Trust but verify
- 13 February, 2001 01:06
Firewalls are guard dogs in a box, designed to resist brute-force attacks, foil hackers and generally police everything going in and out of networks. It's hard not to rely on them. But it's also easy to overestimate their importance in any enterprise security arsenal.
Firewalls can't go it alone. "What we do is a balancing act," says John Lucich, international president of the High-Tech Crime Network, a West Caldwell, N.J.-based computerized network of law enforcement agencies from 15 countries. The amount of money spent on security products must be balanced against the worth of what's being protected, and most organizations aren't Fort Knox, says Lucich.
Firewalls are part of a greater network and security infrastructure, which itself derives from a meticulous, well-documented security plan. Security experts are the guardians of that network, the kind of people who wake up at night in a cold sweat, wondering if the firewalls are blocking what they should. Their jobs require a lot of intense hours, because networks are constantly changing.
Security experts are scarce and expensive, so outsourcing provides an affordable way to benefit from such talent. Outsourcers also configure and maintain equipment and buy in bulk, saving their customers money. Finally, outsourced firewalls are often a good step to value-added monitoring services, which are also offered by outsourcers. Outsourcing companies can not only maintain firewalls and prevent attacks on corporate networks, but they can also see when those networks are being attacked and take the necessary steps to block the attackers.
Economics of Outsourcing
Firewalls are designed to prevent unauthorized access to or from a company's network. They monitor everything that comes in or goes out, often at the packet, application or circuit level of the network, or by using a proxy server to disguise IP addresses. But they're expensive. For companies that want to install one in-house, a new firewall costs US$15,000 to $30,000 or more, depending on licensing fees and whether it's a hardware firewall (also known as a network appliance), a software firewall or, more often than not, a combination of both. Hardware firewalls are less expensive because the software version requires powerful additional servers on which to run.
To set up and run the firewall and manage security, a company needs to hire a security expert. That expert earns $80,000 to $100,000 per year and requires ongoing training. And more than one person is required to run around-the-clock monitoring and response. The three-year cost of a firewall and just one expert to run it would be at least $255,000.
By contrast, it usually costs $1,000 to $3,000 per month plus a set-up fee (often equal to the monthly rate) to outsource a firewall. When it comes to network architecture, firewalls don't have to be next to the servers they're protecting. So even if a company has its servers located elsewhere, a vendor can care for and maintain the firewalls. What's needed is communication between the company and the outsourcer about keeping servers configured correctly and noticing changes in users who access the network.
There are immediate benefits to outsourcing: there are no steep purchase costs, the client doesn't have to install or maintain the firewall and it frees network technicians to keep the network running. Many outsourcing companies will also do some on-the-job security training for the technicians, so they're kept aware of security issues. Thus the three-year cost could be $120,000, or less than half of the do-it-yourself option.
"Outsourcing is a way to save money - big time - and a way to get expertise quickly and deploy it quickly," says Lucich. According to The Yankee Group in Boston, start-up costs for in-house security often exceed companies' estimates, easily approaching six figures for a 500- to 1,000-node, 10- to 20-site network.
Kurt Ziegler, president of Web monitoring software company eBSure Inc. in Dallas and former vice president of product security at Computer Associates International Inc., says he opted for outsourcing a year ago because it made sense financially and didn't require hiring and training a security manager. In addition, he had to demonstrate exactly how secure his company was to clients who use his products to measure user behavior on their Web sites. Logs of users' activities are sent back to eBSure, which analyzes them and passes the results on to clients. So enormous numbers of logs have to flow in past the firewalls, while malicious data must be blocked.
Firewalls aren't network security silver bullets, however. Without a meticulous, well-documented security plan and a good overall infrastructure, firewalls merely provide the illusion of security. As an example of what not to do, Lucich says he was recently brought in to assess the security at a $2 billion company that had a $2,500-per-month contract with an Internet service provider to maintain a firewall on the company's front door, which controlled everything that got in or out of the networks. But he found more than 12 back-door vulnerabilities - things such as open ports and misconfigured routers. Anyone trying to break into a site typically goes for the unsecured parts first; hence, the firewall wasn't doing the company any good. A little detective work found that beyond the firewall, the company's security regimen was rather anemic. And, Lucich says, the service provider didn't wave any red flags to let the company know the limitations of a firewall-only approach.
