The firewall threat you don't know

The corporate data leaving your network through the firewall might be more troubling than what's trying to get in

What a firewall is and what it does are widely known to technophiles and technophobes alike. The purpose of a firewall has been burned into the head of just about every person who uses the Internet, and the thought of functioning without protection from the bad people is sheer lunacy.

However, nearly all firewalls are unidirectional. They may protect you from nefarious pokes and prods from the nether regions of the Internet, but they'll happily ship out any data you send from the inside. Only at the higher levels of enterprise IT do you see active filters for data leaving the network.

[ Also on InfoWorld: Roger A. Grimes argues you don't need a firewall. | Get expert networking how-to advice from InfoWorld's Networking Deep Dive PDF special report and Technology: Networking newsletter. | Learn how to secure your systems with InfoWorld's Security Central newsletter. ]

I'm not talking about facilities that prevent access to certain websites based on content or filters that block peer-to-peer applications. I'm talking about devices that actively block or issue alerts when anomalous data is passed through the firewall from internal hosts. For instance, it's unlikely that anyone working in engineering and design firms in Peru would send lots of data to Chinese sites. If a filter or network traffic monitor spotted this unusual activity, it's possible those firms wouldn't have lost tens of thousands of blueprints to an unknown Chinese organization. But their firewalls blithely allowed sensitive information to escape.

We're in a place now, technologically, that's fueling an uprising of internal threats -- not just from viruses and whatnot, but espionage. There's been some recent concern that computer hardware produced in foreign countries may contain Trojans burned into the chips, allowing anything from remote control of sensitive devices to keylogging or providing a wider backdoor into the network.

Make what you will of this claim, but don't think for a minute it's not possible. The fact these allegations are in dispute does not detract from the certainty that what they describe is technologically feasible. The only way to fight this kind of deep intrusion is by carefully inspecting what leaves the network. I bet the vast majority of the corporate infrastructures in place today have little to no visibility of this kind, and the people using them may not even realize the threat.

But how does one gain control over outbound traffic? Locking down the inside of your firewall at Layer 4 does next to nothing to prevent data leaks, even if you explicitly block IP ranges belonging to foreign countries or competitors. Creating and maintaining such a blacklist is a fool's errand, as it's trivial for a data collector for a German-based bad actor to work from within the United States, running on a cheap VPS somewhere near Los Angeles. As the United Kingdom has discovered, IP blacklists are essentially useless.

The only way to truly get a handle on this is by using deep packet inspection and peering into every packet as it heads out of the network. Devices such as NIKSUN's NetDetector do exactly this, and they can be configured to send out notifications when passing traffic matches certain patterns, contains certain files, or even show up with specific text strings. Naturally, the use of heavy encryption can evade some of these triggers, but if suddenly there's a flurry of encrypted traffic heading to an unknown IP address in Guam, it might bear closer inspection. You can immediately identify the internal source since you have the packet stream in its entirety.

1 2 Page 1
Page 1 of 2