Hardware & Infrastructure
Commentary
2/16/2006
04:30 PM
Fred Langa

Langa Letter: How Much Protection Is Enough?

Too much or too little online security can lead to a world of trouble. Here's a solution.

Protecting The Back Channel
But there's more to a multilayered defense than simply providing backstop protection. For example, most hardware/firmware firewalls don't do much, if anything, about protecting the outbound side of a connection. They have no way of knowing whether a port request from a desktop machine is legitimate or was spoofed by a Trojan, a virus, or a worm. (In fact, the attack on Blaine's system could have been the result of just such a scenario, where malicious code on his system fooled his firewall into opening a port.)

So, many users employ a multilayer defense that also guards the outbound channel:

I'm an MIS/network-support engineer at a major distribution company. I have a Linksys router, and I run ZoneAlarm on all of my PCs as well. The reason for this is that even though Linksys acts as a firewall, it doesn't block any information from being sent out of your computers. If you happen to download a program that contains spyware, the Linksys router won't do anything to stop those packets from being sent out. ZoneAlarm does. It will allow virtually nothing to enter or leave your computer without your permission and works perfectly well with Linksys systems. Of course, you should still run antivirus software as well.
--O'Leary

While Blaine and O'Leary both use a combination of hardware and software firewalls, you can achieve the same effect just with software. For example, I distribute Internet access across my office LAN via WinProxy running on a dedicated server. WinProxy includes a software firewall to protect the inbound leg, but I still use ZoneAlarm on my desktop machines. It acts as a secondary firewall to block any inbound attack that makes it through the main firewall (as in Blaine's case). And (as O'Leary pointed out) it also can flag any outbound attempt by any program to access the Internet. Should a Trojan application or spyware end up on my machine, ZoneAlarm will alert me to any attempts by the hostile application to establish an outbound connection and let me block the attempt.

In this way, multiple layers of defense can buttress each other and improve your overall security.
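The two layers described above, modeled in code as an added example (not from the column or from any of the products it names): a router-style firewall that only screens the inbound leg, and a host firewall that knows which program owns a socket. The process names and the sample connections are constructed for the illustration.

```python
# Added example: why an inbound-only router firewall lets spyware "phone home"
# while a per-application host firewall can flag and block the attempt.
from dataclasses import dataclass


@dataclass
class Conn:
    direction: str   # "out" = LAN host opened it, "in" = unsolicited from Internet
    process: str     # program that owns the socket (a router never sees this)
    dst_port: int


class RouterFirewall:
    """Stateful router: drops unsolicited inbound traffic, allows anything
    the LAN originates. It cannot tell a browser from a Trojan."""
    def decide(self, c: Conn) -> str:
        return "allow" if c.direction == "out" else "drop"


class HostFirewall:
    """Per-application egress filter: a program reaches the Internet only
    if the user approved it; anything else is blocked and logged."""
    def __init__(self, approved):
        self.approved = set(approved)
        self.alerts = []

    def decide(self, c: Conn) -> str:
        if c.direction == "in":
            return "drop"
        if c.process in self.approved:
            return "allow"
        self.alerts.append(f"{c.process} tried to reach port {c.dst_port}")
        return "block"


def evaluate(layers, conns):
    """A connection survives only if every layer allows it (defense in depth)."""
    return {c.process: ("allow" if all(l.decide(c) == "allow" for l in layers) else "denied")
            for c in conns}


# Constructed sample traffic: a browser session, an inbound worm probe,
# and an outbound beacon from a program the user never approved.
SAMPLE = [
    Conn("out", "firefox.exe", 80),
    Conn("in", "(unknown remote)", 135),
    Conn("out", "spyware_dropper.exe", 8080),   # constructed name
]


def router_only():
    return evaluate([RouterFirewall()], SAMPLE)


def router_plus_host():
    host = HostFirewall({"firefox.exe"})
    return evaluate([RouterFirewall(), host], SAMPLE), host.alerts
```

With the router alone the beacon is allowed because it originated on the LAN; adding the host layer denies it and leaves an alert the user can act on.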

Two Big 'Ifs'
But there are two big ifs: Multiple layers of defense are better than single layers only if they truly complement each other and if they don't interfere with each other.

By complement, I mean that they shore up each other's weaknesses. For example, a segmented LAN that uses a number of the same kind of routers, firewalls, etc., throughout the network does not--repeat, not--have a true multilayered defense. Conceptually, this is like having many locked doors, all of which are vulnerable to the same lock pick. Any attacker who can break in at any one point will be able to exploit the same weakness to attack other points in the LAN.

A truly effective multilayered defense is one that requires attackers to start from scratch at each layer and employ different break-in strategies. The harder it is, the less likely it is the attackers will succeed. Even if they're determined to try, the extra time it takes them to work through the layers is time during which you can detect and stop the intrusion.

Going Too Far
But make no mistake--a multilayered defense can go too far. That's where the issue of interference crops up. In cases where people run multiple firewalls, intrusion monitors, antivirus tools, etc., on the same PC, they can run into trouble because the apps may compete to "own" the processes they're designed to monitor.

This is perhaps easiest to see in the case of antivirus tools. In my own case, WinProxy offers some limited antivirus protection for the LAN as a whole. It runs on the server and does its own thing there. But separately, I run Norton AntiVirus on my desktop PCs. Because neither tool is working on the same data at the same time or on the same machine, they coexist well and buttress each other. Anything that gets by one is caught by the other.

But if you install multiple antivirus tools on the same PC, they can end up stepping on each other's toes. I saw this recently when I was asked to troubleshoot a problem PC in a school's administrative office. The machine was balky, unstable, and very slow. It had a number of problems, but the worst was that some well-intentioned soul had installed both Norton and McAfee antivirus tools on the system and set both to check for viruses each time any file was created, downloaded, opened, or saved. As a result, with almost any disk activity, both apps would try to grab and process the same file at the same time. The system was mired in file-contention hell.

You can run into the same kind of problem with other protective tools such as software firewalls. Adding, say, BlackIce and ZoneAlarm to the same system probably isn't worthwhile and may be downright counterproductive. You're asking for trouble by having two apps simultaneously trying to monitor, process, and log a single system's Internet activity.

Fortunately, the issue of interfering tools usually doesn't arise when the protective technologies are carefully chosen and split, with some residing on the local desktop and the rest residing in external routers, servers, and firewalls. Because the tools operate independently, they can coexist well and provide more security than either could alone.
