Sunday, April 6, 2008

Firewall (2006)

This film garnered a significant amount of criticism in the computer community for its presumed technical inaccuracies, most notably for how Harrison Ford's character used his daughter's iPod to store bank account numbers. However, as Roger Ebert correctly pointed out in his review of the film, "...an iPod can do that -- act as a backup hard drive...."

With a few Google queries, it's easy to figure out that you can connect digital cameras to iPods and use them to store images, so it's not much of a stretch to assume that the scanner acted in the same way. Come on people, get a grip.

To that point, I have been finding that critics, like screenwriters, have gotten into a bad habit of assuming that the general public's lack of knowledge somehow negates their responsibility to know how a technology works before they write about it. This was painfully obvious in the criticism of Untraceable, and just as evident in the focus of the criticism of this movie. I'm not saying that this movie isn't flawed, just that the true flaws were overlooked.

The most obvious flaw, from my perspective, shows up about 7 minutes into the film. While too short to be called a technical monologue, the following lines start things off:

"Let's try a rule change on him and see what he does. I'll put in an IPS signature that black holes the pattern...see if that slows him down."

Possibly afraid that Harrison Ford's delivery of the line would not play on its own, the film makers quickly cut to a shot of him typing commands into a computer:

For those of you who don't immediately see the problem, I may need to explain what IPS is.

Intrusion prevention systems, or IPS, are inline intrusion detection systems that monitor traffic looking for specific signatures, or patterns, in network packets and attempt to block attacks. Traditional IDS simply send alerts when they detect patterns, but do not attempt to stop the attack.

The following is an example of an intrusion detection signature, or rule, that detects brute-force logins to a Web application, which is similar to what is described in the dialog:

alert tcp $WEB_SERVERS 80 -> $EXTERNAL_NET any (msg:"WEB AUTH LOGON brute force attempt"; flow:from_server,established; content:"Authentication unsuccessful"; offset:54; nocase; threshold:type threshold, track by_dst, count 5, seconds 60; classtype:suspicious-login; sid:2275; rev:2;)

The first thing that you will notice is that the IDS rule looks nothing like what is being typed into the administrative console. What they show in the film is actually a Cisco ACL (Access Control List) that blocks all traffic from the 172.16.2.0 subnet, not an IPS signature. This would be resilient to false positives, but wouldn't stop an attacker coming from Hong Kong, Korea, and Malaysia.

The other problem, which is not as obvious, is that the traffic that they are showing is unencrypted HTTP. Needless to say, this is not something you want to do when you are running a banking Web site.

An interesting thing about that, however, is that intrusion detection systems are not very effective with encrypted traffic. There are things you can do to make it work, but in real life, brute force login attempts would most likely be tracked and blocked by the Web application, not something that monitors the network.
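To make the rule's threshold semantics concrete, here is an added example (not code from the original post, and not Snort's own code) that applies the same content match and the `threshold:type threshold, track by_dst, count 5, seconds 60` logic to a constructed log of server replies; the log format, the `ThresholdTracker` class and `run_rule` are assumptions made for illustration. It serves both the rule above and the last point: the same check can run inside the Web application, where the decrypted responses are visible.

```python
import re
from datetime import datetime, timedelta

# From the page's rule: threshold:type threshold, track by_dst, count 5, seconds 60
COUNT, SECONDS = 5, 60
CONTENT = "authentication unsuccessful"  # content:"..."; nocase;
# Constructed server->client reply packets (not a real capture):
# "<timestamp> <server>:<port> -> <client>:<port> <payload excerpt>"
SAMPLE_LOG = """\
2008-04-06 10:00:00 203.0.113.7:80 -> 198.51.100.20:51222 Authentication unsuccessful
2008-04-06 10:00:05 203.0.113.7:80 -> 198.51.100.20:51223 AUTHENTICATION UNSUCCESSFUL
2008-04-06 10:00:09 203.0.113.7:80 -> 192.0.2.44:40001 Authentication unsuccessful
2008-04-06 10:00:10 203.0.113.7:80 -> 198.51.100.20:51224 HTTP/1.1 200 OK
2008-04-06 10:00:12 203.0.113.7:80 -> 198.51.100.20:51225 Authentication unsuccessful
2008-04-06 10:00:20 203.0.113.7:80 -> 198.51.100.20:51226 Authentication unsuccessful
2008-04-06 10:00:31 203.0.113.7:80 -> 198.51.100.20:51227 Authentication unsuccessful
2008-04-06 10:01:30 203.0.113.7:80 -> 192.0.2.44:40002 Authentication unsuccessful
"""
LINE_RE = re.compile(r"^(\S+ \S+) (\S+):\d+ -> (\S+):\d+ (.*)$")

class ThresholdTracker:
    """Snort-style 'type threshold': alert on every count-th event per key
    within `seconds`, then restart the count (a port of the documented
    semantics, not Snort's own code)."""
    def __init__(self, count, seconds):
        self.count, self.window = count, timedelta(seconds=seconds)
        self._state = {}  # key -> [window_start, events_in_window]

    def observe(self, ts, key):
        st = self._state.get(key)
        if st is None or ts - st[0] >= self.window:
            st = self._state[key] = [ts, 0]  # new key or expired window
        st[1] += 1
        if st[1] >= self.count:
            st[0], st[1] = ts, 0  # alert, then start a fresh window
            return True
        return False

def run_rule(log=SAMPLE_LOG, count=COUNT, seconds=SECONDS):
    """Return (client, timestamp) pairs at which the rule would alert."""
    tracker, alerts = ThresholdTracker(count, seconds), []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m or CONTENT not in m.group(4).lower():  # content match, nocase
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        # flow:from_server with track by_dst: the reply's destination is the client
        if tracker.observe(ts, client := m.group(3)):
            alerts.append((client, m.group(1)))
    return alerts
```

With the sample log, only 198.51.100.20 reaches five failed logins inside a 60-second window; 192.0.2.44's attempts are spaced too far apart and never alert.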