Dude, maybe if we put bras on our heads and chant incoherently we can connect directly to the Internet...
Somebody just pushed my grumpy button! I'm all about making friends and influencing people, but the following article titled "You Wouldn't Actually Turn Off Your Firewall, Would You?" is simply a steaming heap of unqualified sensationalism, plain and simple.
It doesn't really deserve my attention but the FUD it attempts to promulgate is nothing short of Guinness material and I'm wound up because my second Jiu Jitsu class of the week isn't until tomorrow night and I've got a hankering for an arm-bar.
Larry Seltzer from eWeek decided to pen an opinion piece which attempts for no good reason to collapse two of my favorite topics into a single discussion: de-perimeterization (don't moan!) and virtualization.
What one really has to do directly with the other within the context of this discussion, I don't rightly understand, but it makes for good drama I suppose.
Larry starts off with a question we answered in this very blog (here, here, here and here) weeks ago:
Opinion: I'm unclear on what deperimeterization means. But if it means putting company systems directly on the Internet then it's a big mistake.
OK, that's a sort of a strange way to state an opinion and hinge an article, Larry. Why don't you go to the source provided by those who coined the term, here. Once you're done there, you can read the various clarifications and debates above.
But before we start, allow me to just point out that almost every single remote salesperson who has a laptop that sits in a Starbucks or stays in a hotel is often connected "...directly on the Internet." Oh, but wait, they're sitting behind some sort of NAT gateway broadband-connected super firewall, ya? Certainly the defenses at Joe's Java shack must be as stringent as a corporate firewall, right? <snore>
For weeks now I've been thinking on and off about "deperimeterization," a term that has been used in a variety of ways for years. Some analyst talk got it in the news recently.
So you've been thinking about this for weeks and don't mention if you've spoken to anyone from the Jericho Forum (it's quite obvious you haven't read their 10 commandments) or anyone mentioned in the article save for a couple of analysts who decided to use a buzzword to get some press? Slow news day, huh?
At least the goal of deperimeterization is to enhance security. That I can respect. The abstract point seems to be to identify the resources worth protecting and to protect them. "Resources" is defined very, very broadly.
The overreacting approach to this goal is to say that the network firewall doesn't fit into it. Why not just put systems on the Internet directly and protect the resources on them that are worthy of protection with appropriate measures?
Certainly the network firewall fits into it. Stateful inspection firewalls are, for the most part today, nothing more than sieves that filter out the big chunks. They serve that purpose very nicely. They allow port 80 and port 443 traffic through unimpeded. Sweet. That's value.
Even the inventors of stateful inspection will tell you so (enter Shlomo Kramer and Nir Zuk). Most "firewalls" (in the purest definition) don't do much more than stateful ACLs do today and are supplemented with IDSs, IPSs, Web Application Firewalls, Proxies, URL Filters, Anti-Virus, Anti-Spam, Anti-Malware and DDoS controls for that very reason.
Yup, the firewall is just swell, Larry. Sigh.
I hope I'm not misreading the approach, but that's what I got out of our news article: "BP has taken some 18,000 of its 85,000 laptops off its LAN and allowed them to connect directly to the Internet, [Forrester Research analysts Robert Whiteley and Natalie Lambert] said." This is incredible, if true.
Not for nothing, but rather than depend on a "couple of analysts," did you think to contact someone from BP and ask them what they meant instead of speculating and deriding the effort before you condemned it? Obviously not:
What does it mean? Perhaps it just means that they can connect to the VPN through a regular ISP connection? That wouldn't be news. On the other hand, what else can it mean? Whiteley and Lambert seem to view deperimeterization as a means to improve performance and lower cost. If you need to protect the data on a notebook computer they say you should do it with encryption and "data access controls." This is the philosophy in the 2001 article in which the term was coined.
Honestly, who in Sam Hill cares what "Whiteley and Lambert" seem to view deperimeterization as? They didn't coin the term, they butchered its true intent, and you still don't apparently know how to answer your own question.
Further, you also reference a conceptual document floated back in 2001 ignoring the author's caution that "The actual concept behind the entire paper never really flew, but you may find that too thought provoking." Onward.
But of course you can't just put a system on Comcast and have it access corporate resources. VPNs aren't just about security, they connect a remote client into the corporate network. So unless everyone in the corporation has a subnet mask of 0.0.0.0 there needs to be some network management going on.
Firstly, nobody said that network management should be avoided, where the heck did you get that!?
Secondly, if you don't have firewalls in the way, sure you can -- but that would be cheating the point of the debate. So we won't go there. Yet. OK, I lied, here we go.
Thirdly, if you look at what you will get with, say, Vista and Longhorn, that's exactly what you'll be able to do. You can simply connect to the Internet and using encryption and mutual authentication, gain access to internal corporate resources without the need for a VPN client at all. If you need a practical example, you can read about it here, where I saw it with my own eyes.
Or maybe I'm wrong. Maybe that's what they actually want to do. This certainly sounds like the idea behind the Jericho Forum, the minds behind deperimeterization. This New York Times blog echoes the thoughts.
Maybe...but we're just dreamers. I dare say, Larry, that Bill Cheswick has forgotten more about security than you and I know. It's obvious you've not read much about information assurance or information survivability but are instead content to myopically center on what "is" rather than that which "should be."
Not everyone has this cavalier attitude towards deperimeterization. This article from the British Computer Society seems a lot more conservative in approach. It refers to protecting resources "as if [they were] directly exposed to the Internet." It speaks of using "network segmentation, strict access controls, secure protocols and systems, authentication and encryption at multiple levels."
Cavalier!? What's so cavalier about suggesting that systems ought to be stand-alone defensible in a hostile environment as much as they are behind one of those big, bad $50,000 firewalls!? I bet you money I can put a hardened host on the Internet today without a network firewall in front of it and it will be just as resistant to attack.
But here's the rub: nobody said that to get from point A to point B one would not pragmatically apply host-based hardening and layered security such as (wait for it) a host-based firewall or HIPS. Gasp!
What's the difference between filtering TCP handshakes or blocking based on the 4/5-tuple at the network level versus doing it at the host, when you're only interested in scaling to the performance and commensurate security level of a single host? Except for tens of thousands of dollars? How about nada? (That's Spanish for "Damn this discussion is boring...")
And whilst my point above is in response to your assertions regarding "clients," the same can be said for "servers." If I use encryption and mutual authentication, short of DoS/DDoS, what's the difference?
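To make the two points above concrete, here is an added example (my own construction, not code from the post, from eWeek or from the Jericho Forum): a toy stateful 5-tuple filter in Python. It shows that a stateful filter admits whatever arrives on a permitted port without reading a byte of the payload, and that the verdict logic is identical whether the "protected set" is a subnet behind a network firewall or the single host running its own packet filter. The class and function names (`StatefulFilter`, `decide`, `demo_packets`, `same_decisions`), the packet format and all addresses and ports are constructed for the example.

```python
"""Toy stateful 5-tuple packet filter (constructed example, not a real firewall)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False     # TCP SYN flag
    ack: bool = False     # TCP ACK flag
    payload: bytes = b""  # never inspected by this filter; that is the point


class StatefulFilter:
    """Default-deny stateful filter over the 5-tuple.

    The same logic runs unchanged whether `protected` is a whole subnet
    (a network firewall) or the one address of the host it runs on
    (a host-based firewall).
    """

    def __init__(self, protected_ips, listening_ports):
        self.protected = set(protected_ips)
        self.listening = set(listening_ports)  # e.g. {80, 443}
        self.flows = set()                     # 5-tuples admitted so far

    @staticmethod
    def _flow(p):
        # flow key as seen from the initiating side
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p):
        # key of the flow this packet would be a reply to
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def decide(self, p):
        if p.src in self.protected and p.dst not in self.protected:
            # outbound: the protected side may initiate anything; remember it
            self.flows.add(self._flow(p))
            return "ACCEPT"
        if p.dst not in self.protected:
            return "DROP"      # not addressed to anything we guard
        if self._reverse(p) in self.flows:
            return "ACCEPT"    # reply to a flow we initiated
        if self._flow(p) in self.flows:
            return "ACCEPT"    # continuation of an accepted inbound connection
        if p.proto == "tcp" and p.syn and not p.ack and p.dport in self.listening:
            self.flows.add(self._flow(p))
            return "ACCEPT"    # new connection to a permitted port, payload unseen
        return "DROP"          # everything else: unsolicited


def demo_packets(host="10.0.0.5"):
    # constructed traffic; 203.0.113.x and 198.51.100.x are documentation ranges
    attacker, peer = "203.0.113.7", "198.51.100.9"
    return [
        Packet("tcp", attacker, 40001, host, 22, syn=True),        # unsolicited SYN, closed port
        Packet("tcp", attacker, 40002, host, 443, syn=True),       # unsolicited SYN, listening port
        Packet("tcp", attacker, 40002, host, 443, ack=True,
               payload=b"GET / HTTP/1.1"),                         # data on that flow, never read
        Packet("tcp", host, 51000, peer, 443, syn=True),           # host opens a connection
        Packet("tcp", peer, 443, host, 51000, syn=True, ack=True), # legitimate reply
        Packet("tcp", peer, 443, host, 51001, syn=True, ack=True), # "reply" to a flow never opened
        Packet("udp", attacker, 5555, host, 53),                   # unsolicited UDP
    ]


def run_demo():
    """Verdicts of a host-based instance on the constructed traffic."""
    fw = StatefulFilter({"10.0.0.5"}, {443})
    return [fw.decide(p) for p in demo_packets()]


def same_decisions():
    """A network firewall guarding the subnet and a host firewall guarding
    only 10.0.0.5 reach the same verdicts for traffic involving that host."""
    net = StatefulFilter({"10.0.0.5", "10.0.0.6", "10.0.0.7"}, {443})
    hostfw = StatefulFilter({"10.0.0.5"}, {443})
    pk = demo_packets()
    return [net.decide(p) for p in pk] == [hostfw.decide(p) for p in pk]


if __name__ == "__main__":
    for p, verdict in zip(demo_packets(), run_demo()):
        print(f"{verdict:6} {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}")
    print("network and host filters agree:", same_decisions())
```

Note what the second and third packets show: the SYN to 443 and the data that follows it are both accepted purely on the tuple and the connection state; the `payload` field exists only to make it obvious that nothing in `decide` ever touches it. That is the sieve described above, and it is why the layers listed earlier (IPS, web application firewall, proxy) exist. The `same_decisions` check is the host-versus-network point: the only thing that changes between the two instances is the set of addresses being guarded, not the filtering logic.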
That sounds like a shift in emphasis, moving resources more towards internal protection, but not ditching the perimeter. I might have some gripes with this—it sounds like the Full Employment Act for Security Consultants, for example—but it sounds plausible as a useful strategy.
I can't see how you'd possibly have anything bad to say about this approach, especially when you consider that the folks that make up the Jericho Forum are CISOs of major corporations, not scrappy consultants looking for freelance pen-testing.
When considering the protection of specific resources, Whiteley and Lambert go beyond encryption and data access controls. They talk extensively about "virtualization" as a security mechanism. But their use of the term virtualization sounds like they're really just talking about terminal access. Clearly they're just abusing a hot buzzword. It's true that virtualization can be involved in such setups, but it's hardly necessary for it and arguably adds little value. I wrote a book on Windows Terminal Server back in 2000 and dumb Windows clients with no local state were perfectly possible back then.
So take a crappy point and dip it in chocolate, eh? Now you're again tainting the vision of de-perimeterization and conflating it with the continued ramblings of a "couple of analysts." Nice.
Whiteley and Lambert also talk in this context about how updating in a virtualized environment can be done "natively" and is therefore better. But they must really mean "locally," and this too adds no value, since a non-virtualized Terminal Server has the same advantage.
What is the security value in this? I'm not completely clear on it, since you're only really protecting the terminal, which is a low-cost item. The user still has a profile with settings and data. You could use virtual machines to prevent the user from making permanent changes to their profile, but Windows provides for mandatory (static, unchangeable) profiles already, and has for ages. Someone explain the value of this to me, because I don't get it.
Well, that makes two of us...
And besides, what's it got to do with deperimeterization? The answer is that it's a smokescreen to cover the fact that there are no real answers for protecting corporate resources on a client system exposed directly to the Internet.
Well, I'm glad we cleared that up. Absolutely nothing. As to the smokescreen comment, see above. I triple-dog-dare you. My Linux workstation and Mac are sitting on "the Internet" right now. Since I've accomplished the impossible, perhaps I can bend light for you next?
The reasonable approach is to treat local and perimeter security as a "belt and suspenders" sort of thing, not a zero sum game. Those who tell you that perimeter protections are a failure because there have been breaches are probably just trying to sell you protection at some other layer.
...or they are pointing out to you that you're treating the symptom and not the problem. Again, the Jericho Forum is made up of CISOs of major multinational corporations, not VPs of Marketing from security vendors or analyst firms looking to manufacture soundbites.
Now I have to set a reminder for myself in Outlook for about two years from now to write a column on the emerging trend towards "reperimeterization."
Actually, Larry, set that appointment back a couple of months...it's already been said. De-perimeterization has been called many things already, such as re-perimeterization or radical externalization.
I don't really give much merit to what you choose to call it, but I call it a good idea that should be discussed further and driven forward in consensus such that it can be used as leverage against the software and OS vendors to design and build more secure systems that don't rely on band-aids.
...but hey, I'm just a dreamer.
/Hoff