More than one way to trap a hacker
- 14 May, 1998 13:52
Lead a hacker into a maze of mirrors, then slam the door on him. That's the latest tactic in the ongoing war against electronic intruders waged by bleeding-edge practitioners such as Sun Microsystems.
The man in charge of Sun's corporate defences, Terry Keeley, believes "you need a minimum of three layers of security and preferably five to stop a determined hacker".
The architect of Sun's intranet, Internet and extranet infrastructure, Keeley let slip some of Sun's secrets on a recent trip to Australia. He rates the IP filtering and screening software supplied by router vendors as "a good first step but it is never enough by itself".
More sophisticated IP filtering is needed to beef up the router's relatively coarse feature set. Sun uses Firewall-1, the Check Point product it resells as Solstice FireWall-1, but shops that write their own filter and screening code often end up with conflicting rules that create openings for hackers, Keeley warned.
Sun tosses a third layer at hackers in the form of yet another type of IP filter and screen system: its SunScreen Secure Packet Filter (SPF), which comes with embedded encryption.
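The opening Keeley warns about is a concrete, checkable property of a rule set: most packet filters apply the first rule that matches, so a broad "allow" placed above a narrower "deny" silently shadows it. The following is an added illustration written for this page, not Sun's or Check Point's code; the rule sets, addresses, rule names and port numbers are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[str]             # "tcp", "udp" or None for any protocol
    dport: Optional[range]           # destination port range, None for any

    def matches(self, src, dst, proto, dport) -> bool:
        return (src in self.src and dst in self.dst
                and (self.proto is None or self.proto == proto)
                and (self.dport is None or (dport is not None and dport in self.dport)))


def rule(name, action, src, dst, proto=None, ports=None) -> Rule:
    """Small constructor so the constructed rule sets below read like a policy."""
    dport = None if ports is None else range(ports[0], ports[1] + 1)
    return Rule(name, action, ipaddress.ip_network(src), ipaddress.ip_network(dst), proto, dport)


def first_match(rules: List[Rule], src, dst, proto, dport, default="deny") -> Tuple[str, str]:
    """First-match evaluation, as a typical packet filter applies its rule list."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.matches(src, dst, proto, dport):
            return r.action, r.name
    return default, "default"


def covers(a: Rule, b: Rule) -> bool:
    """True when every packet matched by rule b is also matched by rule a."""
    ports_ok = (a.dport is None or
                (b.dport is not None and b.dport.start >= a.dport.start
                 and b.dport.stop <= a.dport.stop))
    return (b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst)
            and (a.proto is None or a.proto == b.proto) and ports_ok)


def find_shadowed(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Pairs (earlier, later) where an earlier rule with the opposite action
    covers a later rule completely, so the later rule can never fire."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.action != later.action and covers(earlier, later):
                found.append((earlier.name, later.name))
                break
    return found


# Constructed rule set: a broad "make it work" allow was added above the deny.
BAD_RULES = [
    rule("allow-intranet", "allow", "0.0.0.0/0", "10.0.0.0/8", "tcp", (1, 65535)),
    rule("deny-telnet-admin", "deny", "0.0.0.0/0", "10.0.5.0/24", "tcp", (23, 23)),
    rule("deny-all", "deny", "0.0.0.0/0", "0.0.0.0/0"),
]

# Same rules with the specific deny placed first, as intended.
GOOD_RULES = [BAD_RULES[1], BAD_RULES[0], BAD_RULES[2]]


if __name__ == "__main__":
    # Telnet from an outside host to the admin subnet: the bad ordering lets it through.
    print(first_match(BAD_RULES, "203.0.113.9", "10.0.5.20", "tcp", 23))   # ('allow', 'allow-intranet')
    print(find_shadowed(BAD_RULES))                                        # [('allow-intranet', 'deny-telnet-admin')]
    print(first_match(GOOD_RULES, "203.0.113.9", "10.0.5.20", "tcp", 23))  # ('deny', 'deny-telnet-admin')
    print(find_shadowed(GOOD_RULES))                                       # []
```

`find_shadowed` only reports rules that are covered entirely by one earlier rule of the opposite action; partial overlaps between several rules can open the same hole and need a per-packet simulation such as `first_match` over the traffic you care about.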
"SPF is like an air gap or roach motel -- you can go through it one way but you can't come back," Keeley said. "Basically that makes your system spoof proof by trapping hackers who come into your system riding on somebody else's IP connection pretending to be them."
While Sun believes "strongly" in the basic Internet security technology SSL, "SSL should never be used between a client device and an application server", Keeley cautioned.
"The moment you do that, you create the superhighway tunnel for someone to go inside and wreak damage.
"SSL should be used as a secure method of communications between the client and the firewall complex. In terms of messaging, everything beyond the firewall should be handled using other techniques."