A preoccupation with firewalls for information security is dangerous because it can divert attention and resources away from locking systems down, according to a U.S.-based security researcher.

Computer security researcher at the San Diego Supercomputing Center (SDSC), Abe Singer said companies can spend 90 percent of their security efforts on firewalls and not much of anything else.

"I"m not saying firewalls are completely irrelevant, but how much effort do you spend on security?" Singer asked. "Do security at the host, not just the perimeter. You should be worried about what users are doing, because if an attacker is going through the perimeter [without secure hosts] then it"s game over."

In Australia to speak at the Australian Unix and open systems user group (AUUG) security seminars this month, Singer prides himself on the claim that the SDSC has gone four years without a root-level intrusion to its systems - without using a firewall. He believes this is as good as an organization relying on a firewall.

"At the SDSC we don"t use a firewall, it"s not feasible," he said. "Since we have to secure hosts individually if we had a firewall it would be so open it would be useless."

Singer said there is a perception that a firewall is a must-have. He cited Visa"s server requirements for online merchants which stated they must have a firewall, but did not specify any configuration details.

"Too much of the security budget is being spent on firewalls which also get too much attention [and] it"s also "cool" to have a new firewall to play with," he said, adding that other appliances like intrusion detection and prevention systems are an extension of the same idea.

"People are attracted to the idea that security can be bought [and] it"s hard to differentiate between marketing hype and reality," he said. "We have a known "good" config and when we find something is bad it"s consistently fixed."

Singer is adamant that intrusion will not be stopped by a firewall and attackers have used Trojan SSH (secure shell) clients to steal user names and passwords.

Other practices Singer recommends include not running services you don"t need, for example, services that are only required internally don"t need to be external.

"You really need to think through your processes [and] relying on a firewall means you"re probably doing security wrong," he said. "Surveys have shown that 60 percent of security breaches are internal but 70 percent of people are worried about hackers on the outside. Internal breaches are worse, because someone has a level of access and knows where the assets are. If an attacker was really looking at compromising a company"s assets he or she would get a job in the mail room."