By Jonathan Yarden
I was once involved in the process of evaluating a possible Internet and system security problem for a local manufacturing company. The company's problems occurred shortly after it contracted with a vendor to install a firewall system and upgrade its Internet access and LAN.
After several months of unexpected problems, rumors began to fly. The company hired another vendor to assist, but even more problems occurred. As a result, the organization terminated business with both vendors.
Deadlines came and went, and the general mood in the IT department was reactive rather than proactive. In fact, the plague of Internet and systems problems was affecting the entire company's morale.
Due to layoffs, the company was already operating with a bare-bones technical staff. When one of the IT staff turned in a resignation, management became suspicious and sought the help of the company that I work for. They wanted me to determine whether the problems were intentional sabotage or whether the vendor who sold and installed the equipment was responsible for the mess.
It surprised me that no one seemed to think the problems could be due to other factors. Fears of sabotage to computer systems seem to be increasing—almost to the point where people consider sabotage as an excuse for just about anything.
Rather than seek solutions to the problems, senior management wanted to point fingers, and they wanted heads to roll. But after our first meeting, I could tell that neither the vendor nor the ex-employee was responsible for the real problems. In fact, the company's problems were there long before it started using the Internet.
While documenting the network, the first thing I noticed was that Internet access was horribly slow. When I checked the new Cisco router and Nokia firewall system running Check Point FireWall-1, I was shocked to find there was literally no firewall protection—only simple network address translation. This good firewall system was essentially doing nothing.
After firewalling service ports for NetBIOS and Microsoft SQL, I found evidence of worms almost immediately. Junk saturated the network, and I found at least a dozen Windows 2000 computers on the LAN infected with a mix of viruses.
When I looked further into the network, I found off-brand equipment, UPS systems with "check battery" lights lit, and simple 5-port Ethernet hubs daisy-chained together. My favorite was a W2K server with a power supply fan that wasn't spinning. Management told me that the network stopped several times a day, and someone had to reboot the machine.
The organization simply accepted this problem, since a replacement power supply for the outdated, 8-year-old Compaq server was several hundred dollars. It wasn't a big priority to the company, yet it considered Internet access essential.
The real source of the problems was penny-pinching in the wrong place. There were two executives who wanted to be able to use the company e-mail server from home and an outside Web site consultant who wanted to access the Microsoft SQL Server for the parts database, but the company didn't want to cover the cost of a VPN solution.
In the end, the company got exactly what it paid for. Management purposely weakened Internet security to allow for exceptions to the rules.
When it comes to Internet networking and security, there's no room for exceptions. Spend adequate time and money on Internet security and computer systems in the beginning, and you'll save your company from experiencing—and paying for—some future problems.
Jonathan Yarden is the senior UNIX system administrator, network security manager, and senior software architect for a regional ISP.