Weaker Than You Think

The pitfalls of desktop firewalls and browsers (even with JavaScript turned off)

December 21, 2006


5:02 PM -- The security industry tends to be plagued by a lot of experts on yesterday's issues. In the last three or four years the industry has gravitated toward network security devices like IPSes, IDSes, security information management devices, and the like.

I've heard a lot of experts on those older issues talk about the recent Web application security vulnerabilities and browser issues with a bit of contempt in their voices. It's as if they find computer security to be less important than enterprise security, without really understanding that the two are completely correlated. The most common fallacy is that large companies feel they are protected because they have a firewall.

The modern enterprise no longer looks like an onion; it's far more complex.

Take a look at a modern enterprise network -- it is not only highly interconnected but it also has many entry points, the most frequently overlooked of which is the laptop. Laptops have a firewall and antivirus software on them, but does that actually protect them? More importantly, do those small software applications protect your enterprise? Why should it matter?

I'll tell you why: Enterprises are treating laptops like firewalls, and those firewalls are easily circumvented.

The second big fallacy at work today is that if you turn off JavaScript, your browser is protected. That may protect you from JavaScript-initiated attacks, but it certainly does not close all attack vectors. It doesn't stop session riding or cross-site request forgeries, and, surprisingly, it doesn't stop your browser from being used as an Intranet host scanner. And the security community has recently discovered that JavaScript is not required to learn which sites people have visited (and, potentially, where they have logged in), or which hosts are on their Intranet.

These two distinct but related fallacies create a false sense of enterprise security. Really, your mobile employees are the most likely to introduce seemingly invisible holes in your network, and there is nothing your firewall can do about it. The same domain origin policy has been broken. Browser security can no longer be relied on when software firewalls and antivirus are helpless to protect your employees. Maybe gopher is looking like a good option right about now. Regardless, it's time to start looking at putting your users in their own DMZ, isolating any mobile users on their own subnets, and hardening your Intranet.

More bad news: It's going to get worse before it gets better. The browser community is years away from fixing this issue, so until then it's best to harden the network as much as possible. Unfortunately, that often requires expertise that most companies don't have and can't afford, since good Web application security experts are extremely difficult to find and expensive.

I guess those Web application vulnerabilities and browser issues aren't as trivial as some people might have previously thought.

— RSnake is a red-blooded lumberjack whose rants can also be found at Ha.ckers and F*the.net. Special to Dark Reading
