
Weaker Than You Think

The pitfalls of desktop firewalls and browsers (even with JavaScript turned off)

5:02 PM -- The security industry tends to be plagued by a lot of experts on yesterday's issues. In the last three or four years the industry has gravitated toward network security devices like IPSes, IDSes, security information management devices, and the like.

I've heard a lot of experts on those older issues talk about the recent Web application security vulnerabilities and browser issues with a bit of contempt in their voices. It's as if they find computer security to be less important than enterprise security, without really understanding that the two are completely correlated. The most common fallacy is that large companies feel they are protected because they have a firewall.

The modern enterprise no longer looks like an onion; it's far more complex.

Take a look at a modern enterprise network -- it is not only highly interconnected but it also has many entry points, the most frequently overlooked of which is the laptop. Laptops have a firewall and antivirus software on them, but does that actually protect them? More importantly, do those small software applications protect your enterprise? Why should it matter?

I'll tell you why: Enterprises are treating laptops like firewalls, and those firewalls are easily circumvented.

The second big fallacy at work today is that if you turn off JavaScript, your browser is protected. That may protect you from JavaScript-initiated attacks, but it certainly does not close all attack vectors. It doesn't stop session riding or cross-site request forgeries, and, surprisingly, it doesn't stop your browser from being used as an Intranet host scanner. And the security community has recently discovered that JavaScript is not required to know where people have visited (and potentially, where they have logged into) as well as hosts on their Intranet.

These two distinct but related fallacies create a false sense of enterprise security. Really, your mobile employees are the most likely to introduce seemingly invisible holes in your network, and there is nothing your firewall can do about it. The same domain origin policy has been broken. Browser security can no longer be relied on when software firewalls and antivirus are helpless to protect your employees. Maybe gopher is looking like a good option right about now. Regardless, it's time to start looking at putting your users in their own DMZ, isolating any mobile users on their own subnets, and hardening your Intranet.

More bad news: It's going to get worse before it gets better. The browser community is years away from fixing this issue, so until then it's best to harden the network as much as possible. Unfortunately, that often requires expertise that most companies don't have and can't afford, since good Web application security experts are extremely difficult to find and expensive.

I guess those Web application vulnerabilities and browser issues aren't as trivial as some people might have previously thought.

— RSnake is a red-blooded lumberjack whose rants can also be found at Ha.ckers and F*the.net. Special to Dark Reading
