The corporate data leaving your network through the firewall might be more troubling than what's trying to get in.

What a firewall is and what it does are widely known to technophiles and technophobes alike. The purpose of a firewall has been burned into the head of just about every person who uses the Internet, and the thought of functioning without protection from the bad people is sheer lunacy.

However, nearly all firewalls are effectively unidirectional. They may protect you from nefarious pokes and prods from the nether regions of the Internet, but they'll happily ship out any data you send from the inside. Only at the higher levels of enterprise IT do you see active filters for data leaving the network.

I'm not talking about facilities that prevent access to certain websites based on content, or filters that block peer-to-peer applications. I'm talking about devices that actively block or issue alerts when anomalous data passes through the firewall from internal hosts. For instance, it's unlikely that anyone working in engineering and design firms in Peru would send lots of data to Chinese sites. If a filter or network traffic monitor had spotted this unusual activity, it's possible those firms wouldn't have lost tens of thousands of blueprints to an unknown Chinese organization. But their firewalls blithely allowed sensitive information to escape.

We're in a place now, technologically, that's fueling an uprising of internal threats: not just from viruses and whatnot, but espionage. There's been some recent concern that computer hardware produced in foreign countries may contain Trojans burned into the chips, allowing anything from remote control of sensitive devices to keylogging or providing a wider backdoor into the network.

Make what you will of this claim, but don't think for a minute it's not possible. The fact that these allegations are in dispute does not detract from the certainty that what they describe is technologically feasible.
The only way to fight this kind of deep intrusion is by carefully inspecting what leaves the network. I bet the vast majority of the corporate infrastructures in place today have little to no visibility of this kind, and the people using them may not even realize the threat.

But how does one gain control over outbound traffic? Locking down the inside of your firewall at Layers 3 and 4 does next to nothing to prevent data leaks, even if you explicitly block IP ranges belonging to foreign countries or competitors. Creating and maintaining such a blacklist is a fool's errand, as it's trivial for a data collector working for a German-based bad actor to operate from within the United States, running on a cheap VPS somewhere near Los Angeles. As the United Kingdom has discovered, IP blacklists are essentially useless.

The only way to truly get a handle on this is by using deep packet inspection and peering into every packet as it heads out of the network. Devices such as NIKSUN's NetDetector do exactly this, and they can be configured to send out notifications when passing traffic matches certain patterns, contains certain files, or even carries specific text strings. Naturally, the use of strong encryption can evade some of these triggers, but if suddenly there's a flurry of encrypted traffic heading to an unknown IP address in Guam, it might bear closer inspection. And you can immediately identify the internal source, since you have the packet stream in its entirety.

To dive further down the paranoid trail, there's still the matter of pesky embedded Trojans. Imagine a scenario wherein a major hardware manufacturer unknowingly included chips with Trojans in the firewall product itself. You could view every single piece of traffic heading through the firewall, but unless you're watching both sides of the device, you might miss the fact that certain data is being copied on its way across it and sent to another site.
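To make the kind of egress triage described above concrete, here is an added Python example. It is not code from the article and not NetDetector's logic; the flow records, RFC 5737 addresses, country codes, content patterns and thresholds are all constructed for the demonstration. It runs three of the checks the text mentions over a batch of outbound flow records (cleartext pattern matches, a bulk transfer to a country the firm has no business with, and encrypted traffic whose destination nobody can explain), and it also handles the low-and-slow drip scenario described further down the page, where a siphon releases small amounts of data over hours. Every alert names the internal source, which is the point of having the full stream.

```python
"""Triage of outbound flow records: the egress checks the text describes.

Added example, not code from the article or from any vendor product. The flow
records, addresses, countries, patterns and thresholds are constructed for the demo.
"""
import math
import re
from collections import defaultdict

# Assumed baseline: countries this (hypothetical Peruvian) firm normally talks to.
BASELINE_COUNTRIES = {"PE", "US", "DE"}

# Content triggers of the sort a DPI appliance is configured with (assumed list).
CONTENT_PATTERNS = [re.compile(p) for p in (rb"CONFIDENTIAL", rb"blueprint", rb"%PDF-")]

# Thresholds are illustrative; tune them to the network's real traffic.
BULK_BYTES = 5_000_000       # a single burst this large to a new place is odd
SLOW_MIN_FLOWS = 6           # low-and-slow: at least this many small flows ...
SLOW_SPAN_SECS = 6 * 3600    # ... spread over at least six hours
HIGH_ENTROPY = 7.0           # bits per byte; encrypted or compressed payload


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: about 8.0 for ciphertext, far lower for text."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def content_hits(payload: bytes) -> list[str]:
    """Names of the configured patterns found in a cleartext payload sample."""
    return [p.pattern.decode() for p in CONTENT_PATTERNS if p.search(payload)]


def triage(flows: list[dict]) -> list[tuple[str, str, str]]:
    """Return (internal source, destination, reason) alerts for a batch of flows."""
    alerts = []
    per_pair = defaultdict(list)
    for f in flows:
        per_pair[(f["src"], f["dst"])].append(f)
        hits = content_hits(f["payload"])          # fires regardless of destination
        if hits:
            alerts.append((f["src"], f["dst"], f"content match {hits}"))
    for (src, dst), fs in per_pair.items():
        country = fs[0]["country"]
        if country in BASELINE_COUNTRIES:
            continue  # established business destination; the checks below need rarity
        total = sum(f["bytes"] for f in fs)
        span = max(f["ts"] for f in fs) - min(f["ts"] for f in fs)
        if total >= BULK_BYTES:
            alerts.append((src, dst, f"bulk transfer: {total} bytes to {country}"))
        elif len(fs) >= SLOW_MIN_FLOWS and span >= SLOW_SPAN_SECS:
            alerts.append((src, dst, f"low-and-slow: {len(fs)} flows, {total} bytes "
                                     f"over {span // 3600}h to {country}"))
        if all(shannon_entropy(f["payload"]) >= HIGH_ENTROPY for f in fs):
            alerts.append((src, dst, f"opaque (encrypted-looking) traffic to {country}"))
    return alerts


# Constructed sample flows (RFC 5737 documentation addresses, invented countries).
OPAQUE = bytes(range(256)) * 2   # stands in for a ciphertext sample: entropy 8.0
FLOWS = [
    # Workstation syncing to a US SaaS over TLS: baseline country, no alert expected.
    {"ts": 0, "src": "10.1.2.10", "dst": "203.0.113.5", "country": "US",
     "port": 443, "bytes": 800_000, "payload": OPAQUE},
    # One big cleartext burst to a non-baseline country carrying marked text.
    {"ts": 60, "src": "10.1.2.44", "dst": "198.51.100.9", "country": "CN",
     "port": 80, "bytes": 6_000_000, "payload": b"...CONFIDENTIAL blueprint rev 7..."},
    # Hourly encrypted drips to an unfamiliar host in Guam: small, steady, patient.
    *({"ts": 3600 * h, "src": "10.1.2.77", "dst": "192.0.2.33", "country": "GU",
       "port": 443, "bytes": 40_000, "payload": OPAQUE} for h in range(8)),
]

if __name__ == "__main__":
    for src, dst, reason in triage(FLOWS):
        print(f"{src} -> {dst}: {reason}")
```

Two caveats a practitioner would apply before trusting this. The entropy test says nothing on its own, since every TLS session looks like random bytes; it is only meaningful combined with destination rarity, which is why the code skips baseline countries entirely. And the low-and-slow check only works if you keep per-pair history across hours, which a per-packet alert rule cannot do; in practice that state comes from flow exports (NetFlow/IPFIX) or the appliance's own stored stream, not from the firewall log.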
A carefully constructed siphon like this might even buffer interesting data internally, releasing it in slow, steady streams during lulls in normal traffic flows to further reduce its visibility.

Venturing along that same trail, we might envision embedded hardware doing this, but with the data going out through cell data providers so that there's no trace of its existence within the company's infrastructure. While some data centers have little or no cell reception, far more do. This is the stuff of nightmares for corporate IT security folks.

As in so many facets of IT, to be forewarned is to be forearmed. The quest for true network security and visibility is an ongoing struggle, and even with all the notice in the world, there's no winning this arms race. But that doesn't mean we can just quit. If you're not watching your outbound traffic now, plan on doing so as soon as possible. Whether you start with something as "simple" as ntop or go for the big guns like the NIKSUN device, it's a worthwhile investment of time and money, kinda like firewalls.

This story, "The firewall threat you don't know," was originally published at InfoWorld.com. Read more of Paul Venezia's The Deep End blog at InfoWorld.com.