July 9, 1997
By PETER WAYNER
The Problem With Firewalls
Robert Frost once said, "Before I built a wall I'd ask to know what I was walling in or walling out." Unfortunately, many system administrators who put up firewalls to protect their companies never really ask that question, and it's one reason why Internet security is so bad.
The problem isn't that firewalls don't work; they usually do. But relying on them lets security in the rest of the infrastructure atrophy. And when they are used as a prophylactic against operating system bugs, it's like putting a bandage on a leg with gangrene. Some of the latest attacks on Windows NT and Windows 95 security can punch right through firewalls.
Many people and corporate security officers don't really understand the limitations of firewalls. The boxes simply read the data going past them and block out packets that don't fit a narrow definition of what is acceptable. Unfortunately, defining what is acceptable is almost impossible to do.
For instance, a company may decide to allow people behind the firewall to browse the Web. This means that data coming from and going to distant servers must be able to slip through the firewall. This is usually done by giving free passage to all traffic destined for Port 80 on a distant machine.
Once a hole is there, it can be exploited. Anyone who is able to install a trojan virus inside the perimeter protected by the firewall can get information back out by simply disguising it as a form request to a distant URL. The firewall, seeing an HTTP request for port 80, lets it go right through.
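An added illustration, not part of Wayner's column: the port-based filter he describes sees only "TCP to port 80," but a proxy or web gateway that logs the method, destination host and request size has enough to notice the pattern the paragraph warns about. The log format, the log lines, the host names and the thresholds below are all constructed for this example.

```python
"""
Added example (not from the original column): a small detector that looks
past "port 80" at what outbound web requests actually carry.

A port-based firewall cannot tell an ordinary page fetch from a form
submission carrying something it should not.  A proxy log can: it records
the method, the destination host and the request-body size, which is
enough to flag an internal host repeatedly POSTing large bodies to a
destination nobody else in the organisation talks to.

Log format and all log lines below are constructed for this example.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed format: "<epoch> <client_ip> <method> <url> <request_bytes>"
SAMPLE_LOG = """\
868435200 10.1.2.20 GET  http://www.nytimes.com/ 0
868435201 10.1.2.20 GET  http://www.nytimes.com/images/logo.gif 0
868435260 10.1.2.44 POST http://www.search-engine.example/search 210
868435300 10.1.2.77 POST http://files.unknown-host.example/cgi-bin/form 51200
868435360 10.1.2.77 POST http://files.unknown-host.example/cgi-bin/form 49800
868435420 10.1.2.77 POST http://files.unknown-host.example/cgi-bin/form 52100
868435480 10.1.2.20 POST http://intranet-mirror.example/login 180
"""

# Hosts the organisation knowingly sends form data to (constructed allowlist).
KNOWN_POST_HOSTS = {"www.search-engine.example", "intranet-mirror.example"}

LARGE_BODY_BYTES = 16 * 1024   # a "form" this large is rarely a person typing
REPEAT_THRESHOLD = 3           # same client -> same unknown host this many times


def parse_line(line):
    """Return (ts, client, method, host, body_bytes), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, method, url, nbytes = parts
    host = urlsplit(url).hostname
    if host is None or not ts.isdigit() or not nbytes.isdigit():
        return None
    return int(ts), client, method.upper(), host, int(nbytes)


def find_suspicious_posts(log_text, known_hosts=KNOWN_POST_HOSTS):
    """Return a sorted list of (client, host, reason) findings.

    Two signals are used: a single POST with an unusually large body to a
    host outside the allowlist, and repeated POSTs from one client to the
    same unknown host.  Findings are de-duplicated per (client, host, reason).
    """
    findings = set()
    repeats = defaultdict(int)          # (client, host) -> POST count so far
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                    # skip malformed lines rather than crash
        _ts, client, method, host, nbytes = rec
        if method != "POST" or host in known_hosts:
            continue
        repeats[(client, host)] += 1
        if nbytes >= LARGE_BODY_BYTES:
            findings.add((client, host, "large-post-to-unknown-host"))
        if repeats[(client, host)] >= REPEAT_THRESHOLD:
            findings.add((client, host, "repeated-posts-to-unknown-host"))
    return sorted(findings)


if __name__ == "__main__":
    for client, host, reason in find_suspicious_posts(SAMPLE_LOG):
        print(f"{client} -> {host}: {reason}")
```

Run over the constructed log, the detector ignores the browsing traffic and the two POSTs to allowlisted hosts, and reports client 10.1.2.77 twice for the unknown host: once for the body size and once for the repetition. The thresholds are deliberately simple; the point is that the decision uses fields a port filter never sees.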
There is more and more pressure to punch holes through the firewall. People working at home have a need to access their data. New software uses more and different ports. Corporate security managers are caught between people in the office who want world-wide access and freedom of computation and those who want to keep the information locked up tight. As more tools are added, more holes appear -- and plugging them is impossible because of the fundamental limits of logic.
But the real danger emerges when firewalls work, because it can make those who live behind them complacent. If a firewall is capable of blocking access that could exploit a simple bug in an operating system, the system administrators will often declare the problem solved. In reality, the problem is only masked, and it will fester.
For instance, when Microsoft was confronted with holes in both Windows95 and NT, it brushed them off when it discovered that a firewall would stop them. Rich Tong, the company's vice president for marketing, said, "Our recommendation to people who connect to the Internet without a proxy server: 'Get one as soon as possible.' "
That's Microsoft's way of saying, "Let them eat cake."
A proxy server is a computer that stands in for computers protected by a firewall to protect the hidden computers from unwanted intrusion. Requests for information by the hidden computer are sent out over the Internet as if they came from the proxy server.
Of course, when a proxy server stops an attack, everyone pretends that the problem is solved. Unfortunately, only the Hun at the gate has been thwarted. Attackers already behind the firewall -- that is, insiders -- are often discounted by security managers, even though many corporations could be devastated by internal attacks.
For example, in most companies, personnel records would be of much greater interest to employees than they would be to the rest of us on the Internet. Yet, the firewall only keeps out the rest of us.
When companies like Microsoft, Apple or Sun are slow to fix operating system vulnerabilities, arguing that the problem can be papered over by a firewall, they're throwing the vast majority of users to the wolves. Most Americans connect their home machines to the Internet through a direct dialup connection that opens them up to the Web at large. They can't afford a firewall to protect them, so their machines remain vulnerable.
Robert Frost's poem about mending the walls between his land and his neighbor's was a riff on why people used walls as an easy way to keep others at a distance. "He is all pine, and I am apple orchard," he wrote. "My apple trees will never get across and eat the cones under his pines, I tell him."
And there is yet another problem with firewalls: They slow productivity. When we use them as cheap substitutes for a secure operating system, we block out new features that require a level of Internet connectivity not allowed to people inside corporate environments.
A simple example: Computers' internal clocks are notoriously unreliable. There are several good applications that can reset them automatically each day by logging the time from one of a number of atomic clocks attached to the Internet at various research and military institutions. There are many reasons why administrators of large systems would love to have every computer on their network exactly in sync, but they can't open a port through the firewall for this kind of application. As a result, computers remain grossly out of sync until someone resets each one by hand, a task that is not only time-consuming but error-prone.
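An added illustration, not part of Wayner's column: a first-match packet-filter policy evaluator, used to contrast the "anything to port 80" rule from earlier in the column with a narrowly scoped rule for the clock-synchronisation need described above. The rule fields, the policies, the addresses and the time-server placeholder are all constructed for this example; none of it describes a real firewall product.

```python
"""
Added example (not from the original column): a tiny first-match packet
filter, enough to show two things the column argues in prose.

1. A rule that admits TCP/80 to any host cannot distinguish ordinary
   browsing from a disguised form request: at this layer they are the
   same packet.
2. The clock-sync hole need not be "a port through the firewall" in the
   broad sense.  A rule scoped to one protocol, one port and one
   administrator-chosen server is a much smaller opening.

Rule fields, policies and addresses are constructed; TIME_SERVER is a
placeholder from a documentation address range, not a real time host.
"""
from dataclasses import dataclass

ANY = "*"


@dataclass(frozen=True)
class Rule:
    action: str      # "allow" or "deny"
    proto: str       # "tcp", "udp" or ANY
    dst_host: str    # IPv4 address or ANY
    dst_port: int    # port number, or 0 for ANY


@dataclass(frozen=True)
class Packet:
    proto: str
    src_host: str
    dst_host: str
    dst_port: int


def matches(rule, pkt):
    """True when every rule field is either a wildcard or equal to the packet's."""
    return ((rule.proto == ANY or rule.proto == pkt.proto)
            and (rule.dst_host == ANY or rule.dst_host == pkt.dst_host)
            and (rule.dst_port == 0 or rule.dst_port == pkt.dst_port))


def decide(policy, pkt, default="deny"):
    """First matching rule wins; anything unmatched gets the default (deny)."""
    for rule in policy:
        if matches(rule, pkt):
            return rule.action
    return default


# The policy the column criticises: "web browsing" means TCP/80 to anyone.
BROAD_POLICY = [
    Rule("allow", "tcp", ANY, 80),
]

# Least-privilege alternative for the clock-sync need: UDP/123 only to a
# single chosen time server (placeholder address), plus the same web rule.
TIME_SERVER = "192.0.2.123"
NARROW_POLICY = [
    Rule("allow", "udp", TIME_SERVER, 123),
    Rule("allow", "tcp", ANY, 80),
]


def demo():
    """Run four constructed packets through both policies and report what each shows."""
    browse   = Packet("tcp", "10.1.2.20", "203.0.113.10", 80)
    data_out = Packet("tcp", "10.1.2.77", "203.0.113.99", 80)  # same shape as browsing
    ntp_ok   = Packet("udp", "10.1.2.20", TIME_SERVER, 123)
    ntp_any  = Packet("udp", "10.1.2.20", "203.0.113.50", 123)
    return {
        "broad_policy_sees_no_difference":
            decide(BROAD_POLICY, browse) == decide(BROAD_POLICY, data_out) == "allow",
        "broad_policy_blocks_time_sync": decide(BROAD_POLICY, ntp_ok) == "deny",
        "narrow_policy_allows_chosen_server": decide(NARROW_POLICY, ntp_ok) == "allow",
        "narrow_policy_blocks_other_servers": decide(NARROW_POLICY, ntp_any) == "deny",
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The evaluator is deliberately stateless, like the boxes the column describes: it inspects destination, protocol and port and nothing else. That is exactly why the broad policy returns the same answer for both TCP/80 packets, and why the narrow rule is the better shape for a fixed-destination service such as time synchronisation.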
The second page of this column contains a Java applet that will allow you to probe any firewall you have. It simply tries to set up a connection with The New York Times's Internet servers through several different ports. Some firewalls will allow these connections and provide transparency. Others block the connection to discourage internal people from leaving the network.
Firewall Test Applet
If you are brave and feel like exploring, try it out. Warning: Because of apparent problems in the Macintosh Java virtual engine, this application can cause your browser to freeze on a Mac.
UNDERDEVELOPED is published weekly, on Wednesdays.
Peter Wayner at firstname.lastname@example.org welcomes your comments and suggestions.
Copyright 1997 The New York Times Company