A preoccupation with firewalls is diverting attention and resources away from the more important issue of locking systems down, according to an expert.
Computer security researcher at the San Diego Supercomputing Center (SDSC), Abe Singer said companies can spend 90 percent of their security efforts on firewalls and not much of anything else. "I'm not saying firewalls are completely irrelevant, but how much effort do you spend on security?" Singer asked. "Do security at the host, not just the perimeter. You should be worried about what users are doing, because if an attacker is going through the perimeter [without secure hosts] then it's game over."
Speaking at the Australian Unix and open systems user group (AUUG), Singer prides himself on the claim that the SDSC has gone four years without a root-level intrusion to its systems - without using a firewall. "At the SDSC we don't use a firewall, it's not feasible," he said. "Since we have to secure hosts individually if we had a firewall it would be so open it would be useless."
Singer said there is a perception that a firewall is a must-have. He cited Visa's server requirements for online merchants which stated they must have a firewall, but did not specify any configuration details. "Too much of the security budget is being spent on firewalls which also get too much attention [and] it's also 'cool' to have a new firewall to play with," he said, adding that other appliances like intrusion detection and prevention systems are an extension of the same idea.
"People are attracted to the idea that security can be bought [and] it's hard to differentiate between marketing hype and reality," he said. "We have a known 'good' config and when we find something is bad it's consistently fixed."
Singer is adamant that intrusion will not be stopped by a firewall and attackers have used Trojan SSH clients to steal user names and passwords. Other practices Singer recommends include not running services you don't need, for example, services that are only required internally don't need to be external.
"You really need to think through your processes [and] relying on a firewall means you're probably doing security wrong," he said. "Surveys have shown that 60 percent of security breaches are internal but 70 percent of people are worried about hackers on the outside. Internal breaches are worse, because someone has a level of access and knows where the assets are. If an attacker was really looking at compromising a company's assets he or she would get a job in the mail room."