Firewalls stand the heat

Abstracts of Recent Articles and Literature

hackers made use of an outdated administrator’s account and a dial-up server to access other servers that had weak or no passwords. Had the account been disabled, it is unlikely that the attack would have succeeded. The attack is being investigated, but apparently the hacker installed vulnerability detection software to probe for further security holes. LQ~lilork :%~ra, 28 October, 1998, p. 4.

Microsoft backs feds’ encryption standard, Laura DiDio. Microsoft has announced that Windows NT will support the US government-mandated cryptographic standards, FIPS 140-1 and Fortezza, by the end of the year. NIST released FIPS 140-1 in June 1997, and the US government had mandated that after that time all agencies and companies doing business with them should acquire only encryption products that supported FIPS 140-1-compliant standards. According to Karan Khanna, Microsoft’s Windows NT security product manager, the company will bundle support for FIPS 140-1 and the Fortezza specification (part of the NSA’s Multilevel Information Systems Security Initiative) at no cost in Windows NT. However, as fifteen months have already passed since compliance with FIPS 140-1 was mandated, Microsoft has lost out on contracts to its rivals because NT, Internet Explorer and Internet Information Server have not supported FIPS 140-1. An added incentive for Microsoft to become compliant is that ANSI is considering basing new cryptographic standards for financial institutions on FIPS 140-1. Computerworld, September 7, 1998, p. 17.

Firewalls stand the heat, Gary Anthes. Computerworld and Federal Computer Week carried out an attack test against the products of four leading firewall vendors. The products tested were the Axent Raptor Firewall 5.0, SCC’s Firewall for NT Version 3.1, NetGuard’s Guardian and Compaq’s AltaVista Firewall ’98. Attacks were carried out by three teams, from Deloitte & Touche, Ernst & Young and Security Design International.
Although the products performed much as advertised, protecting internal systems from penetration, all the attack teams gleaned useful information about the systems behind the firewalls, and there were problems with the performance of the firewalls as a result of inherent flaws, flaws in the operating system or suboptimum configuration by the user. One of the firewalls, although not penetrated, was knocked out by a denial-of-service attack using the freeware attack tool Targa, and a second machine only withstood Targa because it had the very latest NT security patches applied. “If you’re going to use technology that forces all network traffic through a choke point - and for good reason - you’d better make sure it stays up in the face of adversity,” commented Bob Stratton, Security Design International’s vice president of technology. The teams also learnt more about the systems behind the firewalls than should be allowed in the interest of security. One team was able to learn the identities of the LAN server and the services running off it, the address of the internal network, and the status of various NT ports. “You gather bits and pieces of information that by themselves seem innocuous, and all of a sudden you can build a picture of what this thing looks like. The more information you have, the higher the likelihood that eventually you’ll be successful,” commented Fred Rica, a partner with Deloitte & Touche. A firewall may even confer a false sense of security by causing users to overlook flaws in the underlying operating system, particularly Windows NT, said Stratton. The denial-of-service attack succeeded because of a flaw in NT that could have been fixed if the user had applied the latest patches. “Just because you have a corporate policy for NT on the desktop doesn’t mean you should have it on your firewall,” said Stratton. Computerworld, September 7, 1998, pp. 62-64.

Data protect and survive, Nick Farrell. UK companies risk prosecution if they do not review their intranet and IT security in the face of the new Data Protection Act that comes into force next year.
Under the new act, the UK government’s security standard BS7799 is a minimum standard, which requires the establishment of a security policy, the appointment of a security manager and the detailing of approaches to every type of security breach, prior to the installation of security software. Despite this, a Department of Trade and Industry survey conducted in 1997 indicated that only 15% of companies were using BS7799 and 75% of companies had never heard of it. One significant change in the legislation from the 1984 Act is the ban on the export of data to countries that do not