Firewalls Fight Threats on Every Front

Most members of the IT community have vivid memories of the security nightmares that got passed around the campfire during the great migration from terminal/host to client/server architectures. “The new environment is raising grave concerns,” we said in a major article on the topic in February 1994, and that was?if anything?an understatement.

In that piece we were particularly concerned about the doofus threat: the possibility that client/server systems would magnify the effects of simple sloppiness or incompetence by “empowering” nontechnical employees to do damage never possible with a terminal. On the other hand, threats from outside were barely mentioned, partly because we thought a new category of products called “firewalls” showed good promise for dealing with those problems.

Internet Firewalls Frequently Asked Questions (by Matt Curtin and Marcus J. Ranum, available at www.interhack.net/pubs/fwfaq) compares these products not to real firewalls like those that protect your feet from a car’s engine compartment, but to the reception and security desks that most companies have at their front door. Like those desks, firewalls control authentication routines, decide which packet types to admit into the network and which to keep outside the velvet rope, and do head counts on both incoming and outgoing traffic.

Conceptually the idea couldn’t be simpler, and it is easy to see why we had confidence in it. In practice, however, firewalls turned out to be no panacea. According to the “2001 Computer Crime and Security Survey,” prepared by the Computer Security Institute and the FBI’s Computer Intrusion Squad, two-thirds of computer security practitioners participating in the study experienced financial losses from security breaches in the previous year, generally theft of information or fraud. Those able to measure these losses (and willing to reveal them) reported an average of $3.7 million per incident. Every category of network assault (penetration, denial-of-service attacks, viruses) showed significant increases.

In retrospect a little military history might have helped us anticipate this failure. Military theory argues that offense is limited by penetrating power and defense by sensing, analysis and calculation. This is not to say that either side cannot use the assets of the other, only that offense is usually better off spending resources on muscle, and defense, on intelligence. Rapid technological change also tends to favor the offense, probably because breakthroughs in muscle come along more often than significant improvements in brains.

In other words, during high innovation periods, we tend to get relatively beefier, stupider and more offensive. While this concept had its origins in military science, it is an excellent description of ’90s technology as well. The development of the Internet allowed hackers to recruit legions of machines into coordinated attacks on target systems. Further, according to Marcus Ranum, currently CTO of NFR Sec-urity in Rockville, Md., the old Internet was a store-and-forward system, in which firewalls could take time to process complicated security checks. “The Net today is real-time,” he says. “When people hit a button they expect something to happen.” This puts a limit on how sophisticated firewalls can be.

Firewalls thus lost ground from both the top and bottom of the equation at once: While offense was gaining in power, the technology found itself saddled with limitations on how fast it could think. No wonder it is less effective than we had hoped.

Today firewall development is being pushed in two directions. The first retains the concept of a central choke point?the security desk at the entrance?and uses hardware and other performance enhancements to interrogate packets in more detail. Melville, N.Y.-based Spearhead Technologies’ AirGAP, for instance, uses a proprietary operating system to shuttle data into the network. This is like the security desk refusing to let messengers into the building and instead using its own uniformed personnel to deliver packages.

The second approach (one espoused by Rochester, N.H.-based Enterasys Networks, among others) is to install firewalls on every part of the system: every router, switch, virtual private network connection and even every client. Everybody gets a security desk. The virtue of such ubiquity is that each “guard” gets to know its own corner of the world well, which means it can recognize inappropriate activities more quickly. “The end system can see when a program is attempting to write to the desktop registry, and it can see, or ask, whether an upgrade is going on,” says Brent Chapman, president of Great Circle Associates in Mountain View, Calif. “It is in a much better position to know what should be going on.”

How much relief these programs will bring depends on whether information systems continue to change as rapidly as they have in the past. If they do, offense will probably continue to race ahead. If the pace of change slows, allowing experience to accumulate, defense will get smarter and more effective. This may yet turn out to be one of the unanticipated benefits of the dotcom bust.