Friday, July 13, 2012

Between a firewall and a hard place


Primer

A computer's firewall is a security program that limits communications with the world outside of the computer. Much as its namesake in a vehicle separates and protects the passenger compartment  from the  engine compartment's dangerous heat and moving parts, a computer's firewall aims to secure and separate it from dangerous communications that carry parasitic and destructive elements such as viruses, worms, and trojan horses. 


Many computer security products include a software firewall in addition to antivirus and other tools. Simply put, it consists of an engine to analyze communications against a list of rules.

The issue

A personal computer's landscape is expected to change over time. New programs and capabilities are added, updates to existing programs are installed, or perhaps new staff members are assigned. [By the way, not all capabilities, programs, or staff members are equal. There are insecure capabilities and programs, as well as demon programs and demon users. Some become so tightly integrated into the fabric of a business that they are simply endured. There's an old saying about it being better to deal with known problems than trading them for someone else's.]

New threats also emerge, so many that signature-based antivirus is becoming overwhelmed, and when that happens a computer's performance can suffer. Cloud-based antivirus can help, but that's another issue.

Whether a computer's landscape changes, or the Internet changes, security requirements change also, and this affects a firewall in very fundamental ways.

Logically, then, disabling a firewall increases the attack surface of a computer, opening it to potentially unwanted communications from outside. This can be dangerous to both a computer's health and its owner's financial health. Incoming probes against a computer typically search for unsecured services and software vulnerabilities through which they can either infect or manipulate. Unwanted outgoing communications can be a parasite sending off confidential data, requests for instructions or targets, or to bring in additional, destructive software. So limiting outgoing (egress) communications has some distinct benefits if a computer happens to become infected.


A good firewall can provide a way to safely adjust to an evolving operating environment. When a new communication source is noted, a firewall can either deny it outright, or better yet ask for additional input to make a new rule (dynamic ruleset). The goal is to determine whether a trust should be established. Since the computer isn't smart enough to determine trust, a pop-up appears on the display asking for direction from the smarter operator.

The challenge: Common Sense


And so you would expect that the operator would be able to answer a simple question about trust. People are familiar enough with day to day operation of their computers that they could answer the question properly more than 8 out of 10 times. But the rub is that many firewalls don't allow the operator to answer the questions they pose. I'm reminded of the child who holds hands to his ears and shouts "I can't hear you!" over and over. And my answer to that is "why on earth did you ask if you aren't going to allow an answer? Yes, I talk to computers. Fortunately few talk back, but again I digress. 


It is summarily ridiculous to require that users also run at elevated levels (administrator accounts) in order to answer the firewall software's prompting for guidance. How many times have we been told that administrator accounts are far less secure for day-to-day operations? Are you listening ESET? Kaspersky? Productivity also suffers, and users, managers and small business owners quickly assume that the firewall is simply too annoying for prime time, and that IT may not know its business too well. Nobody likes to take a beating, and so the firewall is turned off, or user accounts are promoted just to avoid the annoyance. Both are bad situations. I promise, it happens in IT departments all over the world. 


This failure to interact with a normal user may be a technical limitation, but it would seem to my college-educated brain that it doesn't make sense for security products to effectively compromise security in the quest to create a protected environment. Perhaps it's just the natural selection process... bad products suffer when their designers make bad choices. And then again, maybe some of the blame for this should be laid at the feet of another entity that will be probably out of the consumer operating system industry, sooner as opposed to later. 

Alternatives

Because the purpose of a firewall is to impose limits on network communications, alternatives exist that will limit the attack surface of a computer or network to a list of safe Internet neighborhoods and companions. The fact that other layers of security can replace the firewall is a boon to IT people. Proxy servers, web filters, and DNS services such as OpenDNS can serve this purpose. While I still recommend use of firewall products, this last service in particular has done much to help keep my family safe from unwanted trips to the Internet wasteland, and gets my firm nod of approval.

No comments:

Post a Comment