Is the firewall obsolete? Probably not, but current implementations were never designed to cope with the threats posed by Webmail, various social networking tools, and even popular corporate collaboration applications like SharePoint and WebEx.
"If all we had to do was block the application, this would be easy. But in many cases, business needs them," says Nir Zuk, CTO of Palo Alto Networks, a network security firm and firewall provider. WebEx, for example, is a great way of leaking data, he says, because it allows presentations along with file and desktop sharing. When files are shared they are not scanned for viruses or leakage.
Even more difficult is the challenge posed by the use of Webmail and social networking tools at work. It's not clear how widely tools like Twitter and Facebook are used in business, but there is a measure of how much traffic on corporate networks is generated by Webmail. And it's more than you think.
Palo Alto Networks monitored traffic on the networks of more than 700 corporations, with an aggregate user base of between 1 and 2 million, over the first six months of this year. Hotmail was used by employees at 90 percent of the monitored companies, Yahoo Mail by 88 percent, and Facebook mail (messaging, actually) by 79 percent. Facebook's usage per user was less than that of its two rivals, but that's changing: Facebook usage as measured by bandwidth consumption has increased by roughly 15 times since the spring of 2009, according to the survey.
Why is that a problem? "Organizations have built a Maginot Line on port 25 with defenses against malware, spam, and phishing," Zuk says, but none of that affects Webmail.
That's because corporate mail, such as Microsoft Exchange, is routed through the heavily defended port 25, whereas Webmail goes in and out via lightly defended ports 80 or 443, says King. WebEx also uses those ports, as does SharePoint.
While it's true that Webmail providers screen for threats, it's not at all clear how effective that screening actually is. When the volume of Facebook mail spikes, as it surely will, the number of threats hitting those lightly defended ports will soar. Given Facebook's terrible record of data leaks, it's hard to be confident that the company will do a better job of keeping out malware.
There's another business issue as well. Electronic communications of some employees in financial services and medical-related businesses are required by law to be archived for years, and data handled by those users must be secured. As Facebook usage increases at work, IT will have the additional burden of being sure that employees in regulated positions segregate business and personal communications.
That's why network security providers are developing so-called next-generation firewalls designed to do a better job of monitoring traffic. Broadly speaking, a typical firewall sees apps as either something used by the business or a threat. But social networking apps don't fit neatly into either category, which means firewalls need to be much more intelligent to screen for threats while still allowing useful, albeit non-standard, applications to run on the network.
This article, "What you missed: Social media messaging is getting around traditional firewalls," was originally published at InfoWorld.com.