The most common undetected ways of moving data to and from networks are through instant messaging software and portable USB drives, says Microsoft's Steve Riley.
IM traffic can be monitored by the firewall, and system administrators can create a group policy denying access to the appropriate DLL to prevent the use of USB storage devices.
IT managers should realise that people use these methods because they are handy and simple, and controlling them won't be popular.
"You're going to have a lot of pissed-off users when you do this," Riley says.
Riley, a product manager in Microsoft's security business unit, last week presented a session on network security to audiences in New Zealand. In Auckland he told the audience that future Windows systems will stress security on individual machines and not rely on the security of the local network.
"There are as many ways in and out of your network as there are connected devices," Riley told an Auckland audience last week. "I believe that this notion of a network perimeter has ceased to exist."
Administrators need to practise "defence in depth", Riley says. Firewalls alone aren't enough to protect a network; instead, he suggests layers of protection, including encrypting traffic on the internal network. Rather than relying on a network perimeter, each machine should have its own perimeter, he says.
Riley lists six steps to securing the local environment: establishing mutual authentication, segmenting the network, encrypting network communications, blocking communication ports by default, controlling access to network devices and signing network packets.
Firewalls are often configured to allow all outbound communications, but Riley says that's too liberal. Once attackers have control of a machine, they will typically download more attack tools using a protocol such as trivial ftp (tftp), which is less likely to be noticed by an administrator, he says.
"Attackers need to only find one place to attack. As defenders, you need to protect them all. Who has the harder job?" he asks.
"You need to allow an outbound default deny, and then you allow only [outgoing traffic] your business needs."
Closing off outbound connections has the useful side-effect of discovering just how the network is being used, he says. "When you do that you will get some interesting phone calls."
Although firewalls do provide a level of protection, they can't protect against all attacks, Riley says. Software can use common network ports such as port 80 - which is intended for web traffic but can be described, Riley says, as the "Universal Firewall Bypass Port" - and firewalls can be misconfigured or defeated by a disgruntled user or an attacker exploiting a weak password, for example. "Firewalls will not protect against the stupid," Riley says.
Rather than just allowing traffic on certain ports, modern firewalls will examine the traffic before allowing it to access the internal network. Riley warns against allowing encrypted traffic to pass through the firewall without examination. A web proxy on the firewall should examine secure HTTP requests, for example, and then make its own secure connection to the web server. Similarly, VPN connections should be made to the firewall, rather than tunnelled to a VPN server in the local network.
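The two firewall points above, outbound default deny with a business allowlist and not trusting a port number alone to identify the protocol, can be shown together in a small egress policy checker. The following Python is an added example written for this article, not code from Riley's session or from Microsoft; the allowlist contents, the flow records and the sample traffic are all constructed for illustration.

```python
"""Egress policy checker: outbound default deny with a business allowlist,
plus a payload check so that port 80 only carries real HTTP rather than
serving as a 'universal firewall bypass port'. Constructed example."""

import re
from collections import Counter
from dataclasses import dataclass

# (protocol, destination port) pairs the business has decided it needs.
# Anything not listed here is denied: this is the "outbound default deny".
# The set is an assumption for the example, not a recommended baseline.
ALLOWED_EGRESS = {
    ("tcp", 80),    # web
    ("tcp", 443),   # TLS web
    ("udp", 53),    # DNS
    ("tcp", 25),    # outbound mail
}

# An HTTP/1.x request line: METHOD SP request-target SP HTTP/1.x CRLF.
HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n"
)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes  # first client-to-server bytes seen on the connection


@dataclass(frozen=True)
class Verdict:
    flow: Flow
    action: str   # "allow" or "deny"
    reason: str


def evaluate(flow: Flow) -> Verdict:
    """Apply default deny, then inspect what is allowed by port."""
    key = (flow.proto.lower(), flow.dport)
    if key not in ALLOWED_EGRESS:
        return Verdict(flow, "deny", f"{key[0]}/{key[1]} not in egress allowlist")
    # Port 80 being open does not mean anything on port 80 may leave: the
    # payload must actually look like HTTP, or the flow is denied.
    if key == ("tcp", 80) and not HTTP_REQUEST_LINE.match(flow.payload):
        return Verdict(flow, "deny", "non-HTTP payload on tcp/80")
    return Verdict(flow, "allow", "matches egress allowlist")


def audit(flows):
    return [evaluate(f) for f in flows]


def summarize_denied(verdicts):
    """Count denied flows by (proto, port): the report that tells an
    administrator how the network was actually being used before the
    default deny went in."""
    return Counter(
        (v.flow.proto.lower(), v.flow.dport) for v in verdicts if v.action == "deny"
    )


# Constructed sample traffic (addresses are documentation ranges).
SAMPLE_FLOWS = [
    Flow("10.0.0.12", "203.0.113.10", "tcp", 80,
         b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n"),
    Flow("10.0.0.12", "203.0.113.10", "tcp", 443, b"\x16\x03\x01\x00\xa5\x01"),
    Flow("10.0.0.12", "10.0.0.2", "udp", 53, b"\x12\x34\x01\x00\x00\x01"),
    # A tftp read request for a binary: the kind of tool download the
    # article says is easy to miss when all outbound traffic is allowed.
    Flow("10.0.0.77", "198.51.100.5", "udp", 69, b"\x00\x01tools.exe\x00octet\x00"),
    # TLS record header on port 80: something tunnelling through "web".
    Flow("10.0.0.77", "198.51.100.5", "tcp", 80, b"\x16\x03\x01\x00\xa5\x01"),
    # An IM client on its own port (constructed payload).
    Flow("10.0.0.33", "198.51.100.9", "tcp", 5190, b"*\x01\x00\x00\x00\x04"),
]

if __name__ == "__main__":
    verdicts = audit(SAMPLE_FLOWS)
    for v in verdicts:
        print(f"{v.action:5} {v.flow.src} -> {v.flow.dst} "
              f"{v.flow.proto}/{v.flow.dport}: {v.reason}")
    print("denied by service:", dict(summarize_denied(verdicts)))
```

Running the block prints one verdict per flow and then the per-service count of denials; in a real deployment that summary is the list of "interesting phone calls" to expect, since each denied service is either something to add to the allowlist or something that should never have been leaving the network.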
Security-related changes in service pack 2 for Windows XP, which is expected later this year, will help administrators secure communications in local networks, Riley says. The internet connection firewall (ICF) which is built in to XP will now be enabled by default and will require administrators to specifically allow unusual traffic.
"ICF is a valuable and critical component of any security you might run," Riley says. "The problem with ICF is that it wasn't turned on and it was hard to find."