Firewalls and DSL

By David M. Piscitello
Core Competence, Inc.

About a month ago, InternetNews-Intranet News posted a column, "Personal Firewalls Fail the Leak Test." In the column, Steve Gibson of Gibson Research blasted the personal firewall software industry for grossly overstating the security that software firewalls offer. Gibson's LeakTest utility, available for free from his Web site, provides a simple demonstration that corroborates Steve's claim that software firewalls "put most of their effort into blocking incoming hacker attacks, while paying only scant attention to what he calls internal extrusion."

LeakTest basically tests whether a trojan program, masquerading as a standard or trusted application, is allowed to pass through a firewall. What Gibson attempts to demonstrate with LeakTest is that hackers can place malicious software on your desktop and use open outgoing ports to get past your personal firewall software. Or seemingly innocuous software you install can surreptitiously launch a back channel.

My first reaction to this column was to smile. Too many vendors overstate the effectiveness of their security products, and any vendor that promotes its security products as bullet-proof deserves egg on its face. But in this same column, Gibson said "Most people don't have any vulnerabilities; there's nothing a hacker can do to you. So I argue against the necessity of any kind of inbound blocking tool."

Granted, Mr. Gibson is addressing personal software firewalls for the mass consumer market: individuals who have cable and DSL modems and may naively surf and chat and exchange mail. All those who make use of the consumer Internet need only visit Gibson Research to learn simple and free ways to block inbound attacks on Windows-based computers, and hence, no tool is necessary. But the subtlety of personal firewall software for Internet-connected PCs versus firewall appliances, hardware, and increasingly, managed firewall services for business LANs in small, home and remote offices is too easily lost on the unwashed masses of Internet users who weren't weaned on the Internet and take comments from security experts to heart.

I worry that consumers with day jobs as small business owner-operators may conclude from Steve's remarks that their DSL-enabled small business LANs don't need firewalls. I confess that my awareness of just how desperately such businesses need firewalls was raised dramatically -- and coincidentally -- the same week the LeakTest column was published. I can think of no better way than a case study to demonstrate my point.

Case Study: Who Needs Inbound Blocking?
A good friend asked me about security and his office LAN. "Bob" is the president of a vacation rental agency on Hilton Head Island. His company arranges weekly and monthly rentals of homes, villas and timeshare units. He explained that he was concerned about the integrity and privacy of the personal and credit card information of nearly 28,000 families and individuals who had and continue to rent property through his agency.

At the time, Bob had a DSL connection, but only to his desktop PC. His PC was connected to the DSL modem, using NAT. His PC was also connected to his internal business LAN, through the same shared medium hub, using a single Ethernet NIC. The DSL modem only bridged packets to and from his desktop PC. Bob's business LAN consisted of a half-dozen PCs running various versions of Windows (whatever came with the PC). Central to the agency's business is a UNIX server running a rental inventory, management, and invoicing application.

This system is leased and maintenance is included in the lease; apparently, security is not. Applications are accessed via the root account and critical file systems, including the inventory, management, and invoicing databases, are world accessible. A simple port scan revealed over a dozen unnecessary services were enabled and listening. User accounts support an internal mail system, and the passwords are shared and posted on monitors. This is a classic example of the kind of configuration you are likely to find in most small businesses, where UNIX, internetworking, and security expertise is non-existent. It's the definitive target for attackers who "get root" for a living.

And it's a good example of why business LANs need firewalls. A firewall policy that at least denies all inbound connections is essential to the business integrity and long-term operation of businesses like Bob's. An attacker who gains root on this system can cripple the company by destroying or modifying its databases, and can use this system as a launch pad for other attacks.

Even if Bob's company has a sound archive and business resumption plan (ahem…), a well-timed attack during the peak vacation rental periods of June, July, and August could be devastating. Picture Bob and his employees with several hundred irate families and individuals who have been double-booked into the same villa, or whose rental record has been lost or cancelled. Then picture his rental agency one year later…

Interesting Story…but your point is?
In my February column for CLEC-Planet, in the aftermath of the DDOS attacks, I recommended that CLECs be proactive in security -- their own and on behalf of their subscribers. Small businesses remain a strong market for DSL, and you can help this market by complementing always-on bandwidth with security. Consider a service offering that includes a basic firewall appliance from Linksys, Sonic Systems, UMAX or Watchguard Technologies, or a network-based firewall from Nortel, CoSine Communications, Quarry Technologies, or Lucent.

Provide education to your enterprise and consumer subscribers. I've posted a four-part series I recently published on Security and DSL connections, courtesy of Watchguard Technologies. I've also collected a number of useful resources on security and residential broadband at The Internet Security Conference (TISC) resources pages. Help your small business subscribers appreciate the need for firewall services by suggesting they use one of the many free vulnerability scanners I've identified at these same resources pages.

With the luster worn off DSL and the entire telecommunications market, it's important to avoid incidents and the concomitant bad press that hacking DSL and cable connections attracts.

How does the story end for Bob?
Security doesn't "end." To date, I installed a Watchguard SOHO firewall appliance between Bob's DSL modem and his entire LAN. I configured the firewall to block all incoming connections and block outgoing connections from the UNIX system -- there's no reason for any connection to emanate from this system, and this will prevent any Trojan or backdoor that might already have been installed from "phoning home."

I scanned his DSL connection to confirm that the firewall configuration performed inbound filtering as we wished. I showed Bob how to read his firewall logs, and in January, I'll forward his logs to my logging host. Also, Bob has scheduled the leasing company to come inspect his UNIX system to see if any unauthorized actions were performed, and to do some basic OS hardening as well. This is a start, but of course I recommend ongoing security vigilance for Bob -- and for all of your customers who are connected to the Internet with DSL.
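
The policy and log review described above, as an added example that is not code from the article or from WatchGuard: it models "block all incoming, block all outgoing from the UNIX system" and checks a firewall log against that policy. The LAN range, the server address, the log format and the sample lines are all constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Assumed addressing; the article gives none.
LAN = ipaddress.ip_network("192.168.1.0/24")
UNIX_SERVER = ipaddress.ip_address("192.168.1.10")

# Constructed log lines in a made-up key=value format (not WatchGuard's).
SAMPLE_LOG = """\
2001-01-05T02:14:09 action=deny src=198.51.100.23 dst=192.168.1.10 dport=23
2001-01-05T02:14:11 action=deny src=198.51.100.23 dst=192.168.1.10 dport=111
2001-01-05T03:40:52 action=deny src=192.168.1.10 dst=203.0.113.7 dport=6667
2001-01-05T03:45:52 action=deny src=192.168.1.10 dst=203.0.113.7 dport=6667
2001-01-05T09:02:30 action=allow src=192.168.1.21 dst=203.0.113.80 dport=80
2001-01-05T09:05:01 action=allow src=192.168.1.10 dst=203.0.113.9 dport=25
garbled line from a truncated write
"""

LINE = re.compile(r"^(\S+) action=(allow|deny) src=(\S+) dst=(\S+) dport=(\d+)$")

def decide(src, dst):
    """Policy from the article: no inbound, no egress from the UNIX server."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src == UNIX_SERVER and dst not in LAN:
        return "deny", "server-egress"
    if src in LAN:
        return "allow", "lan-egress"
    return "deny", "inbound"

def review(log_text):
    """Summarise a log: phone-home candidates, inbound probes, policy gaps."""
    report = {"server_egress": Counter(), "inbound_ports": Counter(),
              "mismatches": [], "unparsed": 0}
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        try:
            ts, action, src, dst, dport = m.groups()
            expected, reason = decide(src, dst)
        except (AttributeError, ValueError):  # no match, or malformed address
            report["unparsed"] += 1
            continue
        if action != expected:  # the firewall did not behave as the policy says
            report["mismatches"].append((ts, src, dst, int(dport), action))
        if reason == "server-egress":
            report["server_egress"][(dst, int(dport))] += 1
        elif reason == "inbound":
            report["inbound_ports"][int(dport)] += 1
    return report
```

On the sample, `review(SAMPLE_LOG)` reports two denied attempts from the server to the same outside host, and one allowed connection from the server that the stated policy should have blocked.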

David Piscitello is president of Core Competence, Inc., a network consulting firm, and founder of The Internet Security Conference.
