Users: Fight fire with more than just fire
A few years ago, the entire state of Florida seemed to be on fire. My parents were on vacation there at the time and happened to witness a giant fire that was rapidly approaching a highway. Police had stopped traffic while emergency fire crews attempted to check the inferno. But despite their best efforts, which included building a backfire (a way of fighting fire with fire), the flames leaped across four lanes of highway and continued on their way.
The moral of the story is that you can't always fight a blaze with fire alone. The same is true with trying to stop Internet-borne threats with just a firewall.
This issue contains a comprehensive Buyers Guide on network firewalls. Without question, every agency or outpost needs a network firewall. And if you are working from home or on the road by yourself, you should have a personal firewall.
In the GCN Lab, we have seen computers sitting outside our firewall become infected with all types of insidious programs in less than 10 minutes. Once we even set up a fake honey-pot network to observe what hackers would do when they discovered what they thought was a valid network, and it wasn't pretty.
But the firewall is just the base of your security pyramid. Like the flames along that Florida highway, some threats are powerful enough to leap a prepared firewall.
GCN recently looked at four security appliances designed to sit behind your firewall [GCN, April 4, 2005, Page 50]. Those devices concentrated on the mail stream, which is often overlooked by a standard firewall, leaving open a vulnerable gateway into your network. And even if your firewall is able to scan for some mail threats, many firewalls aren't able to cope with spam, which is just as detrimental as a virus when the volume of spam reaches critical mass.
And there are even more threats that standard firewalls can't tackle. Intrusion detection is becoming a huge, new product area that the lab is starting to evaluate. These appliances sit on your network and look for other programs trying to sniff out weaknesses in your defenses.
They can even monitor internal network traffic in some cases to see if something bad is happening on the inside of the firewall, which is not always completely secure. In the coming weeks, we plan to review the IntruShield 4010 Appliance from McAfee Inc. for suitability for government use.
Finally, even if you have every conceivable device for monitoring and protection, you still need to train your users to use proper computing practices. A few simple procedures can really help. For instance, they should:
- never open an attachment from people they don't know
- never tunnel out of the firewall to check mail on insecure sites
- never leave their terminals open and logged in when they are away for an extended period of time.
You never know when something really simple like using an alphanumeric password that can't be easily guessed or beaten with a dictionary program will save your network. You may never know, because it might just block someone.
And this is just for your wired network. Adding wireless opens up even more holes that need to be monitored or plugged.
My point is, yes, get a good firewall. Many vendors now support in a single box most of the functions listed here. But don't plug in your firewall and then go to sleep on security. It's an important step, a cornerstone even, but it's not the ultimate answer for every single security problem.