I was recently involved in the process of evaluating a
possible Internet and system security problem for a local manufacturing
company. The company’s problems occurred shortly after it contracted with a
vendor to install a firewall system and upgrade its Internet access and LAN.

After several months of unexpected problems, rumors began to
fly. The company hired another vendor to assist, but even more problems
occurred. As a result, the organization terminated business with both vendors.

Deadlines came and went, and the general mood in the IT
department was reactive rather than proactive. In fact, the plague of Internet
and systems problems was affecting the entire company’s morale.

Due to layoffs, the company was already operating with a
bare-bones technical staff. When one of the IT staff turned in a resignation,
management became suspicious and sought the help of the company that I work
for. They wanted me to determine whether the problems were intentional sabotage
or if the vendor who sold and installed the equipment was responsible for the
mess.

It surprised me that no one seemed to think the problems
could be due to other factors. Fears of sabotage to computer systems seem to be
increasing—almost to the point where people consider sabotage as an excuse for
just about anything.

Rather than seek solutions to the problems, senior
management wanted to point fingers, and they wanted heads to roll. But after
our first meeting, I could tell that neither the vendor nor the ex-employee was
responsible for the real problems. In fact, the company’s problems were there
long before it started using the Internet.

While documenting the network, the first thing I noticed was
that Internet access was horribly slow. When I checked the new Cisco router and
Nokia firewall system running Checkpoint Firewall-1, I was shocked to find
there was literally no firewall protection—only simple network address
translation. This good firewall system was essentially doing nothing.

After firewalling service ports for NetBIOS and Microsoft
SQL, I found evidence of worms almost immediately. Junk saturated the network,
and I found at least a dozen Windows 2000 computers on the LAN infected with a
mixture of viruses.

When I looked further into the network, I found off-brand
equipment, UPS systems with “check battery” lights lit, and simple
5-port Ethernet hubs daisy-chained together. My favorite was a Windows 2000 server with
a power supply fan that wasn’t spinning. Management told me that the network
stopped several times a day, and someone had to reboot the machine.

The organization simply accepted this problem, since a
replacement power supply for the outdated, 8-year-old Compaq server would run
several hundred dollars. It wasn’t a big priority to the company, yet it
considered Internet access essential.

The real source of the problems was penny-pinching in the
wrong places. There were two executives who wanted to be able to use the
company e-mail server from home and an outside Web site consultant who wanted
to access the Microsoft SQL Server for the parts database, but the company
didn’t want to cover the cost of a VPN solution.

In the end, the company got exactly what it paid for.
Management purposely weakened Internet security to allow for exceptions to the
rules.

When it comes to Internet networking and security, there’s
no room for exceptions. Spend adequate time and money on Internet security and
computer systems in the beginning, and you’ll save your company from
experiencing—and paying for—future problems.

Miss an issue?

Check out the new Internet Security
Focus Archive, and catch up on the most recent editions of Jonathan
Yarden’s column.

Want more advice for
locking down your network? Stay on top of the latest security issues and
industry trends by automatically
signing up for our free Internet Security Focus newsletter, delivered each
Monday.

Jonathan Yarden is the
senior UNIX system administrator, network security manager, and senior software
architect for a regional ISP.