Who takes the blame for such a lack of knowledge? Many companies are being led down the wrong path by vendors that claim to sell security but really sell only point products, says Lucich.
Ziegler agrees. When he accepted bids for securing his company and performing intrusion detection, he says, many vendors weren't looking for patterns - known holes in SMTP servers. "They were basically selling stopping a ping or someone coming in at the firewall level as if it was intrusion detection," he says.
Companies are learning. Mitch Hryckowian, senior director of security and infrastructure at Interliant Inc., an application service provider and hosting company in Purchase, N.Y., says that until recently, only 75 percent to 80 percent of customers would ask for a firewall. That has changed. "Now it's to the point where I don't know any customer that doesn't ask for a firewall," he says.
Outsourced firewalls can also be the foundation for security insurance or intrusion detection monitoring. Just as homeowners can contract with security companies to protect their house, so, too, can companies contract with monitoring services to watch their networks - routers, switches, firewalls, network traffic and such. "There is no one who can ever say you're 100 percent secure and can never get broken into," says Lucich. The goal is to manage risk and respond rapidly to minimize overall damage when break-ins do occur, he says.
Ziegler evaluated both outsourced firewall and intrusion detection providers and selected Riptech Inc. in Alexandria, Va., to handle firewalls and provide full-time monitoring to determine in real time when his network is under attack. "They were extremely price competitive with any other alternative," he says.
The benefit for Ziegler is that outsourcing provides more security muscle. "It just takes a rifle shot for someone to come in, and it's easy if you're focusing on the wrong areas," he says. Ziegler annually reassesses the decision to outsource, but so far his costs are less than having to hire a full-time security expert, he says.
When contracting to outsource firewalls or monitoring, the devil is in the details. Search for vendors that want to work with companies and not just sell goods, says Lucich. "When someone comes in and says they're going to secure you and they don't ask to see your policies and procedures, kick them out, because they don't have your best interests in mind," he says.
Ziegler hired an independent penetration testing company to initially test eBSure's site and has the company recheck it about every six months. "I feel that's the only way I can really validate the security and that the company we're hiring is actually consistent with the skill level of the penetrators," he says.
No company can really guarantee 100 percent security. "Anyone who guarantees that is a fool," says Ziegler, who acknowledges that eBSure has had "a couple of close ones" in the past year.
About six months ago, for instance, "some [commercial] software had gotten inside our house and was actually a Trojan horse sending data to somewhere else. And it was noticed by Riptech within four to five minutes of the time data was first going to a host other than ours," says Ziegler. The data was being sent to a server owned by Ashburn, Va.-based UUNet Technologies Inc.; UUNet was unaware of what was going on. A phone call cleared up the problem and started an investigative trail that led to the apprehension of the hacker.
For Ziegler, the incident proved the value of having a lot of security experts watching his network. "Riptech detected [the intrusion] and, immediately, we had a professional on the other end of the phone talking us through it," he says.
Sidebar: Outsourcing Advice
Companies can outsource part or all of their security infrastructure and monitoring to save money. But John Lucich, international president of the High-Tech Crime Network, recommends that companies proceed cautiously and advises them to take the following steps:
1 Realize that managing security is about managing risk. Break-ins will happen.
2 List and prioritize everything that must be secured, such as people, technology, facilities and knowledge potentially lost with employee turnover.
3 Write a thorough security policy.
4 Find the technology to implement and enforce the policy.
5 Think about outsourcing some or all security to save money. Firewalls are a good place to start.
6 Consider subscribing to intrusion detection monitoring services to monitor networks and respond to attacks in real time.
WORKING WITH VENDORS
1 Find vendors that ask to see the company's security policy before they make any recommendations.
2 Use established security players. Beware of hardware vendors that have recently relabeled themselves as security experts or intrusion detection firms.
3 Get references, no matter what. If vendors' customers are too security-conscious to talk, have them call you directly. Find out exactly how well the outsourcer has dealt with attacks against its customers.
4 Get the proposal in writing.
1 Penetration testing is expensive. To make sure the network really is secure, do penetration testing only after the outsourcer claims to have secured it.
2 Hire a third-party firm to do the initial penetration testing. Continue to get third-party penetration testing every six months.