In-Depth

Beyond the Firewall

Network security is more important than ever. But network protection must move beyond the firewall. What new tools are on the horizon to help you with your combat strategy?

• By Danielle Ruest and Nelson Ruest
• 05/25/2004

Security. These days, it's the number one subject on everyone's mind. Too often people think they're protected just because they've put in a firewall. But we're learning that firewalls alone are woefully inadequate today. Words like Code Red, Nimda, Slammer, and Netsky have all become part of our common vocabulary. "This tells us that the network can no longer be our sole means of protection," says Steve Riley, product manager with the Microsoft Security Business Unit.

He's right. A year ago, most of us updated virus definition files on a monthly basis, but now we do it on a daily basis. Some thoughtful administrators are also looking to beta definitions for protection because they know that if they don't use them, they'll suffer from an attack. "Today, attacks are aimed at computers and applications," says Riley. "That's why we have to revamp the protection strategies we put in place. Attackers are getting cleverer, and their attacks are becoming more sophisticated. It's time we thought of new ways to defend both systems and information."

Four-Layer Framework
To prove his point, Riley, in today's Tech•Ed session "The Death of the DMZ [demilitarized zone]," takes a step back and draws out the history of network protection strategies to show how we've become so focused on the firewall. He moves on to expound what he calls his four-layer framework for system protection:

• Authenticate everyone.
• Validate always.
• Audit everything.
• Encrypt when needed.

According to Riley, there's no better place to make a security decision than at the resource itself, where the information exists to make that decision. This is the core concept of Microsoft's in-depth defense strategy—a layered defense approach that focuses on hardening each aspect of a network and the systems and applications it contains. But for Riley, we must go even further: "Every computer system in your network should be secured," he says. Microsoft is focusing on this exact strategy in upcoming security releases for Windows Server 2003 and Windows XP.

Security Service Packs
Service Pack 1 for Windows Server 2003 will include a new tool, the Security Configuration Wizard (SCW). SCW is aimed at helping administrators reduce the attack surface of the server operating system and the applications it contains. That's because SCW will let you examine your server configuration and the server roles it contains to suggest ways you can further secure the platform. This is not new. Windows systems since Windows 2000 have included the Security Configuration and Analysis tool to let you do virtually the same thing. What is new is that for the first time, Microsoft is providing a tool that tells you why you should turn off a feature and how to do it.

The same goes for Service Pack 2 for Windows XP. This service pack will include a new Security Center, which combined with a completely revamped Windows Firewall, will help protect every PC running this operating system, even—and especially—home PCs. The firewall client will include a "panic mode" that will automatically lock out any inbound connection when it senses untoward behavior on the network—behavior that could be caused by either a virus or a worm. To unlock the systems, users must configure the client explicitly.

This is not the Security Center's only function. It will also help users ensure their virus signatures are up to date and in sync with critical security updates from the Windows Update Web site. PCs either running the XP Home edition or running in a workgroup will not be able to turn off the Security Center. PCs in a domain will be subject to Group Policy control of both the Windows Firewall and Security Center.

Both service packs, due out at the end of June, will go a long way toward securing Windows systems. There's no doubt that when dealing with security, you have to think outside the box.