BOSTON -- For years, infosec experts have called the firewall a critical ingredient to security, whether it's in a large enterprise or on a home PC. But the San Diego Supercomputer Center (SDSC) has defied that logic with what some would consider surprising success.
Abe Singer, computer security manager for the SDSC's Security Technologies Group, explained how companies can maintain strong firewall-free security at the 2006 USENIX Annual Technical Conference Thursday. He has also produced a presentation (.pdf) on the subject.
Singer said there's a "horrible truth" about firewalls: they have performance problems, are vulnerable to cascade failures and changing one rule on the network can open up a security hole someplace else. He said a fellow IT professional once conducted a routine firewall test and found several ports wide open. But perhaps the biggest problem of all is that users inside the firewall can't be trusted.
"Firewalls can't protect you from what users are doing inside the company," Singer said. "If I want to steal from a bank, I won't try to punch through their firewall. I'll get a job in the mailroom."
Some might ask why the SDSC doesn't use a firewall anyway for one more layer of security. For one thing, Singer said, the security infrastructure in place works well enough without one. A firewall would also be more trouble than it's worth in an environment that needs to be open; supercomputing resources are used for scientific research that often requires the use of ports that would otherwise be blocked.
He said a firewall that allows traffic through on every port provides no protection whatsoever, while one that doesn't allow any traffic through will probably protect against external attacks but not much else. "A firewall has to allow some traffic through, and if the machine receiving the traffic behind the firewall has a vulnerability, it can be compromised," Singer said.
Six years, one attack
The SDSC has suffered only one security incident in a period of almost six years. That's a pretty good record for an organization with thousands of machines and more than 6,000 users worldwide, Singer said. Of those 6,000 users, only about 300 are on-site. The rest are at other institutions around the world.
Its one recent compromise occurred two years ago, when a 16-year-old hacker used software on a hijacked machine to sniff out passwords and other login data. Eventually, the hijacked computer spotted someone logging into the SDSC network and the hacker was able to follow suit.
During a log check, he was caught traveling around the network looking for machines to exploit. He found a few machines to compromise that had been patched but not yet rebooted. The compromise turned out to be part of a larger operation spanning a number of institutions.
In this attack, a firewall would have made no difference, Singer said.
"The intruder came in the way a trusted user came in and they were indistinguishable to the system," Singer said. "A firewall wouldn't have blocked it. The intruder's behavior once he got in -- that's how we found him."
Singer said SDSC's approach to security reduced the scope of the compromise and helped it to recover more quickly than some of the other organizations that were affected.
Keys to a firewall-free defense
The security approach Singer credits for blunting the scope of that attack is host-based and includes the following criteria:
- Knowing the computing environment;
- Having a centralized configuration management system;
- Implementing regular and frequent patching; and
- Maintaining strong authentication, which includes a strict ban on plaintext passwords.
"The most publicized compromises -- especially worms -- have taken advantage of vulnerabilities for which patches were already available, in some cases for months or years," he said. "Aggressive patching could probably solve 90% of most companies' security problems."
Singer said a ban on plaintext passwords is particularly important in SDSC's environment. The policy states that no authentication protocols using plaintext passwords or other secrets that can be intercepted and reused can pass between SDSC's trusted networks and other networks, he said.
For privileged access, the user must explain why they need the access and sign an acceptable-use agreement that is also signed by their supervisor. "The root password is only given out where absolutely necessary, such as to people who need to log in to a system console during [an] installation process," he said.
More on firewalls
Don't fall for the myth
Singer knows there are security professionals who think his no-firewall approach is nuts. But he argued that enterprises can rely too heavily on firewalls, often to the point of absurdity.
"The myth that a firewall is necessary for effective network security is so prevalent that many believe you are doing something wrong if you don't have one," he said. The problem, he added, is that firewalls offer a false sense of security.
"I was helping a private research lab construct a comprehensive security plan, which focused on infrastructure protection, and they hired a new CTO who informed us that he wanted a firewall because whenever he discussed security with his peers at other organizations, they were incredulous that he did not have one and he felt his reputation was suffering as a result," Singer said.
At a staff meeting some time later, Singer said the CTO announced that the organization was now secure because they had a firewall. "They weren't, and some of the staff called him on it," Singer said.
When firewalls are useful
While SDSC gets along fine without one, Singer said there are instances where he believes firewalls are useful. But while most organizations spend more than 90% of their time and money on firewalls, it should probably be less than 5%.
"Firewalls can provide an extra layer of protection, provided you know what you are protecting against," he said. "Some people say that firewalls are for machines that can't protect themselves, such as printers and maybe Windows machines."
Singer admitted that the SDSC has dabbled with firewalls in some instances, most notably one that allows outbound connections but no inbound.
"The firewall may reduce [some] exposure, and it provides us with a choke point to monitor and block misbehaving machines from attacking the rest of our network."
But in the end, he doesn't see firewalls being used in place of the host-based security that has served SDSC so well over the years.