Rational Survivability

So Rich and Rich, the ex-analytic Dynamic Duo, mount poor (ha!) arguments against my posts on the the Jericho Forum.

To quickly recap, it seems that they’re ruffled at Jericho’s suggestion that the way in which we’ve approached securing our assets isn’t working and that instead of focusing on the symptoms by continuing to deploy boxes that don’t ultimately put us in the win column, we should solve the problem instead.

I know, it’s shocking to suggest that we should choose to zig instead of zag.  It should make you uncomfortable.

I’ve picked on Mogull enough today and despite the fact that he’s still stuck on the message marketing instead of the content (despite claiming otherwise,) let’s take a peek at Captain Obvious’ illucidating commentary on the matter:

Let me go on record now. The perimeter is alive and well. It has to
be. It will always be. Not only is the idea that the perimeter is going
away wrong it is not even a desirable direction. The thesis is not even
Utopian, it is dystopian. The Jericho Forum
has attempted to formalize the arguments for de-perimeterization. It is
strange to see a group formed to promulgate a theory. Not a standard,
not a political action campaign, but a theory. Reminds me of the Flat Earth Society.

I’m glad to see that while IDS is dead, that the perimeter is alive and well.  It’s your definition that blows as well as your focus.  As you recall, what I actually said was that the perimeter isn’t going away, it’s multiplying, but the diameter is collapsing.  Now we have hundreds if not thousands of perimeters as we collapse defenses down to the hosts themselves — and with virtualization, down to the VM and beyond.

Threats abound. End points are attacked. Protecting assets is more
and more complicated and more and more expensive. Network security is
hard for the typical end user to understand: all those packets, and
routes, and NAT, and PAT. Much simpler, say the
de-perimeterizationists, to leave the network wide open and protect the
end points, applications, data and users.

It’s an ironic use of the word "open."  Yes, the network should be "open" to allow for the most highest performing, stable, resilient, and reliable plumbing available.  Network intelligence should be provided by service layers and our focus should be on secure operating systems, applications and readily defensible data stores.  You’re damned right we should protect the end points, applications, data and users — that’s the mission of information assurance!

This is what happens when you fling around terms like "risk management" when what you really mean is "mitigating threats and vulnerabilities."  They are NOT the same thing.  Information survivability and assurance are what you mean to say, but what comes our is "buy more kit."

Yeah, well, the reality is that the perimeter is being reinforced
constantly. Dropping those defenses would be like removing the dikes
around Holland. The perimeter is becoming more diverse, yes. When you
start to visualize the perimeter, which must encompass all of an
organization’s assets,one is reminded of the coast of England metaphor.
In taking the measure of that perimeter the length is dependant on the
scale. A view from space predicts a different measurement than a view
from 100 meters or even 1 meter. Coast lines are fractal. So are network perimeters.

"THE perimeter" is not being reinforced, it’s being consolidated as it comes out of firewall refresh cycles, there’s a difference.  You accurately suggest that this is occurring constantly.  The reason for that is because the stuff we have just simply cannot defend our assets appropriately.

Folks like Microsoft understand this — look at Vista and Longhorn.  We’re getting closer to more secure operating systems.

Virtualization is driving the next great equalizer in the security industry and "network security" will become even more irrelevant.

Why don’t the two Richies and the faithful toy-happy squadrons of security lemmings get it instead of desperately struggling to tighten their grasp on the outdated notion of their glorious definition of "THE perimeter."  That was a rhetorical question, by the way.

De-perimeterization (or re-perimeterization) garners panic in those whose gumboots have become mired in the murky swamps of the way things were; they can’t go forward and they can’t go back.  Better to sink in one’s socks than get your feet dirty in the mud by stepping out of your captive clogs, eh?

The threats aren’t the same.  The attackers aren’t the same.  Networks aren’t the same.  The tools, philosophy and techniques we use to secure them can’t afford to be, either.

Finally:

Disclaimer:  I work for a vendor of network perimeter security appliances.
But, keep in mind, I would not be working for a perimeter defense
company if I did not truly believe that the answer lies in protecting
our networks. If I believed otherwise I would work for a
de-perimeterization vendor, if I could find one. 🙂

I can’t even bring myself to address this point.  I’ll let  Dan Weber do it instead.

/Hoff