How much can firewalls protect our corporations?
by Amanda Gronau
Jan 16, 2003
Security. It’s a much-used word, a much-used concept in today’s world. We are more policed, more heavily armed, our laws are tighter, our prisons are fuller than they have been in the past. Personal security is a boom market, and so is corporate protection – of assets, of people, of information.
Given that our information today passes through the ether, how much can we guarantee its protection? We looked briefly at this issue in November, following a Frost and Sullivan report on Virtual Private Networks, and we look at it again here, prompted this time by the launch of a new In-Stat/MDR report on the burgeoning network security market that indicates that the sector’s revenues will reach $5.8 billion in 2006, up from $2.3 billion in 2001, with the firewall/VPN segment representing the largest hardware security perimeter market.
"Keeping the bad guys out of the corporate network continues to be a challenge for organizations of all sizes," says In-Stat/MDR Analyst Jaclynn Bumback. "Fortunately, firewalls, Virtual Private Networks and Intrusion Detection Systems work to protect the corporate border." But how well can they really protect our virtual working environments? A fascinating if unsettling series of interviews with hackers and Internet security specialists was conducted by Frontline, the flagship public affairs series of US broadcasting service PBS. We have extracted some of the more salient points from these interviews in an attempt to answer that question.
Kirk Bailey, manager of Information Security at the Frank Russell Company: "The Internet cannot be secured, and that's fact. I would debate that with any vendor, with any inventor of internet technologies, with any business - it can only be risk-managed. All the technology that underlies it was meant for communication, not for conducting business. It is open technology. Everything that you have to do to secure it is afterthought stuff, because it is not part of the infrastructure itself".
Robert Giovagnoni of iDefense, a private agency specializing in information intelligence, agrees: "The internet was originally designed to be open. And now we are trying to protect it by closing all the doors. That won't happen in the foreseeable future. You cannot build a wall around your computer and assume it will never be attacked, or that it will be protected totally, unless, of course, you're connected to nothing, and you lock it in a room, and never use it. What we can do is put obstacles in the way of someone who wants to get access to it".
Two people who have had access to others’ computers, Reid and Count Zero, members of the Cult of the Dead Cow hacker organization, have this to say about the use and conception of the Internet – Reid: "The internet is a mirror of society. It truly is something that reflects all of the elements in the physical world--the types of people who use it, the types of things that are on it, what's being said, and what you'll see and read. Society is complex, and it's often very messy. And I think people just have to deal with that". Count Zero: "The internet was designed basically for the US government in planning a war, and then it was co-opted by scientists to coordinate research. It was constructed using protocols that are very simple, fast, efficient. But they are wide open, and they assume that we are all going to be nice to each other, that no one is going to lie or cheat or steal. And there was really no effort made early on to protect against people who just are outside the trust model, people who just want to go in and see what they can do".
And thus, according to Bruce Schneier, author of Secrets and Lies: Digital Security in a Networked World, the economic dangers for the corporate world are myriad, in part because the internet lays you open to a greater number of potential breaches. On the other hand, the number of targets goes up, so you can effectively get lost in the crowd.
He, too, believes that the Internet will never be secure. "But that's okay", he says, "The real world is an insecure place, yet we live pretty much happy lives, not because there's magic technology that renders guns inoperable, but because we have a legal system, we have societal rules, we have culture that makes our city safe, and our world safe. And I see the same thing happening on the Internet". Richard Power, Editorial Director of the Computer Security Institute, agrees: "The Internet will become a safer place through tort law, civil liability and exposure".
Thus, just as we live in a trust system in our real lives, we must accept the fact that trust, and not 100% guaranteed security systems, must be the basis of our virtual lives, and that firewalls and the rest will not protect us in what is essentially an open environment. But just as we lock our cars and shut our house windows before we go out so as not to "invite" unwanted guests, we can also take measures that make a breach of our Internet security more difficult, more problematic, for those who would do us harm.