From the April/May 2008 Issue
Deep-Penetration, a hacker’s nom de plume, had been to this network address before and she knew it well. The system was easy to access even with the low-end firewall installed on the router. Even if the firewall had blocked her ability to access the network, the person configuring the router/firewall hadn’t changed the default administrative password. She could have easily used this to access the network by simply looking in the User Manual on the manufacturer’s website.
The administrative password on the server was still the default password known to everyone, and no one installed Service Pack 2, which would have disabled the administrative account. It was easy pickings. Deep-Penetration had even figured out how to access the tax application that was installed directly on the machine she was using to connect to the internal network. She enjoyed looking at all the personal financial details.
On previous visits, she had found several high net worth clients who had more than one million dollars in income. This time, Deep-Penetration was back for a reason. She had seen a posting in a hacker forum saying that a hacker going by the name of ID-ME was paying $600 per name and matching social security number. Deep-Penetration was short on cash and figured selling some names and social security numbers to ID-ME would be a quick way to make some money without getting caught. She knew exactly where she could get at least 2,000 names and the matching social security numbers, and she was going to cash in. Think this is farfetched? Perhaps not as farfetched as it might seem!
I recently attended an AICPA Certified Information Technology Professional (CITP) networking event in Detroit. One of the topics was about whether the firewall that comes with your Internet router and/or computer is sufficient protection for an accounting firm.
This discussion made me think about the fact that many accountants may not understand this very important security prevention technique — what I like to equate to putting a dead bolt on the door. And they may not know if their firms are as prepared as the owners might assume. The scenario above identifies a lot of things that are wrong besides the firewall. However, these mistakes could very well be happening in a firm and no one knows it. With what seems like every vendor coming out with a firewall as part of their product offering, many people may think that they are over protected. Unfortunately, this idea lulls us into a false sense of security.
The Types of Firewalls
Good news! Firewalls only come in two basic designs: software-based and hardware-based.
While each has its strengths and weaknesses, some basic things are designed
into certain firewalls that make them more secure than others. We will talk
about that aspect shortly, but first let’s make sure we are on the same
page in terms of definitions.
A hardware-based firewall is a physical device that connects to your Internet router and sits between your local area network (the computers and servers that make up your technology environment) and the Internet. It allows traffic in and out between the local area network and the Internet based on the rules defined on the device. A hardware firewall generally stops traffic at the perimeter between the Internet and the internal network. It does not monitor the traffic on the internal network.
A software-based firewall is a firewall installed on a computer or server. It monitors the physical network connection of the computer as it connects to either the local area network or the Internet. It is also rules-based just like a hardware firewall. Generally, software-based firewalls are much more open because they have to communicate not only with the Internet but also with other computers in their networked environment.
![[Get Copyright Permissions]](http://license.icopyright.net/images/icopy-w.gif){kind=small}
Click here for copyright permissions!
Copyright 2008 Cygnus Business Media
