Car owners using keyless remote locks trust that the button isn't going to pop a door open as they stride away. If only banks and credit unions could be as secure about their own firewalls when they power up the servers, according to IP security assessment firm Redspin.
In a collection of audits conducted at banks and credit unions in 2006, Santa Barbara, CA-based Redspin found common, and usually unintended, shortcomings in firewall configurations, or rulesets, that govern allowable activity on the network. Rules meant to monitor or prevent outgoing traffic were rendered ineffective at up to 30 percent of institutions, thanks to redundant or conflicting rules, paralyzing complexity or plain typos. Redspin also found that 77 percent were in violation of their own organizational security practices, such as the scarlet-letter sin of hosting a public Web service on an internal network.
It's not a problem that's elevated to the point of examiner concern, but configuration woes are becoming a more prominent maintenance headache for IT as well as a major hindrance to operations when swapping out providers or moving firewall services in-house. "The biggest problems have been simply in these large rulesets that have accumulated over the years, and become difficult to audit and make sense of," says Eric Maiwald, senior analyst with The Burton Group.
The industry has not "had a close look at these firewall configurations," adds Redspin president John Abraham. "So I think that nobody knows it's been a problem."
After years of additions, adaptations, changes and patches to firewalls, it's not unusual for banks to have 200, 300 or even 500 lines of configuration, or access control list (ACL) entries, that contain network addresses, protocols, ports and vendor-specific commands. The problem isn't the individual ACL entries but their order and interdependencies: on most firewalls the first entry that matches a packet decides its fate, so an entry's effect depends on everything above it. A jumbled configuration becomes more acute as new types of traffic are added to the network. "It's not just Web traffic over port 80," adds Maiwald. "It's now peer-to-peer, it's IM, you name it, it can all be tunneled over HTTP, and a standard firewall configuration doesn't help us there."
How have banks allowed these holes? More from blinders than blunders. IT executives have used "checklist" audits from vendors or accountants that attest to presence, not effectiveness, of a firewall, Abraham says.
Inattention to how ACL entries interact is what Redspin identified as the prime culprit in the audit findings for 34 financial services companies, none of which were named. For example, a broad default rule permitting traffic between two addresses would override any later rules an administrator introduced to shut that permission down, says Abraham. The later deny is never reached, because the firewall stops at the first matching rule. With a library of nullified or non-working rules, the firewall is a drained moat, and IT security doesn't notice because the rules are still visibly present in the configuration. Redspin is offering a free configuration analysis tool on its Web site in May to institutions.
For banks that do stay on top of firewall configurations, it's a daily challenge. At the $600 million American Business Bank in Los Angeles, network administrator Hector Lopez hustles through logs and patch updates for operating systems and applications, which may bring inconsistent command syntax and features across the firewalls. "We have a couple of switches running different versions of the operating system, so it's knowing the syntax for each [one]," Lopez says. "One will use an underscore, one won't use an underscore... some use a shorthand version, some don't; and some commands have different variables that go along with them, along with different sub-commands." Couple that with project deadlines, and "you have to try to remember those kinds of things on the fly," Lopez says.
Unintentional mistakes aren't all to blame. Often a configuration change is ordered up to accommodate a new business line or end-user network requirement, a case where a choice is made between a possible security threat and a critical business need. Of the roughly three in four banks that Redspin found in violation of a security best practice, 38 percent were improperly hosting services on internal networks, and 65 percent had no egress filter to monitor and halt outbound traffic from possible malware activity.
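As an added example of the two failure modes described above (a later deny that is shadowed by an earlier, broader permit, and an outbound chain with no real egress filter), here is a small first-match ruleset analyzer. It is not Redspin's tool or any vendor's code; the rule syntax, the sample chains and the "rule N" labels are constructed for illustration, and the analyzer assumes the first matching rule wins, as it does on Cisco ACLs and iptables chains.

```python
import ipaddress
from dataclasses import dataclass

# Constructed, vendor-neutral rule syntax used only for this example (not Cisco or iptables syntax):
#   <permit|deny> <ip|tcp|udp> <src-cidr|any> <dst-cidr|any> [port | lo-hi | any]
# Rules are evaluated first-match, top to bottom.

ANY_NET = ipaddress.ip_network("0.0.0.0/0")
ANY_PORT = (0, 65535)


@dataclass(frozen=True)
class Rule:
    num: int          # 1-based position in the chain
    action: str       # "permit" or "deny"
    proto: str        # "ip" (any protocol), "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: tuple      # inclusive (lo, hi) destination port range


def _net(token):
    return ANY_NET if token == "any" else ipaddress.ip_network(token, strict=False)


def parse_rules(text):
    """Parse the toy syntax above into Rule objects; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) not in (4, 5) or parts[0] not in ("permit", "deny") \
                or parts[1] not in ("ip", "tcp", "udp"):
            raise ValueError(f"cannot parse rule: {raw!r}")
        ports = ANY_PORT
        if len(parts) == 5 and parts[4] != "any":
            lo, _, hi = parts[4].partition("-")
            ports = (int(lo), int(hi or lo))
        rules.append(Rule(len(rules) + 1, parts[0], parts[1], _net(parts[2]), _net(parts[3]), ports))
    return rules


def covers(broad, narrow):
    """True if every packet matched by `narrow` is also matched by `broad`."""
    return ((broad.proto == "ip" or broad.proto == narrow.proto)
            and narrow.src.subnet_of(broad.src)
            and narrow.dst.subnet_of(broad.dst)
            and broad.ports[0] <= narrow.ports[0] <= narrow.ports[1] <= broad.ports[1])


def find_dead_rules(rules):
    """Rules that can never match because a single earlier rule already covers them.

    Returns (rule number, "shadowed" | "redundant", number of the covering rule).
    "shadowed" means the actions differ: the rule silently fails to do its job.
    """
    findings = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if covers(earlier, later):
                kind = "shadowed" if earlier.action != later.action else "redundant"
                findings.append((later.num, kind, earlier.num))
                break  # the first covering rule is the one that actually fires
    return findings


def first_match(rules, proto, src_ip, dst_ip, port):
    """Simulate first-match evaluation for one packet; returns the matching Rule or None."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (r.proto in ("ip", proto) and src in r.src and dst in r.dst
                and r.ports[0] <= port <= r.ports[1]):
            return r
    return None


def unfiltered_egress(rules):
    """Live 'permit' rules that let any protocol reach any destination on any port.

    On an outbound chain such a rule leaves nothing for an egress filter to stop.
    """
    dead = {num for num, _, _ in find_dead_rules(rules)}
    return [r.num for r in rules
            if r.action == "permit" and r.proto == "ip" and r.num not in dead
            and r.dst == ANY_NET and r.ports == ANY_PORT]


def audit(text):
    rules = parse_rules(text)
    return {"dead": find_dead_rules(rules), "open_egress": unfiltered_egress(rules)}


# Constructed sample chains (not any institution's real configuration).
INBOUND = """
permit ip  192.168.0.0/16 10.0.0.0/8          # rule 1: legacy "trust every branch" rule
deny   tcp 192.168.50.0/24 10.0.1.0/24 3389   # rule 2: added later to block RDP from one branch
permit tcp any 10.0.2.10/32 443               # rule 3: public web front end
permit tcp any 10.0.2.10/32 443               # rule 4: pasted twice during a change
deny   ip  any any                            # rule 5: explicit default deny
"""

OUTBOUND = """
permit ip  10.0.0.0/8 any                     # rule 1: "temporary" vendor exception, never removed
permit tcp 10.0.0.0/8 any 443                 # rule 2: the rule everyone thinks is in force
deny   ip  any any                            # rule 3
"""

if __name__ == "__main__":
    inbound = parse_rules(INBOUND)
    print("inbound dead rules:", find_dead_rules(inbound))
    hit = first_match(inbound, "tcp", "192.168.50.7", "10.0.1.5", 3389)
    print("RDP from branch 50 hits rule", hit.num, hit.action)  # rule 1 permit; rule 2 never fires
    print("outbound:", audit(OUTBOUND))
```

Running it reports rule 2 of the inbound chain as shadowed by rule 1 (the Redspin scenario: the deny exists on paper and never fires), rule 4 as redundant, and outbound rule 1 as an unrestricted permit that makes the egress filter meaningless. Two caveats for real use: the check only catches a rule fully covered by a single earlier rule, so a rule covered only by the union of several earlier rules, or overlapping rules with different actions, need a more thorough analysis; and vendor syntax (wildcard masks, object groups, stateful "established" matching) has to be normalized into this kind of canonical form before the comparison is meaningful.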
"You end up with this pressure where security folks say this is what we want to allow out, or we want to understand what's allowed out," says Maiwald, "but on the other hand, they have pressure from the business or the user community who say 'we need to do this.' At some point, business wins."
Even if there are no signs of firewall breakdowns, Maiwald says, banks remain vulnerable so long as they remain in the dark. "You now can have rules in your system that you don't need that might open up doors to intruders, especially if these are inbound rules," says Maiwald. "The rulesets need to be rationalized and better understood."