[ISN] Firewalls a dangerous distraction says expert

[InfoSec News]

http://www.techworld.com/security/news/index.cfm?NewsID=3992

By Rodney Gedda
Computerworld Australia
07 July 2005

A preoccupation with firewalls is diverting attention and resources 
away from the more important issue of locking systems down, according 
to an expert. 

Computer security researcher at the San Diego Supercomputing Center 
(SDSC), Abe Singer said companies can spend 90 percent of their 
security efforts on firewalls and not much of anything else. "I'm not 
saying firewalls are completely irrelevant, but how much effort do you 
spend on security?" Singer asked. "Do security at the host, not just 
the perimeter. You should be worried about what users are doing, 
because if an attacker is going through the perimeter [without secure 
hosts] then it's game over." 

Speaking at the Australian Unix and open systems user group (AUUG),
Singer prides himself on the claim that the SDSC has gone four years
without a root-level intrusion to its systems - without using a
firewall. "At the SDSC we don't use a firewall, it's not feasible," he
said. "Since we have to secure hosts individually if we had a firewall
it would be so open it would be useless."

Singer said there is a perception that a firewall is a must-have. He
cited Visa's server requirements for online merchants which stated
they must have a firewall, but did not specify any configuration
details. "Too much of the security budget is being spent on firewalls
which also get too much attention [and] it's also 'cool' to have a new
firewall to play with," he said, adding that other appliances like
intrusion detection and prevention systems are an extension of the
same idea.

"People are attracted to the idea that security can be bought [and] 
it's hard to differentiate between marketing hype and reality," he 
said. "We have a known 'good' config and when we find something is bad 
it's consistently fixed." 

Singer is adamant that intrusion will not be stopped by a firewall and 
attackers have used Trojan SSH clients to steal user names and 
passwords. Other practices Singer recommends include not running 
services you don't need, for example, services that are only required 
internally don't need to be external. 

"You really need to think through your processes [and] relying on a 
firewall means you're probably doing security wrong," he said. 
"Surveys have shown that 60 percent of security breaches are internal 
but 70 percent of people are worried about hackers on the outside. 
Internal breaches are worse, because someone has a level of access and 
knows where the assets are. If an attacker was really looking at 
compromising a company's assets he or she would get a job in the mail 
room."