Smarter firewalls needed for sophisticated security threats says Microsoft

Company says 95% of intrusions could be stopped by better configuration

Ninety percent of internet users asked in a Computer Security Institute survey in 2002 said they had detected a security breach of some kind affecting their ICT systems, according to Microsoft technical specialist Nathan Mercer, speaking at the Connect 05 conference last month [April]. A Computer Emergency Response Team (CERT) report in the same year said as many as 95% of these breaches could have been avoided with a different firewall configuration, says Mercer.

Organisations should therefore look carefully at their ability to configure firewalls appropriately. Particularly, those considering for extra security having two firewalls from different suppliers should ask themselves if they have the skillset to configure both, says Mercer.

Many “traditional” firewalls, with only a low-level packet-scanning capability are open to advanced attacks at the application level. Security is a complex area to manage and “IT is already overloaded.” There is often a perceived trade-off between security and performance, particularly with limited bandwidth.

The main topic of his address was a run through the features of Microsoft’s ISA Server 2004, an application-level firewall with VPN capability and an inbuilt web cache, minimising HTTP traffic from the outside world.

He used the presentation, however, to discuss general features of firewalls. Packet-filtering firewalls are fast but employ unsophisticated inspection. Even more advanced “stateful inspection” firewalls cannot make intelligent evaluations at the application level, he says. If a flow of packets “looks like normal traffic” it will often slip through.

Particularly insidious are SSL-based attacks, which use the HTTPS protocol to sneak in an encrypted packet which a conventional firewall would take so long to decrypt, inspect and re-encrypt that it would affect performance.

ISA Server 2004 is an illustration of Microsoft’s “secure by default” paradigm in that “out-of-the-box” it allows nothing through. Rules have to be specified to allow through traffic related to specific applications.

The previous version, ISA Server 2000 was founded on a simple networking model with fixed “inside”, “outside” and “demilitarised” zones and a packet filter only on the external interface. Modern firewalling, as implemented in ISA server 2004, caters for several networks within the organisation, each capable of having its own security policy and packet filtering on all interfaces.

The new firewall has an "extremely powerful" filter for remote procedure calls, says Mercer. By default, it will only allow RPC endpoints. It will deny many arbitrary DCOM object invocation routines, including certificate issuing (that part of the filter will have to be temporarily turned off to distribute genuine certificates). It disallows Microsoft Operations Manager (MOM) agent install and any application that uses DCOM.

Microsoft has also tried to simplify the user interface and has introduced “wizards” and templates to simplify setup and configuration.

Join the newsletter!

Error: Please check your email address.

More about CERT AustraliaComputer Emergency Response TeamComputer Security InstituteMicrosoft

Show Comments
[]