Tuesday, December 27, 2011

How many firewalls are enough?

Pretty much every company in the world places at least one firewall at the edge of its network to protect its internal resources. There were dark times when a simple router was all we had and we exposed all of our computers to the internet without any protection, but now that hardware and software have come down in price, a new question comes to the table: how many firewalls are enough?

On one hand, you can take some old computer that’s too slow for modern desktop operating systems, install a Linux-based firewall on it, and you’ve got yourself a firewall at a cost close to zero. Many people think that thicker armor stops more missiles and would take advantage of the cheap options to build a network with multiple layers of firewalls. Is more really better? Not always!

The thing about quantity is that it rarely trumps quality. Even in the simple example of a tank with multiple layers of armor, this is not the case. Sure, a tank with 15 layers of steel would be harder to penetrate than one with 14 layers, but the extra layers also make the tank heavy. The added weight makes it slower to move and maneuver, and limits the distance it can travel and the terrain it can drive on.

In the case of network security, adding more layers can make it harder for an attacker to get through, but the more complex configuration makes it more likely that something gets overlooked or misconfigured. For example, if you put 6 different firewalls in the mix, you’re probably not an expert on each and every one of them. Perhaps one of them has a built-in remote-access option that you forgot to protect or disable? Perhaps one has a lesser-known vulnerability that you were not aware of and forgot to patch? Perhaps updating the various firewalls will be hard because of limitations on their internet connections?

A common term in my world is “security by obscurity”, referring to hiding some component in the hope that if it’s hidden well enough, it’s less likely to be attacked. The same concept applies, however, to bugs and issues: the more complicated the environment, the harder it is for us to see the issues it may be harboring.

Unfortunately, there’s no simple answer to the age-old question of how much is enough and how much is too much. The answer depends on your own exposure: the profile of the data that needs to flow in and out, and the public profile that makes your organization a prime target or a lesser one. If you’re a small company that’s just publishing a simple website, a single firewall is very likely all you need. If you’re a multimillion-dollar corporation with tons of public services, then it’s probably a good idea to have more.

If you were expecting a simple numerical answer, then I’m afraid I’m going to disappoint you. I’m here to remind you of the considerations, pro and con, for each option. Your own mileage may vary, but one thing is simple to note: if your configuration is so complicated that even you can’t easily explain where a packet is going and where it got lost, then it’s probably too complicated to be reliable.
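That last test, being able to say where a packet goes and where it gets dropped, can be made mechanical. What follows is an added example in Python, not code from the original post: it models each firewall as an ordered, first-match ruleset guarding one or more networks, traces a packet through the chain and reports which layer and rule decided its fate, and flags rules that can never fire because an earlier rule in the same layer already covers them, the kind of misconfiguration that multiplies with every extra layer. The two-layer sample policy, the addresses and the rule comments are all constructed for illustration.

```python
"""Trace a packet through chained firewall layers and flag shadowed rules.

Added example, not code from the original post. Each firewall is modelled as
an ordered, first-match ruleset guarding one or more networks; a packet is
checked against every layer that sits between its source and destination.
The sample policies, addresses and rule comments are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str     # source IPv4 address
    dst: str     # destination IPv4 address
    proto: str   # "tcp" or "udp"
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    action: str                              # "allow" or "deny"
    src: str = "0.0.0.0/0"                   # source network (CIDR)
    dst: str = "0.0.0.0/0"                   # destination network (CIDR)
    proto: str = "any"                       # "tcp", "udp" or "any"
    ports: Optional[Tuple[int, int]] = None  # inclusive dport range; None = any
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and (self.ports is None
                     or self.ports[0] <= p.dport <= self.ports[1]))

    def covers(self, other: "Rule") -> bool:
        """True if every packet matched by `other` is also matched by `self`."""
        return (ip_network(other.src).subnet_of(ip_network(self.src))
                and ip_network(other.dst).subnet_of(ip_network(self.dst))
                and self.proto in ("any", other.proto)
                and (self.ports is None
                     or (other.ports is not None
                         and self.ports[0] <= other.ports[0]
                         and other.ports[1] <= self.ports[1])))


@dataclass
class Layer:
    name: str
    rules: List[Rule]
    protects: List[str]      # networks behind this firewall
    default: str = "deny"    # action when no rule matches

    def _inside(self, ip: str) -> bool:
        return any(ip_address(ip) in ip_network(n) for n in self.protects)

    def applies_to(self, p: Packet) -> bool:
        # Only traffic entering the protected side crosses this firewall.
        return self._inside(p.dst) and not self._inside(p.src)


def trace(p: Packet, chain: List[Layer]) -> Tuple[str, List[str]]:
    """Return (verdict, path): which layer and rule decided the packet's fate."""
    path: List[str] = []
    for layer in chain:
        if not layer.applies_to(p):
            continue
        for i, rule in enumerate(layer.rules, 1):
            if rule.matches(p):
                path.append(f"{layer.name}: rule {i} {rule.action} ({rule.comment})")
                if rule.action == "deny":
                    return "deny", path
                break
        else:  # no rule matched in this layer
            path.append(f"{layer.name}: no match, default {layer.default}")
            if layer.default == "deny":
                return "deny", path
    return "allow", path


def shadowed_rules(layer: Layer) -> List[int]:
    """1-based positions of rules that can never fire: an earlier rule covers them."""
    return [i + 1 for i, rule in enumerate(layer.rules)
            if any(earlier.covers(rule) for earlier in layer.rules[:i])]


# Constructed sample: an edge firewall in front of a DMZ (203.0.113.0/24) and
# the LAN (10.0.0.0/8), plus an internal firewall in front of the LAN only.
EDGE = Layer("edge", [
    Rule("allow", dst="203.0.113.0/24", proto="tcp", ports=(443, 443), comment="public HTTPS"),
    Rule("allow", dst="203.0.113.0/24", proto="tcp", ports=(80, 80), comment="public HTTP"),
    Rule("allow", dst="203.0.113.1/32", proto="tcp", ports=(8443, 8443), comment="vendor remote-management port"),
    Rule("deny", comment="default deny"),
], protects=["203.0.113.0/24", "10.0.0.0/8"])

INTERNAL = Layer("internal", [
    Rule("allow", src="203.0.113.0/24", dst="10.0.1.0/24", proto="tcp", ports=(5432, 5432), comment="web tier to database"),
    Rule("deny", dst="10.0.0.0/8", comment="block everything else into the LAN"),
    Rule("allow", src="203.0.113.50/32", dst="10.0.1.0/24", proto="tcp", ports=(22, 22), comment="jump host SSH to database"),
], protects=["10.0.0.0/8"])

CHAIN = [EDGE, INTERNAL]


if __name__ == "__main__":
    for pkt in (Packet("198.51.100.7", "203.0.113.10", "tcp", 443),
                Packet("198.51.100.7", "10.0.1.5", "tcp", 5432),
                Packet("203.0.113.10", "10.0.1.5", "tcp", 5432),
                Packet("203.0.113.50", "10.0.1.5", "tcp", 22)):
        verdict, path = trace(pkt, CHAIN)
        print(f"{pkt.src} -> {pkt.dst}:{pkt.dport}/{pkt.proto}: {verdict} via {' | '.join(path)}")
    for layer in CHAIN:
        print(f"{layer.name}: shadowed rules {shadowed_rules(layer)}")
```

Running it shows the jump-host SSH rule on the internal firewall is dead: the broad deny above it already covers it, so the admin access someone thinks they granted never works, and nobody notices until an outage. The trace also makes the edge firewall's vendor management rule visible as reachable from the internet, which is exactly the kind of forgotten remote-access path worth reviewing. Real firewalls add state, NAT and zone semantics that this model ignores, but the exercise of enumerating every layer a packet crosses is the same.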

Sunday, March 13, 2011

Recipe for disaster

Disaster recovery is one of the most important aspects of a security officer’s work. It even has its own domain in the ISC2 CBK (Business Continuity and Disaster Recovery Planning). With recent disasters like the 8.9 magnitude earthquake in Japan, other aspects of disaster recovery come to mind.

The information security officer has plenty of tools for disaster recovery at his disposal: backups, hot/cold sites and off-site storage, among others. With sufficient budget and training, a company can live through a disaster and resume work very rapidly, as was demonstrated well during the September 11 events in New York City.

The other aspect of this is that while the operations and security teams are busy trying to reestablish the company’s operations and IT, most companies forget that the disaster site, although dysfunctional, typically still holds all of the company’s assets. In the case of the World Trade Center towers, everything was buried under tons of dust and rubble, but other disasters may leave sensitive equipment or data exposed. A building that has been flooded may be unusable, and the computers in it may be completely destroyed, but their hard drives may be intact. Backup tapes or optical media are also likely to withstand such an event, especially if they are inside a fireproof vault. This could be a golden opportunity for infiltrators to come in and grab something. Naturally, it may be hard or dangerous to try this sort of stunt, but the kind of financial gain to be made has been known to drive certain people to take risks. You and I probably won’t, but it takes only one crazy bastard to compromise a lot of secure information.

In addition to the above, even companies that have nothing to do with the disaster and haven’t been harmed at all (or only a little) are at risk, because with any large-scale disaster the entire country can plunge into chaos. In Japan, many companies have not been harmed but have been completely deserted, as employees left to attend to their families and loved ones. This is perfectly understandable, but the result is low-hanging fruit for any cracker. The police are typically concerned with the street-level looting going on, but we in information security need to think about data looting too.

Naturally, the physical security domain in the CBK deals with protecting the workplace from physical harm, though it mostly covers day-to-day threats like burglary, fire and flood. When something as large as an earthquake or missile bombing comes into play, many of these measures will collapse. With proper planning, at least some of this may be mitigated. For example, your sensitive servers may be properly locked away in a server room, but that room may not be secure enough to withstand someone ramming it with a truck. Using secure cabinets instead of simple glass-door ones can provide an additional level of security. Using hard-disk encryption on servers and storage arrays, even though it is slow, can protect your data in case all hell breaks loose. You can’t physically secure all desktops, but using thin clients (or terminal services) for some or all employees can provide additional protection.

In addition to these, you should encourage your employees to refrain from storing sensitive data in the offices. This means avoiding printing sensitive information and making sure printouts are shredded in-house. Sensitive documents like employee or customer lists should be stored in a secure room or vault. Backup tapes and other media should be stored in a vault. When using such a vault, remember that it still needs to be secure, so don’t leave it unlocked or the key too easy to find (many companies open the vault in the morning and leave it open throughout the workday… ah…).

And lastly, when creating your disaster plan master policy, make sure to assign guards to the destroyed facility. You may find, in reality, that all your guards have disappeared, but if you prepare well enough, even a single guard will be more effective than none…