Welcome to Volume 4, Issue 7 of The Internet Security Conference newsletter, Insight. Insight provides commentaries and educational columns, authored by some of the best minds in the security community.
TISC is about sharing clue. So is this newsletter. We promise to provide something useful each issue. If we don't, flame me. If you like the issue, let us know!
Enjoy, and be safe,
Dave
Today's Column... is a bit of a rant. I am sooo tired of the borderline yellow journalism associated with security. Every incident is overblown, and rarely are the facts relating to incidents adequately reported.
David Piscitello, Core Competence
Server-based virus scanning has recently come under attack. Virus writers have succeeded in slipping malicious code (Oh, no! "hidden viruses") through anti-virus gateways operated by Internet Service Providers and large organizations. One beat writer quotes a reliable source as saying "Users relying on server-based protection... are at risk". The media have previously made a huge fuss over "discoveries" that attackers can evade or bypass firewalls. Discoveries that attackers can overwhelm (DoS) certain network-based intrusion detection systems (NIDSs) and scanners generated comparable Chicken Little responses (yes, Virginia, you can find everything on the Web...).
What are the big deals here? Attackers have been probing networks and firewalking for as long as folks have used firewalls. Can it be that someone really believes that server-based protection is a blanket substitution for client-based A/V? Can it also be that NIDSs are generally understood to be bulletproof security technology, impervious to attacks themselves?
The "big deals" are that, while more people claim to appreciate the importance of security (media included), far too many people have an overly simplistic understanding of what security technologies can and cannot do. Hopelessly afflicted by a "drag and drop" mentality, the popular notion of security is reduced to this: Network Intrusion Detection Systems stop hackers, anti-virus scanners stop viruses, and firewalls block unauthorized traffic. Drag security technology out of the box, drop it in your network, and your worries are over? A severed Ethernet cable and a T1 access circuit victimized by a backhoe accomplish all this and more: are these security technologies?
Certainly not, but these help illustrate a fundamental point. Interrupting service is a form of denial of service that can be mitigated through redundancy and diversity. In simple terms, if you apply what Dr. Bill Hancock calls The Noah Principle (two of everything) to eliminate single points of attack and failure, your network is more resilient to failure.
One of the cold, hard lessons of security is that no single security technology is a silver bullet against attacks. One of many corollaries to this particular lesson is this: when you deploy security technology, attackers will try to learn what it is and does, and will look for a way to circumvent or neutralize it. These are among the bases for two important principles of layered security: (1) create multiple layers of defense around assets, and (2) employ multiple security technologies to protect against the same threats.
The concept of layered security is about as old as network security itself, and it is commonly described in medieval (feudal) nomenclature. In fact, the evolution of secure network perimeters does seem to track the castle evolution, from the timber and earthworks of the Norman motte and bailey to the stone, crenellated and battlemented walls and moats protecting the keep or donjon during and following the reign of Edward I. We attempt to maintain a secure perimeter, a continuous fortification or enceinte continue surrounding our trusted networks. A popular configuration for perimeter security in the early days of custom firewalls was the choke router and bastion host. Clearly, the Normans didn't use packet-filtering routers, but castles were designed with choke points. Access controls configured at the choke router blocked unauthorized inbound traffic from the Internet. The choke allowed traffic to hardened, public servers in a demilitarized zone (DMZ), and forwarded traffic to the bastion host, the granddaddy of today's firewall appliance, which protected the trusted (internal) network.
Server-based protection is an application of the choke. Malware scanners can be employed to process mail and web content for an entire organization, or in the case of a service provider, its entire subscriber base. But no organization should rely exclusively on this single defense. Castle walls evolved from a single fortification to concentric designs. Protection from malicious code can be applied in the same fashion. Servers should run anti-virus software. Every enterprise client, including all laptops and any PC a teleworker might use to access trusted servers via a VPN from a home office, should run AV software. It's not a question of server-based versus client-based anti-virus protection, but how best to complement one with the other.
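The choke-and-concentric-rings design described above, as a constructed illustration added here rather than anything from the column: a first-match packet filter modelled on the choke router, with each DMZ server's own host firewall as a second, narrower ring, so a packet that squeezes through the outer layer can still be stopped by an inner one. Addresses, rules and server roles are assumptions for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    action: str        # "permit" or "deny"
    src: object        # IPv4Network the source must fall in
    dst: object        # IPv4Network the destination must fall in
    dport: int = None  # None matches any destination port

    def matches(self, src, dst, dport):
        return src in self.src and dst in self.dst and self.dport in (None, dport)

@dataclass
class PacketFilter:
    name: str
    rules: list = field(default_factory=list)

    def decide(self, src, dst, dport):
        for rule in self.rules:           # first matching rule wins
            if rule.matches(src, dst, dport):
                return rule.action
        return "deny"                     # implicit deny when nothing matches

# Constructed topology (an assumption for this example, RFC 5737/1918 space).
ANY = ip_network("0.0.0.0/0")
DMZ = ip_network("192.0.2.0/24")          # hardened public servers
WEB = ip_network("192.0.2.10/32")
MAIL = ip_network("192.0.2.25/32")

# Layer 1: the choke router admits only the public services into the DMZ;
# traffic bound for the trusted 10/8 network behind the bastion matches nothing.
CHOKE = PacketFilter("choke router", [Rule("permit", ANY, DMZ, 80),
                                      Rule("permit", ANY, DMZ, 25)])
# Layer 2: each server's own host firewall admits only its own service.
HOST_FW = {
    WEB[0]: PacketFilter("web host firewall", [Rule("permit", ANY, WEB, 80)]),
    MAIL[0]: PacketFilter("mail host firewall", [Rule("permit", ANY, MAIL, 25)]),
}

def check(src, dst, dport):
    """Walk an Internet-sourced packet through every layer on its path and
    report the decision together with the layer that made it."""
    src, dst = ip_address(src), ip_address(dst)
    layers = [CHOKE] + ([HOST_FW[dst]] if dst in HOST_FW else [])
    for layer in layers:
        if layer.decide(src, dst, dport) == "deny":
            return ("deny", layer.name)
    return ("permit", layers[-1].name)
```

Mail-port traffic aimed at the web server passes the choke (it is a DMZ host, port 25) and is only refused by the inner ring; traffic aimed straight at the internal network never gets past the choke.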
Concentric design shouldn't be limited to anti-virus protection. Network intrusion detection can be run at many strategic locations within an organization to provide complementary services. One of several emerging in-line NIDS sensors placed outside an organization's Internet firewall can be used to block attacks, especially distributed denials of service. NIDS sensors, monitoring or in-line, tuned to detect anomalous behavior and inspect application streams, can protect storage networks and server farms. Host intrusion detection on servers and clients alike complements NIDS. Interestingly enough, in their glory days, Edwardian castles had three concentric rings of walls and towers.
This security design can be applied again and again. Use server and personal firewalls to complement Internet and interdepartmental firewalls. Resist the convenience single sign-on offers: apply stronger authentication, use multiple authentication methods, and individualize authorization. Is there really a valid security reason why an authenticated individual should have free rein across every server in an organization?
Personal firewalls may have their detractors, but as teleworking, remote access VPN, and wireless LANs become the norm, they are no longer a luxury or option. In the time of Edward I, an armed entourage protected human assets (lords and ladies). Host anti-virus, VPN adapter, personal firewall, host IDS, and system-level login comprise the entourage for road warriors.
Admittedly, there is an intricate interplay between the adoption and enforcement of more elaborate security designs. Security can't be voluntary and ad hoc; however, centralized policy administration systems that deny remote users access to an organization's servers unless a checklist of approved security software is present can provide enforcement, and several are under development and in trial.
The value proposition of complementary and concentric defenses should be evident. Server-based protection shouldn't be lightly dismissed each time a vulnerability or weakness in such security technology is identified. In fact, our reaction should be quite the contrary: each time a weakness in a security measure is identified, we should take the opportunity to see if complementing defenses and countermeasures exist to protect our assets. I'm not advocating impulsive adoption of redundant security measures without a game plan, but a careful consideration of risk and means of resolution that results in coordinated layers of defense. Perform a risk assessment and adopt defenses and countermeasures to mitigate or reduce risks: for each risk, determine if you need primary, secondary, and even tertiary defenses. From this assessment, you can create a framework against which new security measures can be evaluated for need and effectiveness.
© 2002 - 2006 Core Competence & Mactivity, Inc.