
My Own Private Thermopylae

Submitted by Anonymous on Wed, 01/24/2007 - 1:27pm.

Gavin Clabaugh, Charles Stewart Mott Foundation

In 480 B.C. some 300 Spartans, led by King Leonidas, managed to delay a hostile force numbered in the tens of thousands, some even say hundreds of thousands. They did this by blocking the pass at Thermopylae - the only road available to Xerxes the Great and his invading Persian forces. The Spartans were eventually defeated, but not before they secured the retreat of the other Greek forces and, thus, laid the foundation for Xerxes' defeat the following year at the Battle of Plataea.

To be honest, there are days when I feel just a little of what Leonidas must have felt - him and the 300 - facing overwhelming odds with only sword and shield. In my case, of course, the weapons are mouse and firewall. For me it's not thousands of Persians. Rather it's a never-ending onslaught of Trojans...and worms, and spyware, and spam - malware of all variety. The price of defeat, while not as deadly, is still dire.

The stand of the 300 is often cited as an example of what can be done with the right equipment, the right training, the right terrain, and most importantly, teamwork. Strange as it may sound, these are things I try to keep in mind when I think about computer and network security. I try to think like Leonidas. I also try to avoid his one, deadly mistake.

Details of the Spartan tactics are somewhat scant, but historians agree that they probably deployed in a formation known as a phalanx, a wall of overlapping shields. The Spartans would line up in rows, shoulder to shoulder, creating a layered defense of shields and prickly spears.

The phalanx design — layered rows of soldiers and shields — provided protection such that if one Spartan fell, another would step in from the row behind to take his place. At Thermopylae, despite the odds, the invaders were no match for the superior armor, weaponry, tactics, training, and discipline of the Greeks.

The lessons — and tactics — of Thermopylae are handy metaphors to keep in mind when designing effective and resilient security. The odds are about the same, too. [You might ask why there were only 300. Apparently, it was a holiday. Everybody else was otherwise occupied, celebrating and such.]

As with the Spartans, it’s not just about having the right equipment; it’s also about how you deploy that equipment and, more importantly, how you educate and train users. If you don’t spend time and thought on all three, you’re sunk. In fact, the first two – equipment and deployment – are pretty simple; it’s the user training that makes all the difference.

First off, the equipment part is easy: get a firewall. If you don’t have one, you’re a fool. Stop reading and go buy one. Now. When I say firewall, I mean a real firewall too, not just a NAT router. There are hundreds of choices – open source and commercial.

For small and medium sized organizations, I personally like Astaro and Sonicwall. For the SOHO-sized entity, I like Linksys – you get the benefits of their parent company (Cisco) without the pricing. I actually have two at home (as you will see, I like layers). Get one that is smart enough to hide itself: it should silently drop unsolicited inbound packets rather than answering them, so a port scan from the outside sees nothing at all. Vendors usually call this stealth mode or some such.

Secondly, think phalanx, think layers of protection. A firewall is not enough. Design your phalanx so that if one measure fails, another is there to take its place. I recommend several layers of virtual Spartans, standing shoulder to shoulder:

  • Perimeter: This includes the firewall as well as anti-spam and anti-virus systems for inbound email. I recommend a strict policy of absolutely no executable file attachments, period. Every message should be scanned before it even hits your email system.
  • Network: Anticipate problems and balkanize your network and your file storage systems. That way if you do have a security breach of some sort, it can only go so far. Isolate files, users, and applications by function. Limit what an infected machine can do by blocking outbound (LAN to WAN) traffic for protocols your users don’t need: for example, only your mail server should be allowed to speak SMTP to the Internet, and POP3 can be blocked entirely if nobody needs it. A desktop trying to talk on port 25 is a pretty reliable sign of a spam bot.
  • Wireless: Secure your wireless network. If you’re still running WEP encryption, buy a new WAP that supports WPA2. Better yet, if you have guest users, buy two and set up a private, isolated wireless guest network that can reach the Internet but not your LAN. With some creative network design and a couple of routers, it’s easy enough to set up two private IP networks running off one connection to the Internet. Be safe and accommodating at the same time!
  • Email: If you’re running an internal email system like Notes, GroupWise, Exchange, or even POP3, have active anti-virus email filtering, outbreak monitoring, and control systems.
  • Servers: Servers should have active anti-virus systems scanning all file activity. I recommend centrally managed systems so that you’re not made totally insane trying to keep things up to date.
  • Desktops: All desktops should have active anti-virus and anti-spam systems. If you use Internet Explorer, upgrade to IE7 and lock it down tight. Better yet, use Firefox. With Windows, use Defender (it’s free).
  • Laptops: Beware of the innocent laptop. This is by far the most dangerous device on your network. As a vector for infection, it’s worse than a ten-year-old. Laptops should not only have anti-virus and anti-spam, but also their own personal firewalls. All wireless traffic should be via VPN connections – especially from hotels and public hotspots. Wash your hands often.
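As an added example, not part of the original post, here is what the Perimeter, Network and Wireless rows of that phalanx look like on a small Linux router, written as a script that generates an iptables-restore ruleset. The interface names (eth0 WAN, eth1 LAN, eth2 guest wireless), the address ranges and the mail server at 192.168.10.25 are all assumptions made up for the example; override them through the environment for a real network.

```shell
#!/bin/sh
# Added example: generates an iptables-restore ruleset for a small office
# router. Everything below is assumed for illustration, not taken from the
# post: eth0 = WAN uplink, eth1 = wired LAN, eth2 = isolated guest wireless,
# 192.168.10.25 = the internal mail server.
WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
GUEST_IF=${GUEST_IF:-eth2}
LAN_NET=${LAN_NET:-192.168.10.0/24}
GUEST_NET=${GUEST_NET:-192.168.20.0/24}
MAIL_SERVER=${MAIL_SERVER:-192.168.10.25}

# Print the ruleset. Nothing is applied unless the caller pipes it into
# iptables-restore (see the usage block at the bottom).
gen_rules() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Stealth: unsolicited packets from the WAN are silently dropped, never
# rejected, so a port scan gets no answer at all.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT
# Guests may use the router for DHCP and DNS only, not for management.
-A INPUT -i $GUEST_IF -p udp --dport 67 -j ACCEPT
-A INPUT -i $GUEST_IF -p udp --dport 53 -j ACCEPT
-A INPUT -i $WAN_IF -j DROP
# Return traffic for connections the inside initiated.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Egress filtering: only the mail server may talk SMTP to the Internet.
# A desktop hitting port 25 is almost always a spam bot, so log it before
# rejecting; REJECT rather than DROP here so the internal host fails fast.
-A FORWARD -i $LAN_IF -s $MAIL_SERVER -o $WAN_IF -p tcp --dport 25 -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -p tcp --dport 25 -j LOG --log-prefix "SMTP-EGRESS-BLOCK: "
-A FORWARD -i $LAN_IF -o $WAN_IF -p tcp --dport 25 -j REJECT --reject-with tcp-reset
# Nobody on the LAN needs to pull POP3 from outside; block it outright.
-A FORWARD -i $LAN_IF -o $WAN_IF -p tcp --dport 110 -j REJECT --reject-with tcp-reset
-A FORWARD -i $LAN_IF -s $LAN_NET -o $WAN_IF -j ACCEPT
# Balkanize: the guest wireless segment reaches the Internet, never the
# LAN, and the LAN cannot reach guest laptops either.
-A FORWARD -i $GUEST_IF -o $LAN_IF -j DROP
-A FORWARD -i $LAN_IF -o $GUEST_IF -j DROP
-A FORWARD -i $GUEST_IF -s $GUEST_NET -o $WAN_IF -p tcp -m multiport --dports 80,443 -j ACCEPT
-A FORWARD -i $GUEST_IF -s $GUEST_NET -o $WAN_IF -p udp --dport 53 -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}

# allowed_smtp_sources: list every source permitted to send SMTP to the WAN.
# A quick audit of the egress policy before loading it; the answer should be
# the mail server and nothing else.
allowed_smtp_sources() {
    gen_rules | awk '/^-A FORWARD/ && /--dport 25 -j ACCEPT/ {
        for (i = 1; i <= NF; i++) if ($i == "-s") print $(i + 1) }'
}

# Usage:  sh phalanx.sh          prints the ruleset for review
#         sh phalanx.sh apply    loads it (needs root)
if [ "$1" = "apply" ]; then
    gen_rules | iptables-restore
else
    gen_rules
fi
```

Run it without arguments first and read the output; `allowed_smtp_sources` should print only the mail server. Once the rules are loaded, any "SMTP-EGRESS-BLOCK" line in the kernel log names a desktop that is trying to send mail on its own, which is exactly the infected laptop the next section worries about.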

Everything above is all for naught without user education. Here’s the true secret of the Spartans: without teamwork they would have failed instantly.

In the end the stand of the 300 came a cropper because they were betrayed. A local resident named Ephialtes revealed a secret mountain path to the Persians that led behind the Greek lines. The weakness of the phalanx is that it can be easily flanked. So too, network security can be flanked by someone - innocently or not - going around all your best laid plans. Without partnership and without education, everyone is a potential Ephialtes.

Ironically as the Internet gets more and more dangerous, that partnership is getting easier. With the proliferation of home broadband, describing an infected PC is no longer quite the intellectual exercise it used to be. Disgruntled victims of, for example “Cool Web Search”, are probably eager students, if only for personal reasons. Since the odds have it that at least half of your users’ home PCs are suffering some sort of malware infection, the recruits may be more willing than you think. Your job is to win them over to your side, to explain the reasons and the risks, to recruit them into the phalanx.

Unlike the Spartans, your risks are more likely innocent ignorance than deliberate betrayal. The vectors are many, and include anyone from those handicapped by executive status who don’t understand the technology to the well-meaning visitor with an infected laptop, as well as useful yet potentially dangerous software programs that provide paths around the firewall (like IM and Skype). Nevertheless, in the end there is no defense except teamwork. And teamwork demands partnership and education. Your job is to build those partnerships, to structure a defense that places a high priority on education and understanding. The last thing you want to hear is, “It’s all Greek to me.”



Submitted by Gavin (not verified) on Fri, 01/26/2007 - 5:33am.

Ahh..., humm... but if I'd used Actium, I would have just had to make puns about getting bitten by an asp -- the risks were just too great.


Submitted by Jason Z (not verified) on Thu, 01/25/2007 - 11:27am.

Classical battlefields meet nonprofit tech! Or is that graphic novel movie tie-ins meet nptech?