IPkey.com - information security monitoring & management

Information Security Bulletin

January 2004 

Feature Story:
New Year's Resolution 2004: Trust (but verify!)

Happy belated New Year!  This month we are getting serious about our health and trimming the fat. Don't panic!  I mean the health of our digital immune system, and slimming down the bloated Internet bandwidth being sucked up by spam, unauthorized downloads, music sharing & streaming video!

Today, every business should have a firewall when connecting to the Internet.  As you all know, a firewall executes rules (called policies) that control the flow of Internet traffic. Most firewalls have default policies that allow anyone on the inside (internal network) to get to anywhere on the outside (Internet), but do not allow outsiders to get to the inside.  This basic filter worked well in the past, but times have changed.  Today, firewall policies have had to become far more complex to deal with increasingly sophisticated threats.  We now need very granular control over the type of Internet activity that employees can engage in because it has become so easy for them to inadvertently 'catch' something bad.  In short, firewalls are no longer simple filters; they have become complex policy engines that should micro-manage outbound Internet traffic and authenticate and control inbound remote access.

So how do we know that these complex policies  are working right?  The answer for over 95% of us is that we just don't have a clue.  We just assume it's working, and why shouldn't we?  If we were in trouble, we'd know about it, right? <Buzzer> Wrong!

Here's why. Every time an employee freely accesses the Internet, there is a cost.  That cost is the increased risk that each and every Internet access will introduce something bad into the corporate network.  This cost is not trivial - US organizations spent tens of billions last year cleaning up the effects of malicious code.  Even small businesses pay.  Their employees' PCs slow down and start crashing because of the spam and Internet parasites they allow in.  Giving employees unrestricted Internet access is effectively inviting more problems than you can imagine.  We trust employees to use the web safely, but we don't verify.

We are also grappling with employee productivity losses due to Internet use.  Personal email, online shopping, banking, bill pay, dating, sports scores, Instant Messaging (IM) are all distractions from work. Most employers I work with are inclined to trust their employees, but they do not verify.

As you can see, there is a whole lot of trusting going on, but no verification.  Management often doesn't have a clue what's really going on with the Internet.  As the risks of un-managed Internet use keep rising, the costs of repairing security breaches, cleaning up viral and parasitic infections and lost productivity are impacting the bottom line in ways you don't even realize.

So how do we find out what's going on and verify our policies are being followed? The only way is to get meaningful reporting of all Internet traffic going in and out of your firewall.  Great idea, but like so many, it's far easier said than done.

The way we do this is simple in concept.  Most firewalls can generate streams of log data (called Syslog) that detail every single session and event occurring at the firewall.  That's the good part.  The bad news is that trying to read this raw data is like trying to drink from a fire hose.  To capture and process this data, you need lots of disk space; some sites can generate over 1Gb a day of data.  Furthermore, this complex software typically has to run 24x7 on a server with some type of industrial strength SQL database to maintain the data for reporting.  This is not the type of software you can just slap on your PC.

A good reporting package 'distills' this huge data stream into something not only manageable, but also useful.  When everything works, you end up with a set of reports that shows you exactly what's going in and out of your network.  Now most vendors of firewalls and security appliances offer some type of reporting software, but it only works with their products. By nature, I am uncomfortable validating a vendor's firewall with reporting software from the same company.  I prefer to use independent third-party software, but until recently the only option was the enormously expensive ($3,500 per firewall) and very poorly supported package from NetIQ.

Of course, large corporations can easily afford to invest in this equipment and the expertise required to set it up, but small and medium size businesses have had no affordable alternative.  This changed last fall when IPkey started beta testing software called Firewall Analyzer Enterprise from a New England company called eIQnetworks.  This package promised the capability to remotely collect and process data streams from many firewalls on a central co-located server.  We could now generate monthly, weekly or even daily reports and email them to our clients. For icing on the cake, they also offered an optional web browser interface so that clients could directly view an 'Executive Dashboard' that provides an overall, graphical picture of what was happening.  This unique capability really excited us here, especially because this product works with virtually any business-class firewall.

The downside was that there were a lot of bugs that had to be worked out.  We literally spent hundreds of man-hours working with the good people at eIQnetworks. We invested this time and effort because the product had so much promise. By Thanksgiving, the code was stable enough to begin offering this to our 'early adopter' clients, who just raved about how valuable it was.

Today, our clients are able to see exactly what's going on. For some, seeing these reports for the first time is something akin to an epiphany.  Not only are many of their worst fears realized, but some they have never even dreamed of show up.  Believe me, it IS better to know than to stay in the dark.  I could tell you stories!  Now, just who is doing what out there?

So trust and verify!  More next month.

Welcome to the Information Security Bulletin.  This is your source for the latest practical information you can use to protect your organization's critical information and network services.

Marcus Clarke
ISB Editor

ISB Takeaway #1:
Now is the time to review the computer, Internet and email policies used by your organization.  Your firewall policies should mirror these policies, and you should be able to verify that they are configured correctly and working properly.

ISB Takeaway #2:
A new trend is internal firewalling to separate business units within the same organization. Network security and compliance requirements are making this more common.
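As an added illustration (not part of this newsletter, and not eIQnetworks' or any vendor's software), the script below shows the 'distill' and 'verify' steps in miniature: it parses a few constructed firewall syslog session lines in a simplified, hypothetical format, totals allowed outbound traffic by destination port, and flags allowed sessions that a hypothetical written acceptable-use policy (the port set POLICY_ALLOWED_OUTBOUND) says the firewall should have blocked, which is the policy-versus-reality check Takeaway #1 calls for.

```python
import re
from collections import Counter

# Constructed sample syslog lines in a simplified, hypothetical firewall
# session format (not any real vendor's syntax); values are made up.
SAMPLE_SYSLOG = """\
Jan 12 09:01:03 fw1 session: src=10.1.1.15 dst=64.233.160.4 dport=80 proto=tcp bytes=5120 action=allow
Jan 12 09:01:09 fw1 session: src=10.1.1.22 dst=207.46.110.11 dport=1863 proto=tcp bytes=800 action=allow
Jan 12 09:02:41 fw1 session: src=10.1.1.15 dst=64.233.160.4 dport=443 proto=tcp bytes=20480 action=allow
Jan 12 09:03:10 fw1 session: src=10.1.1.31 dst=24.5.6.7 dport=6346 proto=tcp bytes=10485760 action=allow
Jan 12 09:04:55 fw1 session: src=198.51.100.9 dst=10.1.1.5 dport=3389 proto=tcp bytes=0 action=deny
Jan 12 09:05:02 fw1 session: src=10.1.1.22 dst=207.46.110.11 dport=1863 proto=tcp bytes=1200 action=allow
"""

# Hypothetical acceptable-use policy, expressed as the only outbound
# ports the firewall is supposed to permit from the internal network.
POLICY_ALLOWED_OUTBOUND = {25, 53, 80, 443}
INTERNAL_PREFIX = "10.1.1."  # assumed internal address range

LINE_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) bytes=(?P<bytes>\d+) action=(?P<action>\w+)"
)

def parse_sessions(text):
    """Turn raw syslog text into session dicts, skipping lines that do not parse."""
    sessions = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["dport"], rec["bytes"] = int(rec["dport"]), int(rec["bytes"])
        sessions.append(rec)
    return sessions

def summarize(sessions):
    """Distill sessions into the figures a monthly firewall report would show."""
    outbound = [s for s in sessions
                if s["src"].startswith(INTERNAL_PREFIX) and s["action"] == "allow"]
    bytes_by_port = Counter()
    for s in outbound:
        bytes_by_port[s["dport"]] += s["bytes"]
    # The 'verify' step: allowed sessions the written policy says should not exist.
    violations = [s for s in outbound if s["dport"] not in POLICY_ALLOWED_OUTBOUND]
    inbound_denied = sum(1 for s in sessions
                         if not s["src"].startswith(INTERNAL_PREFIX) and s["action"] == "deny")
    return {"outbound_sessions": len(outbound),
            "top_ports_by_bytes": bytes_by_port.most_common(3),
            "policy_violations": violations, "inbound_denied": inbound_denied}
```

Running summarize(parse_sessions(SAMPLE_SYSLOG)) on the constructed lines reports five allowed outbound sessions, the bulk of the bytes going to port 6346, and three allowed sessions (ports 1863 and 6346) that the hypothetical policy does not permit.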

The ISB is a monthly email newsletter published by IPkey.com, your source for affordable information security monitoring and management.  IPkey.com is part of Meridian Group, a New Mexico based corporation serving the IT needs of its clients for 14 years. We encourage you to forward ISB to your co-workers, colleagues and friends.  To subscribe or unsubscribe to the ISB newsletter, email us at isb@ipkey.com.
Past issues of this newsletter are available at the IPkey.com ISB Archive.

I invite you to call or email me with your questions and comments.  As always we are here to assist you with your Information Security needs.

Next Month:

  Vulnerability Scanning.

All contents copyright (C) 2003 Meridian Group Inc.