What a firewall is and what it does are widely known to technophiles and technophobes alike. The purpose of a firewall has been burned into the head of just about every person who uses the Internet, and the thought of functioning without protection from the bad people is sheer lunacy.
However, nearly all firewalls are unidirectional. They may protect you from nefarious pokes and prods from the nether regions of the Internet, but they'll happily ship out any data you send from the inside. Only at the higher levels of enterprise IT do you see active filters for data leaving the network.
Of course, I'm not talking about facilities that prevent access to certain websites based on content or filters that block peer-to-peer applications. I'm talking about devices that actively block or issue alerts when anomalous data is passed through the firewall from internal hosts. For instance, it's unlikely that anyone working in engineering and design firms in Peru would send lots of data to Chinese sites. If a filter or network traffic monitor had spotted this unusual activity, it's possible those firms wouldn't have lost tens of thousands of blueprints to an unknown Chinese organization. But their firewalls blithely allowed sensitive information to escape.
We're in a place now, technologically, that's fueling an uprising of internal threats -- not just from viruses and whatnot, but espionage. There's been some recent concern that computer hardware produced in foreign countries may contain Trojans burned into the chips, allowing anything from remote control of sensitive devices to keylogging or providing a wider backdoor into the network.
Make what you will of this claim, but don't think for a minute it's not possible. The fact these allegations are in dispute does not detract from the certainty that what they describe is technologically feasible. The only way to fight this kind of deep intrusion is by carefully inspecting what leaves the network. I bet the vast majority of the corporate infrastructures in place today have little to no visibility of this kind, and the people using them may not even realize the threat.
But how does one gain control over outbound traffic? Locking down the inside of your firewall at Layer 4 does next to nothing to prevent data leaks, even if you explicitly block IP ranges belonging to foreign countries or competitors. Creating and maintaining such a blacklist is a fool's errand, as it's trivial for a data collector for a German-based bad actor to work from within the United States, running on a cheap VPS somewhere near Los Angeles. As the United Kingdom has discovered, IP blacklists are essentially useless.
The only way to truly get a handle on this is by using deep packet inspection and peering into every packet as it heads out of the network. Devices such as NIKSUN's NetDetector do exactly this, and they can be configured to send out notifications when passing traffic matches certain patterns, contains certain files, or even contains specific text strings. Naturally, the use of heavy encryption can evade some of these triggers, but if suddenly there's a flurry of encrypted traffic heading to an unknown IP address in Guam, it might bear closer inspection. You can immediately identify the internal source, since you have the packet stream in its entirety.
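The kind of egress check the paragraph above describes, written here as an added example that is not part of the original column or of any NIKSUN product: it learns each internal host's usual destinations from constructed flow records, then flags a large upload to a never-seen address and a flurry of encrypted flows to unknown destinations, naming the internal source host each time. All hosts, addresses, byte counts and thresholds are constructed for the demonstration.

```python
from collections import defaultdict, namedtuple
# ts = seconds, src = internal host, dst = external address, tls = encrypted payload
Flow = namedtuple("Flow", "ts src dst bytes_out tls")

# Constructed baseline: the destinations each internal host normally talks to.
BASELINE = [
    Flow(100, "10.0.0.5", "192.0.2.10", 20000, True),
    Flow(200, "10.0.0.5", "192.0.2.11", 15000, False),
    Flow(300, "10.0.0.7", "192.0.2.10", 18000, True),
    Flow(400, "10.0.0.7", "192.0.2.12", 22000, True),
]
# Constructed recent flows: one host starts a flurry of encrypted transfers
# to an address no host on the network has contacted before.
RECENT = [
    Flow(1000, "10.0.0.7", "192.0.2.10", 21000, True),    # known dst, normal
    Flow(1000, "10.0.0.5", "203.0.113.9", 500000, True),  # large upload, new dst
    Flow(1030, "10.0.0.5", "203.0.113.9", 400, True),
    Flow(1060, "10.0.0.5", "203.0.113.9", 400, True),
    Flow(1090, "10.0.0.5", "203.0.113.9", 400, True),
    Flow(1150, "10.0.0.7", "198.51.100.4", 3000, False),  # new dst, small, plaintext
]

def learn_baseline(flows):
    """Per internal host: destinations seen and the byte count of each flow."""
    dests, volume = defaultdict(set), defaultdict(list)
    for f in flows:
        dests[f.src].add(f.dst)
        volume[f.src].append(f.bytes_out)
    return dests, volume

def detect(baseline, recent, window=300, burst=4, factor=10):
    """Alert on a never-seen destination receiving more than `factor` times the host's
    average flow, and on `burst` TLS flows to never-seen destinations within `window` s."""
    dests, volume = baseline
    alerts, enc_new = [], defaultdict(list)  # enc_new: host -> [(ts, dst)] for TLS to new dsts
    for f in sorted(recent, key=lambda f: f.ts):
        if f.dst in dests[f.src]:
            continue  # destination is already part of this host's baseline
        avg = sum(volume[f.src]) / max(len(volume[f.src]), 1)  # no history -> avg 0
        if f.bytes_out > factor * avg:
            alerts.append((f.src, "large transfer to new destination", f.dst))
        if f.tls:
            enc_new[f.src].append((f.ts, f.dst))
    for host, seen in enc_new.items():  # seen is time-ordered because recent was sorted
        for i in range(len(seen) - burst + 1):
            if seen[i + burst - 1][0] - seen[i][0] <= window:
                dsts = ",".join(sorted({d for _, d in seen[i:i + burst]}))
                alerts.append((host, "encrypted burst to unknown destinations", dsts))
                break
    return alerts
```

The known-destination flow and the small plaintext flow to a new address produce no alert; only the host behind the flurry does, which is the internal source the paragraph says you can identify from the full packet stream.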
This material is original from:
http://www.infoworld.com/d/data-center/the-firewall-threat-you-dont-know-196161