Is the firewall obsolete? Probably not, but current implementations were never designed to cope with the threats posed by Webmail, various social networking tools, and even popular corporate collaboration applications like SharePoint and WebEx.
"If all we had to do was block the application, this would be easy. But in many cases, business needs them," says Nir Zuk, CTO of Palo Alto Networks, a network security firm and firewall provider. WebEx, for example, is a great way of leaking data, he says, because it allows presentations along with file and desktop sharing. When files are shared they are not scanned for viruses or leakage.
[ Find out how to block the viruses, worms, and other malware that threaten your business, with hands-on advice from InfoWorld's expert contributors in InfoWorld's "Malware Deep Dive" PDF guide. ]
Even more difficult is the challenge posed by the use of Webmail and social networking tools at work. It's not clear how widely tools like Twitter and Facebook are used in business, but there is a measure of how much traffic on corporate networks is generated by Webmail. And it's more than you think.
Palo Alto Networks monitors traffic on the networks of more than 700 corporate customers, with an aggregate user base of between 1 and 2 million.
In the first six months of this year, Hotmail was used by employees at 90% of the security firm's customers, Yahoo Mail by 88%, and Facebook mail (messaging, actually) by 79%. Facebook's usage per user is less than that of its two rivals, but that's changing: Facebook usage as measured by bandwidth consumption has increased by roughly 15 times since the spring of 2009, according to the survey.
Why is that a problem? "Organizations have built a Maginot Line on port 25 with defenses against malware, spam, and phishing," Zuk says, but none of that affects Webmail.
That's because corporate mail, such as Microsoft Exchange, is routed through the heavily defended port 25, whereas Webmail goes in and out via lightly defended ports 80 or 443, says King. WebEx also uses those ports, as does SharePoint.
While it's true that Webmail providers screen for threats, it's not at all clear how effective that screening actually is. When the volume of Facebook mail spikes, as it surely will, the number of threats hitting those lightly defended ports will soar. Given Facebook's terrible record of data leaks, it's hard to be confident that the company will do a better job of keeping out malware.
There's another business issue as well. Electronic communications of some employees in financial services and medical-related businesses are required by law to be archived for years, and data handled by those users must be secured. As Facebook usage increases at work, IT will have the additional burden of being sure that employees in regulated positions segregate business and personal communications.
That's why network security providers are developing so-called next-generation firewalls designed to do a better job of monitoring traffic. Broadly speaking, a typical firewall sees apps as either something used by the business or a threat. But social networking apps don't fit neatly into either category, which means firewalls need to be much more intelligent to screen for threats while still allowing useful, albeit non-standard, applications to run on the network.
The top underreported tech stories of 2010:
This article, "What you missed: Social media messaging is getting around traditional firewalls," was originally published at InfoWorld.com. Get the latest insights in network security issues and trends at InfoWorld.com.
This story, "What you missed: Social media messaging is getting around traditional firewalls" was originally published by InfoWorld.