Have you ever had to explain how to protect a business in the Internet age to an intelligent person who is higher up on the corporate food chain than you?

Here’s how Deloitte & Touche security expert William Hugh Murray would do it.
William Hugh Murray is executive consultant in IS Security for Deloitte & Touche and the author of “An Introduction to Internet Security and Firewall Policies,” which appeared in E-Commerce Practitioner (2/99). We will feature the entire text of this article in the IT Manager Republic on June 1, by special arrangement with Auerbach Publications. To learn more about Auerbach Publications, click here .
Your organization can take one of four basic positions on security, depending on the applications you’re using and the kinds of access the applications require.

Murray said these are:

  1. The paranoid position—Put your system in a box, disconnect it, and drop it in the river.
  2. The prudent position—Everything that is not explicitly authorized is implicitly forbidden. If you don’t expect it or anticipate it, you prevent it.
  3. The permissive policy—Everything that is not explicitly forbidden is implicitly permitted. In that case, you hope you can come up with a relatively short list of things you want to forbid, and that the list will leave you with a relatively safe position.
  4. The promiscuous position—Not only does everything go, but there is not a control in place that you could use to stop it even if you wanted to.

“You might ask why anybody would want to be in positions one or four,” Murray said. “For years and years, [the paranoid position] was the default position of business. We connected to explicit points that we already knew about, but we certainly didn’t connect it to the Internet because it was simply too hostile.”

The other extreme, the promiscuous position, is the fundamental position of the Internet, according to Murray. The Internet is encumbered by firewalls, which disrupt the “mesh-connected network” it was designed to be, with various random and multiple paths between any two points.

Address vulnerabilities
While applications interact via ports, the Internet is about addresses, the security expert explained. An address on the Internet can be anything. It can be any device, such as a mainframe, firewall, or a personal PC.

By convention, certain ports are associated with certain applications. So an FTP port is associated with FTP; mail ports with mail applications. But all the Internet sees is a device, and it doesn’t care about its ports, particularly as the standard conventions give way to chaos at the higher port numbers.

When a device manager opens a port with an IP address and expects a particular protocol to be used with that port, that port will accept anything that comes to it with the correct protocol.

“The assumption, of course, is that I trust that IP address,” Murray said. “It may belong to me or it may belong to a favored trading partner and I know what the address is, and therefore I trust it.”

IP addresses are not reliable, he said, so if someone can figure out the address of the port, they can generate their own traffic that appears as though it came from a trusted source.

Enter the Trojan horse
“The most fundamental problem is that if you’ve got any ports open on your firewall and accept any protocols, I may in fact be able to tunnel through that port,” Murray said.

“This goes back to the original story of the Trojan horse. What was the role of the warriors inside the horse?” he asks. “Their job was to open the gate.

“Now what that demonstrates is that perimeter defenses do not work very well when the adversary has his agents on the inside of the perimeter,” Murray said, adding that a sympathetic user or unknowing dupe can serve the same role as an enemy agent.

Experts in attacks and penetrations of firewalls tell him that all they have to do is send an e-mail and attachment with a provocative subject to someone inside the firewall, and curiosity gets the best of them.

“I all but own you,” Murray said, if he were the attacker.

The unsuspecting dupe on the inside of the firewall executes a program like Back Orifice when they click on the attachment, completing the inside end of a tunnel through a port in the firewall.

Back Orifice is a covert program the dupe will not see, but it allows the hacker on the outside of the firewall to control the dupe’s computer to the hacker’s own ends.

“You’ve got a vulnerability created simply by the fact that you’ve got one port open to do one protocol to one other known and specified address, and it is still possible for somebody to exploit it, particularly if he’s got a sympathizer or a dupe on the inside of your firewall,” Murray said.

The Tower of London
Is there nothing a company can do to protect its applications and data, yet still be connected to the outside world?

Murray said what companies need to do is strike a balance between the level of service they want to provide and the risk they want to take. There are ways, if a company wants, to do both.

“Everything I needed to know about security I learned at the Tower of London,” he said.

Murray explained that after the Battle of Hastings in 1066, William the Conqueror became king and built a tower in London known as The Keep. It had slotted windows as its main form of defense because it is hard to shoot into small openings, but it’s easy to shoot out.

Fearful that catapults would knock his tower down, the king constructed concentric rings of walls, farther and farther away from the tower. Of course, he said, you have to keep manning the walls and gates to keep people from tunneling under the walls or attacking through the gates.

“Simply compromising the outer wall, which was much easier to do because it was much longer, didn’t get you into The Keep because there were still inner walls to protect The Keep,” he said.

“You keep pushing the walls farther and farther out, recognizing that the farther out the wall is, the more vulnerable it is going to be and the more people are on the inside of it,” Murray said. “You keep pushing the resources farther and farther in and putting rims around the resources so there isn’t anybody on the inside.”

The Keep is your network’s final firewall
Now take the Tower of London metaphor to the modern world and your computer network.

Murray uses the example of an automobile manufacturer with 600,000 employees already within the outer wall of the company’s network. The thing to do is to place firewalls between these employees and the company’s sensitive applications.

There will be access through these innermost firewalls, but it will be restricted from the outside—and from within.

“Guess what? There aren’t any people behind that fire door who are permitted to open it from the inside,” Murray said. “The only place to open it is from the outside, and in order to do that you have to have the key.”
Security experts like William Hugh Murray talk about concentric circles of protection with ever-stronger firewalls. Does your business have this same firewall policy, or have you adopted a different strategy? Post a comment below or send us a note.