Frustration And Exposure In Corporate America

Deification of the Dollar

But not all product purchases are such servants of mammon. The frustration factor strikes in many forms. It's even produced some novel product categories.

Consider the new QoS (quality of service) products out there. For example, PacketShaper by Packeteer was created by smart folks who noticed the phenomenon of network administrators with their hair on fire running around screaming "I can't believe my precious network is being flooded with this junk!" Those are the same smart folks who asked "What if I gave you a way to throttle that flood down to a trickle?" Yes, please. May I have another?

Consumers divert their money from savings, or worse, go into debt if they overindulge in impulse buying. Corporate IT staffers divert a more precious commodity--time--as they patch up issues, which at best are tactical, if they overindulge in endless, annoying upgrades.

Exposing Yourself

While reading e-mail recently, I blurted out, "What the #@%*!" Everyone around me looked up, and Paula, our long-suffering project manager, said, "Oh, Brian's just having one of those days. You can tell by his hair."

OK, so my hair is frequently on end, but this day, it was more serious than that. I had just read what was the result of a particularly vicious hacker's attack on an associate's site. The hacker had gained access to the host and usurped the sender's e-mail and sent a vile stream of pornography to several of the victim's rather extensive mailing lists.

It seems to me that one of the most brutal consequences of getting hacked is the rest of the world knowing it happened. Talk about having the fear of God put in you. There, in painfully graphic detail, was the result of a security lapse. The victim will have his work cut out for him as he attempts to reestablish his credibility. Just reading about this incident made me want to disconnect from the Internet right then and there, run a virus check, rip the NIC and floppy drive out of my machine and lock all the doors.

I can hear you now: "But this could never happen to us, right? We've got our firewalls and we're safe behind them. This kind of stuff only happens to other people. Forget it even happened."

If that's your attitude, I bet you also believe that violent crime happens only in big cities. Personally, I don't want to forget the feeling I had as I read that trash e-mail. What I'd really like to do is capture it, and trot it out every now and again to terrorize network architects.

Imagine opening your e-mail and seeing the trash a hacker had sent out on your letterhead. I know this can't be the first time you've heard that firewalls, in and of themselves, aren't enough security. But most network administrators use a firewall and a "just say no" attitude and call it a security policy.

Unfortunately, the biggest problem is the one that will never cost anyone their job. The biggest problem is business as usual. The fact is, business as usual is an unsecured network cowering behind a firewall. Some call it a "hard, crunchy shell around a soft, chewy center."

In a way, the firewall is the worst thing that has happened to network security. It's like saying a seat belt will protect you, so you don't have to worry about how others on the road are driving.

Tom Pincince of NewOak Communications likens the firewall to the Pinkerton cop out in the lobby. If your building has a Pinkerton cop, it doesn't absolve you from having locks on the doors. And, if someone has an Uzi and is intent on getting into your office, that person will get past the Pinkerton cop one way or another.

Likewise, a firewall in front of your network won't help you if you don't have a comprehensive security architecture in place behind it. Make firewalls the last thing you add to a network, and only after you've secured what's there. And don't forget: Most security breaches are internal.

Forget Kerberos, IPSec and one-use passwords. Security is about managing risk--the never-ending, hands-on, constantly reviewed management of risk. Vendors can implement all the technology that the government will allow--or that vendors can agree on. But, the policy decisions of what level of risk to manage and what exposure to accept are yours and yours alone.

Brian Walsh is the founder of bwalsh.com, Portland, Ore., a networking and communications consulting firm specializing in Internet and client server product strategies, development and testing. He can be reached at www.bwalsh.com.





Updated December 5, 1997
