From the April/May 2008 Issue
Deep-Penetration, a hacker’s nom de plume, had been to this network address before and she knew it well. The system was easy to access even with the low-end firewall installed on the router. Even if the firewall had blocked her ability to access the network, the person configuring the router/firewall hadn’t changed the default administrative password. She could have easily used this to access the network by simply looking in the User Manual on the manufacturer’s website.
The administrative password on the server was still the default password known to everyone, and no one installed Service Pack 2, which would have disabled the administrative account. It was easy pickings. Deep-Penetration had even figured out how to access the tax application that was installed directly on the machine she was using to connect to the internal network. She enjoyed looking at all the personal financial details.
On previous visits, she had found several high net worth clients who had more than one million dollars in income. This time, Deep-Penetration was back for a reason. She had seen a posting in a hacker forum saying that a hacker going by the name of ID-ME was paying $600 per name and matching social security number. Deep-Penetration was short on cash and figured selling some names and social security numbers to ID-ME would be a quick way to make some money without getting caught. She knew exactly where she could get at least 2,000 names and the matching social security numbers, and she was going to cash in. Think this is farfetched? Perhaps not as farfetched as it might seem!
I recently attended an AICPA Certified Information Technology Professional (CITP) networking event in Detroit. One of the topics was about whether the firewall that comes with your Internet router and/or computer is sufficient protection for an accounting firm.
This discussion made me think about the fact that many accountants may not understand this very important security prevention technique — what I like to equate to putting a dead bolt on the door. And they may not know if their firms are as prepared as the owners might assume. The scenario above identifies a lot of things that are wrong besides the firewall. However, these mistakes could very well be happening in a firm and no one knows it. With what seems like every vendor coming out with a firewall as part of their product offering, many people may think that they are over protected. Unfortunately, this idea lulls us into a false sense of security.
The Types of Firewalls
Good news! Firewalls only come in two basic designs: software-based and hardware-based. While each has its strengths and weaknesses, some basic things are designed into certain firewalls that make them more secure than others. We will talk about that aspect shortly, but first let’s make sure we are on the same page in terms of definitions.
A hardware-based firewall is a physical device that connects to your Internet router and sits between your local area network (the computers and servers that make up your technology environment) and the Internet. It allows traffic in and out between the local area network and the Internet based on the rules defined on the device. A hardware firewall generally stops traffic at the perimeter between the Internet and the internal network. It does not monitor the traffic on the internal network.
A software-based firewall is a firewall installed on a computer or server. It monitors the physical network connection of the computer as it connects to either the local area network or the Internet. It is also rules-based just like a hardware firewall. Generally, software-based firewalls are much more open because they have to communicate not only with the Internet but also with other computers in their networked environment.
The most common type of firewall is a software firewall. It is the type of firewall that almost every security software manufacturer seems to think we need to have installed on our computers. We have software firewalls from Microsoft built into the operating system, software firewalls bundled with our antivirus software, software firewalls with our antispyware solution, and firewalls installed by our ISP’s startup software.
With all the software firewalls, it is a miracle that we are able to connect to the network and Internet at all. And this is the exact reason that software firewalls generally do not function well for us. They are, by default, fully or mostly open in order to pass traffic back and forth without much configuration by the user. They do little to protect us.
Unless a user spends time configuring the firewall properly and making the default settings more restrictive, it is pretty much open season on a computer running a software firewall. In short, unless you take specific action to check and configure the firewall settings on your software firewall, do not assume that it is providing much protection.
This category of firewall is a device designed to be used as an intermediary between a local area network and the Internet. This type of firewall controls the traffic passing through it, preventing unauthorized traffic from entering the system and allowing authorized traffic through to the computers attached to the network.
Hardware firewalls generally have an Ethernet connection to the Internet and a second (or perhaps multiple) Ethernet connection(s) to the computers in the firm’s local area network. Because the hardware firewall is a specific device with two Ethernet ports that connect together to different network segments (Internet and local network), it monitors the activity between the two network types while the software firewall only monitors a network connection on a specific device.
Which is Better?
Because hardware firewalls provide a physical separation between the computer(s) on the local area network and the Internet, a hardware firewall is much better than a software firewall, which only monitors the network connection on the computer. Hardware and software firewalls generally are configured in two different ways:
- Either they block everything and require user input granting permission for the software program or activity to be allowed access to the Internet, or
- Everything is allowed in and out on the firewall unless the user specifically configures the firewall to lock down the system and prevent access to everything except that which is specifically allowed.
Software firewalls also have a secondary vulnerability. Should there be a security vulnerability on the computer where the software firewall is installed either within a piece of software or the operating system, the firewall can be bypassed using this vulnerability. The hacker now has access to the machine even though the software firewall is “monitoring” the connection.
Hardware firewalls are configured using the same two methods listed above; however, the high-end hardware firewalls follow option 1 configurations and specifically block everything unless it is allowed by the user. The hardware firewall’s physical separation of network segments makes it harder to bypass the firewall device and access the computers on the internal network segment. Hardware firewalls, since they are separate pieces of equipment, are not susceptible to software vulnerabilities on a computer. Network traffic must pass through the hardware firewall before it reaches a computer with a software vulnerability. This provides a much higher level of protection to the internal network.
In our next issue (June/July), I will finish the story about Deep-Penetration and what happened with the information she obtained from the unknowing firm. And along the way to finishing the story, we will examine which firewalls should be used in accounting firms and which firewalls should be avoided.