The following text is copyright 1999 by Network World; permission is hereby given for reproduction, as long as attribution is given and this notice is included.

Portable firewall circumvention

by Scott Bradner

A few months ago I put a new 10 GB disk drive in my Macintosh 2400 laptop. That expanded the original capacity fivefold, to the point where I could carry the basic business data for much of Harvard wherever I went if I had a mind to do that and if the University was dumb enough to let me do it. Sounds unlikely, but all too many businesses let their traveling executives do things that are just about that dumb.

Businesses spend tens of thousands of dollars to install and operate firewalls to protect their corporate secrets from intruders from the big bad world of the Internet. But in doing so too many seem to think that installing the firewall somehow magically makes all security problems disappear. There are a number of reasons why this borders on self-delusion.

Every study that looks at who the perpetrators of effective, if that is a reasonable word to use, network-based intrusions are shows the majority to be insiders or outsiders working with inside help. Since firewalls do nothing to keep out people who are already inside, they are of limited assistance in these cases. Installing firewalls also tends to make users, and sometimes network managers, complacent to the point where they forget the basics of good network security, such as using good passwords or physical token-based authentication.

This does not mean that organizations should forgo the use of firewalls, but it does mean that they should not assume that firewalls are some sort of magic pill that cures stupidity.

Firewalls certainly do not cure the stupidity of corporate executives carrying piles of corporate, and often private, secrets in plaintext files on their laptops and palmtops. Lots of information tends to pile up on these machines: copies of old email, spreadsheets of budgets, proposals for changing corporate direction or for new products, even auto-login scripts for dialing in when on the road. There might be more effective ways to find out what is going on in a corporation than to steal the CEO's laptop, but it would take me a while to think of one.

There have been products around for a while to keep laptops from booting without entering a password, inserting a plug-in card or attaching a device to the serial port, but these can be circumvented by moving the disk drive to another computer. There is also software that lets the user encrypt files on the disk, but the reliability of this depends on the reliability of the user taking the time and trouble to do the encryption every time and not writing the password on the laptop case. The only safe ways to carry corporate secrets on a laptop are to not do so or to encrypt the whole disk, and there are products to do that. In the end it is cheaper to lose the data due to a forgotten password than to reveal the secrets to the wrong person.

Disclaimer: Harvard's business is not curing stupidity, it is nurturing intelligence, but the above is my too-full disk.