"We're Secure, We Have a Firewall"

If only we had a nickel for every time we've heard a client utter these words. We'd probably not be writing this book; rather, we'd be sipping Piña Coladas on some white sand beach by now and .

If you're skeptical, all warm and cozy next to your firewall, just remember this: Over 65% of reported attacks occur via TCP port 80, the traditional Web port (http://www.incidents.org). Is the threat to the Web real? You bet it's all too real.

To Err Is Human

In the course of performing hundreds of security reviews over the decades, we learned what you are about to learn (if you don't already know it): Nothing can be truly secure. Error is at the heart of every security breach and, as the saying goes: To err is human. No level of firewall, intrusion detection system (IDS), or anti-virus software will make you secure. Are you surprised that this type of comment introduces a security book? Don't be. It is the harsh reality that must be accepted before the race to security can be started.

So what should you do, just throw up your hands, turn off the power to your computer and ignore the Internet, the modem, and the computer? Sure, you can do that but you would be alone in your efforts. The Internet and all it has to offer is undeniable: increased communication and information sharing, connecting with people of all races, creeds, colors, sexes, and intelligence without boundaries or limits. And those are just the home users' benefits. Businesses use the Internet 24 hours a day, 7 days a week, making money and transmitting funds around the world at the blink of an eye. Anyone who denies the ubiquity and staying power of the Internet is just kidding themselves.

Writing on the Wall

More than three years ago, one of the authors of this book wrote a foreboding article that was indicative of things to come. Printed on August 9, 1999, it was titled "Bane of e-commerce: We're secure: We allow only Web traffic through our firewall" (http://www.infoworld.com/articles/op/xml/99/08/09/990809opsecwatch.xml). The article warned of flaws in the security wall at that time, but no one wanted to believe it, much less talk about it. Everyone seemingly was too caught up in either hyped technologies, such as firewalls, IDS, and virtual private networks (VPN), or peripheral technologies that never hit mainstream, such as Public Key Infrastructure (PKI), Distributed Computing Environment (DCE), and single sign-on.

So why the tremendous interest in the Web and its security now? Because hacking events occur frequently in today's connected world. And people are beginning to understand how a single vulnerability in a Web application can expose an entire company's information system to an attacker (witness the Code Red and Nimda worms).
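The point of this chapter is that a perimeter rule which lets TCP port 80 through says nothing about what rides inside that HTTP traffic. The following is an added illustration, not code from the book: a port-based filter placed beside a request-line inspector and run over a handful of constructed access-log lines. The worm request patterns are the publicly documented Code Red and Nimda probes as IIS servers logged them in 2001; the log lines, function names and hosts are constructed for the example.

```python
"""Port filter versus HTTP-level inspection (added example, not from the book)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The "we have a firewall" policy: anything to the web server on TCP/80 passes.
ALLOWED_PORTS = {80}

# Request-line signatures for the worms the chapter names. These match the
# probes as they were widely logged on IIS hosts in 2001 (public signatures).
HTTP_SIGNATURES = {
    "code-red": re.compile(r"/default\.ida\?[NX]{20,}", re.I),
    "nimda-root-exe": re.compile(r"/(?:scripts|msadc)/root\.exe\?", re.I),
    "nimda-cmd-exe": re.compile(r"cmd\.exe\?/c\+", re.I),
    "nimda-unicode-traversal": re.compile(r"\.\.%c[01]%[0-9a-f]{2}\.\./", re.I),
}


@dataclass
class Verdict:
    dst_port: int
    request_line: str
    firewall_allows: bool          # what a port-only rule decides
    http_alert: Optional[str]      # what an HTTP-aware inspector sees


def firewall_check(dst_port: int) -> bool:
    """Port-only decision: the firewall never looks past the TCP header."""
    return dst_port in ALLOWED_PORTS


def http_inspect(request_line: str) -> Optional[str]:
    """Return the name of the first matching worm signature, or None."""
    for name, pattern in HTTP_SIGNATURES.items():
        if pattern.search(request_line):
            return name
    return None


def evaluate(dst_port: int, request_line: str) -> Verdict:
    """Run both checks so the gap between them is visible side by side."""
    return Verdict(
        dst_port=dst_port,
        request_line=request_line,
        firewall_allows=firewall_check(dst_port),
        http_alert=http_inspect(request_line),
    )


def summarize(traffic: List[Tuple[int, str]]) -> Tuple[int, int]:
    """Count (requests the firewall allowed, allowed requests that carried a
    known worm probe). The second number is what the port rule never saw."""
    allowed = 0
    allowed_but_hostile = 0
    for port, line in traffic:
        v = evaluate(port, line)
        if v.firewall_allows:
            allowed += 1
            if v.http_alert is not None:
                allowed_but_hostile += 1
    return allowed, allowed_but_hostile


# Constructed sample traffic: (destination port, request line). Only the
# telnet attempt is stopped by the port rule; every worm probe is on port 80.
SAMPLE_TRAFFIC: List[Tuple[int, str]] = [
    (80, "GET /index.html HTTP/1.1"),
    (80, "GET /default.ida?" + "N" * 224 + "%u9090%u6858 HTTP/1.0"),
    (80, "GET /scripts/root.exe?/c+dir HTTP/1.0"),
    (80, "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0"),
    (80, "GET /products/list?page=2 HTTP/1.1"),
    (23, "telnet login attempt"),  # not HTTP; dropped by the port rule
]

if __name__ == "__main__":
    for port, line in SAMPLE_TRAFFIC:
        v = evaluate(port, line)
        print(f"port {port:>3} allowed={v.firewall_allows!s:5} alert={v.http_alert}")
    print("allowed / allowed-but-hostile:", summarize(SAMPLE_TRAFFIC))
```

Run as a script it prints one verdict per line; the summary shows five requests passing the port rule, three of them carrying a probe that only the HTTP-level check recognizes. That gap is the whole argument: inspection of the application layer, and fixing the application itself, is what a port-80 rule cannot substitute for.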

Web Hacking: Attacks and Defense
ISBN: 0201761769
Year: 2005
Pages: 156