Archive for the ‘General Rants & Raves’ Category

Security: “Built-in, Overlay or Something More Radical?”

May 10th, 2007 No comments

I was reading Joseph Tardo’s (Nevis Networks) new Illuminations blog and found the topic of his latest post "Built-in, Overlay or Something More Radical?" regarding the possible future of network security quite interesting.

Joseph (may I call you Joseph?) recaps the topic of a research draft from Stanford funded by the "Stanford Clean Slate Design for the Internet" project that discusses an approach to network security called SANE.  The notion of SANE (AKA Ethane) is a policy-driven security services layer that utilizes intelligent centrally-located services to replace many of the underlying functions provided by routers, switches and security products today:

Ethane is a new architecture for enterprise networks which provides a powerful yet simple management model and strong security guarantees.  Ethane allows network managers to define a single, network-wide, fine-grain policy, and then enforces it at every switch.  Ethane policy is defined over human-friendly names (such as "bob", "payroll-server", or "http-proxy") and dictates who can talk to who and in which manner.  For example, a policy rule may specify that all guest users who have not authenticated can only use HTTP and that all of their traffic must traverse a local web proxy.

Ethane has a number of salient properties difficult to achieve with network technologies today.  First, the global security policy is enforced at each switch in a manner that is resistant to spoofing.  Second, all packets on an Ethane network can be attributed back to the sending host and the physical location in which the packet entered the network.  In fact, packets collected in the past can also be attributed to the sending host at the time the packets were sent — a feature that can be used to aid in auditing and forensics.  Finally, all the functionality within Ethane is provided by very simple hardware switches.

The trick behind the Ethane design is that all complex functionality, including routing, naming, policy declaration and security checks are performed by a central controller (rather than in the switches as is done today).  Each flow on the network must first get permission from the controller which verifies that the communication is permissible by the network policy.  If the controller allows a flow, it computes a route for the flow to take, and adds an entry for that flow in each of the switches along the path.

With all complex function subsumed by the controller, switches in Ethane are reduced to managed flow tables whose entries can only be populated by the controller (which it does after each successful permission check).  This allows a very simple design for Ethane switches using only SRAM (no power-hungry TCAMs) and a little bit of logic.

I like many of the concepts here, but I’m really wrestling with the scaling concerns that arise when I forecast the literal bottlenecking of admission/access control proposed therein.

Furthermore, and more importantly, while SANE speaks to being able to define who "Bob" is and what infrastructure makes up the "payroll server," this solution seems to provide no way of enforcing policy based on content in context of the data flowing across it.  Integrating access control with the pseudonymity offered by integrating identity management into policy enforcement is only half the battle.

The security solutions of the future must evolve to divine and control not only vectors of transport but also the content and relative access that the content itself defines dynamically.

I’m going to suggest that by bastardizing one of the Jericho Forum’s commandments for my own selfish use, the network/security layer of the future must ultimately respect and effect disposition of content based upon the following rule (independent of the network/host):

Access to data should be controlled by security attributes of the data itself.

  • Attributes can be held within the data (DRM/Metadata) or could be a separate system.
  • Access / security could be implemented by encryption.
  • Some data may have “public, non-confidential” attributes.
  • Access and access rights have a temporal component. 

 

Deviating somewhat from Jericho’s actual meaning, I am intimating that somehow, somewhere, data must be classified and must self-describe the policies that govern how it is published and consumed; ultimately this security metadata can then be used by the central policy enforcement mechanisms to describe who is allowed to access the data, from where, and where it is allowed to go.
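To make the two ideas concrete, here is an added toy model (it is not code from the Stanford paper, from Nevis or from this blog) of the Ethane control loop quoted above: switches hold nothing but controller-populated flow tables, every new flow is checked against name-based rules, a route is computed and installed per switch, and past flows can be attributed to their sender and ingress switch. It is extended with the data-centric check argued for just above: the destination data carries its own consumer list and expiry, and the controller consults that as well. The topology, host names, rules, data labels and clock values are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Callable, Dict, List, Optional, Set, Tuple

# Constructed sample network (an assumption of this example, not from the paper):
# switch adjacency and the access switch each named host hangs off.
TOPOLOGY: Dict[str, List[str]] = {"sw1": ["sw2"], "sw2": ["sw1", "sw3"], "sw3": ["sw2"]}
HOST_SWITCH = {"bob": "sw1", "guest-7": "sw1", "http-proxy": "sw2", "payroll-server": "sw3"}
AUTHENTICATED: Set[str] = {"bob"}           # guest-7 has not authenticated
SAMPLE_NOW = datetime(2007, 5, 10)          # constructed clock values for the demo
AFTER_EXPIRY = datetime(2008, 1, 1)

@dataclass(frozen=True)
class Flow:
    src: str      # sender and destination are human-friendly names, as in Ethane
    dst: str
    proto: str    # "http", "https", "ssh", ...

@dataclass
class Switch:
    """An Ethane switch is just a flow table that only the controller may fill."""
    name: str
    flow_table: Dict[Flow, str] = field(default_factory=dict)  # flow -> next hop

    def forward(self, flow: Flow) -> Optional[str]:
        # No entry: the switch cannot decide by itself; the flow goes to the controller.
        return self.flow_table.get(flow)

# A network-policy rule answers True (permit), False (deny) or None (no opinion).
Rule = Callable[[Flow], Optional[bool]]

def guest_http_only(flow: Flow) -> Optional[bool]:
    """Unauthenticated guests may only use HTTP, and only via the local web proxy."""
    if flow.src.startswith("guest-") and flow.src not in AUTHENTICATED:
        return flow.proto == "http" and flow.dst == "http-proxy"
    return None

def payroll_https_only(flow: Flow) -> Optional[bool]:
    """Anything to the payroll server must be HTTPS."""
    return flow.proto == "https" if flow.dst == "payroll-server" else None

# Hypothetical data-centric attributes in the Jericho sense (constructed): who may
# consume the data and until when, held beside the data rather than in the network.
DATA_ATTRIBUTES = {"payroll-server": {"classification": "confidential",
                                      "consumers": {"bob"},
                                      "valid_until": datetime(2007, 12, 31)}}

def data_permits(flow: Flow, now: datetime) -> bool:
    attrs = DATA_ATTRIBUTES.get(flow.dst)
    if attrs is None:                        # unlabelled data is treated as public
        return True
    return flow.src in attrs["consumers"] and now <= attrs["valid_until"]

class Controller:
    def __init__(self, rules: List[Rule], switches: Dict[str, Switch]):
        self.rules, self.switches = rules, switches
        self.flow_log: List[Tuple[datetime, Flow, str]] = []   # (when, flow, ingress)

    def route(self, start: str, goal: str) -> List[str]:
        """Shortest switch path over TOPOLOGY (breadth-first search)."""
        prev: Dict[str, Optional[str]] = {start: None}
        queue = [start]
        while queue and goal not in prev:
            node = queue.pop(0)
            for nxt in TOPOLOGY[node]:
                if nxt not in prev:
                    prev[nxt] = node
                    queue.append(nxt)
        path, node = [], goal
        while node is not None:
            path.append(node)
            node = prev[node]
        return path[::-1]

    def admit(self, flow: Flow, now: datetime) -> Optional[List[str]]:
        """Permission check for a new flow (default deny: some rule must permit, none
        may deny, and the data's attributes must allow this consumer now). On success
        the controller computes the route and installs one entry per switch on it."""
        verdicts = [rule(flow) for rule in self.rules]
        if False in verdicts or True not in verdicts or not data_permits(flow, now):
            return None
        path = self.route(HOST_SWITCH[flow.src], HOST_SWITCH[flow.dst])
        for here, nxt in zip(path, path[1:] + [flow.dst]):
            self.switches[here].flow_table[flow] = nxt
        self.flow_log.append((now, flow, path[0]))          # kept for attribution
        return path

    def attribute(self, flow: Flow) -> Optional[Tuple[str, str]]:
        """Attribute a flow seen in the past to its sender and ingress switch."""
        for _, logged, ingress in self.flow_log:
            if logged == flow:
                return logged.src, ingress
        return None

def build_controller() -> Controller:
    return Controller([guest_http_only, payroll_https_only],
                      {name: Switch(name) for name in TOPOLOGY})
```

Note that the unauthenticated guest is refused before any route exists, and that Bob's otherwise-permitted payroll flow is refused once the data's own validity window has passed, which is the temporal component the Jericho rule asks for.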

…Back to the topic at hand, SANE:

As Joseph alluded, SANE would require replacing (or not using much of the functionality of) currently-deployed routers, switches and security kit.  I’ll let your imagination address the obvious challenges with this design.

Without delving deeply, I’ll use Joseph’s categorization of “interesting-but-impractical.”

/Hoff

The Last Word on Schneier’s “Why Security Shouldn’t Matter” Post…

May 10th, 2007 No comments

All this brouhaha over Schneier’s commentary in Wired regarding the existence of and need for IT Security is addressed brilliantly by Paul McNamara here.  Read it and let Bruce get back to posting about bombs, the government and giant squids, won’t you?

Anyone else who took the bait (as Bruce designed, obviously) and actually attempted to argue against what was admittedly an unarguably circuitous and rhetorical set of disjointed constructs paid service and tribute to the process as designed.  There’s one born every minute.  Yes, this is a candidate for the "Captain Obvious Award" and Bruce is no dummy, but obviously some of us who read this stuff and treat everything as a literal next-action need to chill.

Obviously Bruce has made a career from IT Security — and he recently sold his company to another that hopes to do the same, so accept the piece for what it is: a provocation to challenge the status quo and improve Technorati ratings 😉

This piece was meant to agitate us, as was Art Coviello’s address at RSA wherein he stated that the security industry will cease to exist in 3 years.

Thinking about this stuff is good for business — in all senses.

/Hoff


Clean Pipes – Less Sewerage or More Potable Water?

May 6th, 2007 2 comments

Jeff Bardin over on the CSO blog pitched an interesting stake in the ground when he posited "Connectivity As A Utility: Where are My Clean Pipes?"

Specifically, Jeff expects that his (corporate?) Internet service functions in the same manner as his telephone service via something similar to a "do not call list."  Basically, he opts out by placing himself on the no-call list and telemarketers cease to call. Others might liken it to turning on a tap and getting clean, potable water; you pay for a utility and expect it to be usable.  All of it.

Many telecommunications providers want to charge you for having clean pipes, deploying a suite of DDoS services that you have to buy to enhance your security posture.  Protection of last mile bandwidth is very key to network availability as well as confidentiality and integrity. If I am subscribing for a full T1, shouldn’t I get the full T1 as part of the price and not just a segment of the T1? Why do I have to pay for the spam, probes, scans, and malicious activity that my telecommunications service provider should prevent at 3 miles out versus my having to subscribe to another service to attain clean pipes at my doorstep?

I think that most people would agree with the concept of clean pipes in principle.  I can’t think of any other utility where the service levels delivered are taken with such a lackadaisical best effort approach and where the consumer can almost always expect that some amount (if not the majority) of the utility is unusable. 

Over the last year, I’ve met with many of the largest ISPs, MSSPs, telcos and mobile operators on the planet and all are in some phase of deploying some sort of clean pipes variant.  Gartner even predicts a large amount of security to move "into the cloud."

In terms of adoption, EMEA is leaps and bounds ahead of the US and APAC in these sorts of services and will continue to be.  The relative oligopolies associated with smaller nation states allows for much more agile and flexible service definition and roll-outs — no less complex, mind you.  It’s incredible to see just how disparate and divergent the gap is between what consumers (SME/SMB/Mobile as well as large enterprise) are offered in EMEA as opposed to the good-ol’ U S of A.

However, the stark reality is that the implementation of clean pipes by your service provider(s) comes down to a balance of two issues: efficacy and economics, with each varying dramatically with the market being served; the large enterprise’s expectations and requirements look very, very different from the SME/SMB.

Let’s take a look at both of these elements.

ECONOMICS

If you ask most service providers about so-called clean pipes up to a year ago, you could expect to get an answer that was based upon a "selfish" initiative aimed at stopping wasteful bandwidth usage upstream in the service provider’s network, not really protecting the consumer. 

The main focus here is really on DDoS and viri/worm propagation.  Today, the closest you’ll come to "clean pipes" is usually some combination of the following services deployed both (still) at the customer premises as well as somewhere upstream:

  • DoS/DDoS
  • Anti-Virus
  • Anti-Spam
  • URL Filtering/Parental Controls
  • Managed Firewall/IDS/IPS

What is interesting about these services is that they basically define the same functions you can now get in those small little UTM boxes that consolidate security functionality at the "perimeter."  The capital cost of these devices and the operational levies associated with their upkeep are pretty close in the SME/SMB and when you balance what you get in "good enough" services for this market as well as the overall availability of these "in the cloud" offerings, UTM makes more sense for many in the near term.

For the large enterprise, the story is different.  Outsourcing some level of security to an MSSP (or perhaps even the entire operation) or moving some amount upstream is a matter of core competence: letting internal teams focus on the things that matter most while the low hanging fruit is filtered out and monitored by someone else.  I describe that as filtering out the lumps.  Some enormous companies have outsourced not only their security functions but their entire IT operations and data center assets in this manner.  It’s not pretty, but it works.

I’m not sure they are any more secure than they were before, however.  The risk simply was transferred whilst the tolerance/appetite for it didn’t change at all.  Puzzling.

Is it really wrong to think that companies (you’ll notice I said companies, not "people" in the general sense) should pay for clean pipes?  I don’t think it is.  The reality is that for non-commercial subscribers such as home users, broadband or mobile users, some amount of bandwidth hygiene should be free — the potable water approach.

I think, however, that should a company which expects elevated service levels and commensurate guarantees of such, want more secure connectivity, they can expect to ante up.  Why?  Because the investment required to deliver this sort of service costs a LOT of money — both to spin up and to instantiate over time.  You’re going to have to pay for that somewhere.

I very much like Jeff’s statistics:

We stop on average for our organization nearly 600 million malicious emails per year at our doorstep averaging 2.8 gigabytes of garbage per day. You add it up and we are looking at nearly a terabyte of malicious email we have to stop. Now add in probes and scans against HTTP and HTTPS sites and the number continues to skyrocket.

Again, even though Jeff’s organization isn’t small by any means, the stuff he’s complaining about here is really the low-hanging fruit.  It doesn’t make a dent in the targeted, malicious and financially-impacting security threats that really demand a level of service no service provider will be able to deliver without a huge cost premium.

I won’t bore you with the details, but the level of high-availability, resilience, performance, manageability, and provisioning required to deliver even this sort of service is enormous.  Most vendors simply can’t do it and most service providers are slow to invest in proprietary solutions that won’t scale economically with the operational models in place.

Interestingly, vendors such as McAfee even as recently as 2005 announced with much fanfare that they were going to deliver technology, services and a united consortium of participating service providers with the following lofty clean pipe goals (besides selling more product, that is):

The initiative is one part of a major product and services push from McAfee, which is developing its next generation of carrier-grade security appliances and ramping up its enterprise security offerings with NAC and secure content management product releases planned for the first half of next year, said Vatsal Sonecha, vice president of market development and strategic alliances at McAfee, in Santa Clara, Calif.

Clean Pipes will be a major expansion of McAfee’s managed services offerings. The company will sell managed intrusion prevention; secure content management; vulnerability management; malware protection, including anti-virus, anti-spam and anti-spyware services; and mobile device security, Sonecha said.

McAfee is working with Cable and Wireless PLC, British Telecommunications PLC (British Telecom), Telefónica SA and China Network Communications (China Netcom) to tailor its offerings through an invitation-only group it calls the Clean Pipes Consortium.

http://www.eweek.com/article2/0,1895,1855188,00.asp

Look at all those services!  What have they delivered as a service in the cloud or clean pipes?  Nada. 

The chassis-based products which were to deliver these services never materialized and neither did the services.  Why?  Because it’s really damned hard to do correctly.  Just ask Inkra, Nexi, CoSine, etc.  Or you can ask me.  The difference is, we’re still in business and they’re not.  It’s interesting to note that every one of those "consortium members" with the exception of Cable and Wireless are Crossbeam customers.  Go figure.

EFFICACY

Once the provider starts filtering at the ingress/egress, one must trust that the things being filtered won’t have an impact on performance — or confidentiality, integrity and availability.  Truth be told, as simple as it seems, it’s not just about raw bandwidth.  Service levels must be maintained and the moment something that is expected doesn’t make its way down the pipe, someone will be screaming bloody murder for "slightly clean" pipes.

Ask me how I know.  I’ve lived through inconsistent application of policies, non-logged protocol filtering, dropped traffic and asymmetric issues introduced by on-prem and in-the-cloud MSSP offerings.  Once the filtering moves past your prem. as a customer, your visibility does too.  Those fancy dashboards don’t do a damned bit of good, either.  Ever consider the forensic impact?

Today, if you asked a service provider what constitutes their approach to clean pipes, most will refer you back to the same list I referenced above:

  • DoS/DDoS
  • Anti-Virus
  • Anti-Spam
  • URL Filtering/Parental Controls
  • Managed Firewall/IDS/IPS

The problem is that most of these solutions are disparate point products run by different business units at different parts of the network.  Most are still aimed at the perimeter service — it’s just that the perimeter has moved outward a notch in the belt.

Look, for the SME/SMB (or mobile user) "good enough" is, for the most part, good enough.  Having an upstream provider filter out a bunch of spam and viri is a good thing and most firewall rules in place in the SME/SMB block everything but a few inbound ports to DMZ hosts (if there are any) and allow everything from the inside to go out.  Not very complicated, and it doesn’t take a rocket scientist to see how, from the perspective of what is at risk, this service doesn’t pay off handsomely.

For the large enterprise, I’d say that if you are going to expect that operational service levels will be met, think again.  What happens when you introduce web services, SOA and heavy XML onto externally-exposed network stubs?  What happens when Web2/3/4.x technologies demand more and more security layers deployed alongside the mechanics and messaging of the service?

You can expect issues, and the lack of transparency will hurt on all but the simplest of them.

Think your third party due diligence requirements are heady now?  Wait until this little transference of risk gets analyzed when something bad happens — and it will.  Oh how quickly the pendulum will swing back to managing this stuff in-house again.

This model doesn’t scale and it doesn’t address the underlying deficiencies in the most critical elements of the chain: applications, databases and end-point threats such as co-opted clients as unwilling botnet participants.

But to Jeff’s point, if he didn’t have to spend money on the small stuff above, he could probably spend it elsewhere where he needs it most.

I think services in the cloud/clean pipes make a lot of sense.  I’d sure as hell like to invest less in commoditizing functions at the perimeter and on my desktop.  I’m just not sure we’re going to get there anytime soon.

/Hoff

*Image Credit: CleanPipes


Unified Risk Management (URM) and the Secure Architecture Blueprint

May 6th, 2007 5 comments

Gunnar once again hits home with an excellent post defining what he calls the Security Architecture Blueprint (SAB):

The purpose of the security architecture blueprint is to bring focus to the key areas of concern for the enterprise, highlighting decision criteria and context for each domain.  Since security is a system property it can be difficult for Enterprise Security groups to separate the disparate concerns that exist at different system layers and to understand their role in the system as a whole. This blueprint provides a framework for understanding disparate design and process considerations; to organize architecture and actions toward improving enterprise security.

[Figure: Gunnar’s Security Architecture Blueprint roadmap diagram]

I appreciated the graphical representation of the security architecture blueprint as it provides some striking parallels to the diagram that I created about a year ago to demonstrate a similar concept that I call the Unified Risk Management (URM) framework.

(Ed.: URM focuses on business-driven information survivability architectures that describe as much risk tolerance as they do risk management.)

Here are both the textual and graphical representations of URM: 

Managing risk is fast becoming a lost art.  As the pace of technology’s evolution and adoption overtakes our ability to assess and manage its impact on the business, the overrun has created massive governance and operational gaps resulting in exposure and misalignment.  This has caused organizations to lose focus on the things that matter most: the survivability and ultimate growth of the business.

Overwhelmed with the escalation of increasingly complex threats, the alarming ubiquity of vulnerable systems and the constant onslaught of rapidly evolving exploits, security practitioners are ultimately forced to choose between the unending grind of tactical practices focused on deploying and managing security infrastructure versus the strategic art of managing and institutionalizing risk-driven architecture as a business process.

URM illustrates the gap between pure technology-focused information security infrastructure and business-driven, risk-focused information survivability architectures and shows how this gap is bridged using sound risk management practices in conjunction with best of breed consolidated Unified Threat Management (UTM) solutions as the technology anchor tenant in a consolidated risk management model.

URM demonstrates how governance organizations, business stakeholders, network and security teams can harmonize their efforts to produce a true business protection and enablement strategy utilizing best of breed consolidated UTM solutions as a core component to effectively arrive at managing risk and delivering security as an on-demand service layer at the speed of business.  This is a process we call Unified Risk Management or URM.

[Figure: Unified Risk Management (URM) model diagram, v1.2]

(Updated on 5/8/07 with updates to URM Model)

The point of URM is to provide a holistic framework against which one may measure and effectively manage risk.  Each one of the blocks above has a set of sub-components that breaks out the specifics of each section.  Further, my thinking on URM became the foundation of my exploration of the Security Services Oriented Architecture (SSOA) model. 

You might also want to check out Skybox Security’s Security Risk Management (SRM) Blueprint.

Thanks again to Gunnar as I see some gaps that I have to think about based upon what I read in his SAB document.

/Hoff

NWC’s Wittmann: Security in Virtualized Environments Overstated: Just Do It!

April 30th, 2007 2 comments

In the April 2007 edition of Network Computing magazine, Art Wittmann talks about server virtualization, its impact on data center consolidation and the overall drivers and benefits virtualization offers.

What’s really interesting is that while he rambles on about the benefits of power, cooling and compute cycle-reclamation, he completely befuddled me with the following statement in which he suggests that:

    "While the security threat inherent in virtualization is real, it’s also overstated."

I’ll get to the meaty bits in a minute as to why I think this is an asinine comment, but first a little more background on the article.

In addition to illustrating everything wrong with the way in which IT has traditionally implemented security — bolting it on after the fact rather than baking it in — it shows the recklessness with which evangelizing the adoption of technology without an appropriate level of security is cavalierly espoused without an overall understanding of the impact of risk such a move creates.

Wittmann manages to do this with an attitude that seeks to suggest that the speed-bump security folks and evil vendors (or in his words: nattering nabobs of negativity) are just intent on making a mountain out of a molehill.

It seems that NWC approaches the evaluation of technology and products in terms of five areas: performance, manageability, scalability, reliability and security.  He lists how virtualization has proven itself in the first four categories, but oddly sums up the fifth category (security) by ranting not about the security things that should or have been done, but rather how it’s all overblown and a conspiracy by security folks to sell more kit and peddle more FUD:

"That leaves security as the final question.  You can bet that everyone who can make a dime on questioning the security of virtualization will be doing so; the drumbeat has started and is increasing in volume. 

…I think it’s funny that he’s intimating that we’re making this stuff up.  Perhaps he’s only read the theoretical security issues and not the practical.  While things like Blue Pill are sexy and certainly add sizzle to an argument, there are some nasty security issues that are unique to the virtualized world.  The drumbeat is increasing because these threats and vulnerabilities are real and so is the risk that companies that "just do it" are going to discover.

But while the security threat is real — and you should be concerned about it — it’s also overstated.  If you can eliminate 10 or 20 servers running outdated versions of NT in favor of a single consolidated pair of servers, the task of securing the environment should be simpler or at least no more complex.  If you’re considering a server consolidation project, do it.  Be mindful of security, but don’t be dissuaded by the nattering nabobs of negativity."

As far as I am concerned, this is irresponsible and reckless journalism and displays an ignorance of the impact that technology can have when implemented without appropriate security baked in. 

Look, if we don’t have security that works in non-virtualized environments, replicating the same mistakes in a virtualized world isn’t just as bad, it’s horrific.   While it should be simpler or at least no more complex, the reality is that it is not.  The risk model changes.  Threat vectors multiply.  New vulnerabilities surface.  Controls multiply.  Operational risk increases.

We end up right back where we started; with a mess that the lure of cost and time savings causes us to rush into without doing security right from the start.

Don’t just do it. Understand the risk associated with what a lack of technology, controls, process, and policies will have on your business before you’re held accountable for what Wittmann suggests you do today with reckless abandon.  Your auditors certainly will.

/Hoff

Off Topic: My Mt. Kilimanjaro Climb and Global Warming?

April 17th, 2007 2 comments

Off-topic, non-security post.

My recent adventure involved climbing Mt. Meru and Mt. Kilimanjaro in Tanzania.  It was awesome.  I’m long overdue in blogging the event.

The reason that I and my 4 compadres decided to climb Kili was because of the "fact" that ultimately the glacial packs atop Kilimanjaro would shortly disappear.  Recent forecasts suggested that within 10 years they would be completely gone.

So, imagine my surprise when we summited in -25 degrees (F) to come face to face with this 100 foot tall monster @ nearly 20,000 feet.  It was truly an awesome spectacle.

I was expecting a small bit of snow and some compacted ice forms.  I didn’t expect 80-100 foot glacial ice fields! 

Pair that with a current BBC article that suggests that ultimately the glaciers will be around for at least 30-40 years and while I’m not discounting the global warming effect, I am happy to note that these magnificent walls of ice will be here for at least a while longer.

This is great news.  I’m glad that it’s not as bad as was originally forecasted because it’s an awesome sight after 8 hours of the summit deathmarch slog; hopefully my kids will be able to join me if I do it again and we can see it together.

/Hoff

No excuse for not shredding those credit card offers…Hamster Powered Shredder!

April 11th, 2007 1 comment

Saw this on Boing-Boing. Click on the picture.

There’s now no excuse for not shredding those unsolicited credit card offers that show up in the mail.  This works on report cards, too, kids!

It’s eco-friendly, makes its own bedding/toilet, entertains your kids, is able to turn vege-leftovers into leveraged mechanical advantage, and gosh-darn it, it’s so damned cute!

That’s right, folks.  The coolest hack, evah!  Hamster-powered shredder!

That’s Web2.0, baby…

Did I hurt your feelings? I’m OK, You’re OK…

April 9th, 2007 1 comment

In the NY Times this morning, I read an article titled "A Call for Manners in the World of Nasty Blogs" wherein the author posits whether it’s "…too late to bring civility to the Web?"  I found it online here.

Pairing this article with various allusions and outright claims that I’ve been less than "civil" lately in the manner in which I publicly interact with other security "professionals," especially when they let their butt hang out, I paused for a moment to contemplate the article and the underlying message it sought to communicate.

I further contemplated messages from fellow bloggers who want to encourage meaningful, supportive and positive dialogue within our community instead of provoking or otherwise poking those with whom we disagree.  I took this to heart and thought long and hard about this.

No, really.  I did.

I realized several things, denied about 6 others, and thought diligently about seeking therapy regarding my unhealthy obsession with gym socks and pickled herring.

I concluded a couple of things:

  1. The Internet is indeed a "…prickly and unpleasant place."  There’s www.kittenwar.com where the vile mediator of all things cuddly and feline suggests "May the Cutest Kitten Win!" but I’m not sure that really counts.
  2. There are two types of people in the world.  Those that blog and read blogs and those that visit www.kittenwar.com.
  3. "Recent outbreaks of antagonism…" describes my encounters daily with my local Starbucks Barista.  Posting my opinion wherein someone lets their butt hang out is reasonable, warranted, sometimes juvenile and above all, fun.
  4. The community that is the Internet is self-policing.  We kick ass when we need to and let the whole unregulated bunch ramble on as due course.  Sometimes people throw their toys out of the pram, but that happens in grade school — the Internet’s no different.
  5. Mr. O’Reilly and Mr. Wales should stick to allowing and ensuring the freedom of speech, not refereeing it.  I didn’t vote for them.  Did you?
  6. If Siskel and Ebert above get their way, I’ll have to rate my blog indicating "the principles…and what kind of behavior and dialogue [my blog will] engage in."  I liken that to the L.A. County Dept. of Health certifications on restaurants…while you certainly have a CHOICE not to eat at a restaurant with a ‘D’ rating, you’d miss every fantastic Vietnamese Pho restaurant this side of Delaware just because of a little E. coli.  Likewise, with this rating system, you’d miss all the best blogs out there!
  7. Turn off anonymous blogging or weed through the posts.  Nobody said blogs were themselves administered as a democracy.  You don’t like it, delete it.  That’s an instantiation of free speech, too…mine.
  8. Last time I looked, nobody tapes people’s eyes open and makes them read my blog.  There is that group of folks in Gitmo, but they swear it’s just mild hazing.
  9. It occurs to me that what seems to be at issue here is actually ANONYMOUS blogging.  Fine.  Turn the feature off.  Require registration and then folks can face those that annoy them.
  10. Civility is not the same thing as criminality or vulgarity, just to clear that up.

Just to be clear, the reactions by Messrs. Wales and O’Reilly, who were flamed by recent events, are understandable, and the utter lunacy and despicable nature of the threats and taunts that Kathy Sierra endured are unconscionable.  Nobody deserves that sort of harassment when lines are crossed and physical violence is threatened.

Look, O’Reilly’s "Blogger Code of Conduct" isn’t all that bad, and quite honestly I abide by most of the "code" as a function of being a reasonable human being and a rational contributor.  Those items highlighted I find relevant, the rest, not so much:

  • We take responsibility for our own words and for the comments we allow on our blog.
  • We won’t say anything online that we wouldn’t say in person.
  • We connect privately before we respond publicly.
  • When we believe someone is unfairly attacking another, we take action.
  • We do not allow anonymous comments.
  • We ignore the trolls.

That said, whether "free speech is enhanced by civility" or not is irrelevant.  Free means unencumbered to me. In fact, here’s the Wikipedia definition of "Free Speech":

Freedom of speech is the concept of the inherent human right to voice one’s opinion publicly without fear of censorship or punishment. The right is enshrined in the United Nations Universal Declaration of Human Rights and is granted formal recognition by the laws of most nations. Nonetheless the degree to which the right is upheld in practice varies greatly from one nation to another.

In many nations, particularly those with relatively authoritarian forms of government, overt government censorship is enforced. Censorship has also been claimed to occur in other forms (see propaganda model) and there are different approaches to issues such as hate speech, obscenity, and defamation laws even in countries seen as liberal democracies.

I’d like it very much if we could just leave the "community" to police itself and not infringe on my ability to write what I like, when I like, about whomsoever I like.

That’s just my uncivil opinion.

[Ed. I found Tristan Louis’ dissection of O’Reilly’s draft "Blogger’s Code of Conduct" quite interesting.]

/Hoff


More On the Risks of Virtualization

April 4th, 2007 3 comments

I’ve been doing a bit of writing and speaking on panels recently on the topic of virtualization and the impact that it has across the entire spectrum of risk.  I think it’s fairly clear to most that virtualization impacts all aspects of the computing landscape, from the client to the data center, and ultimately that securing virtualization by virtualizing security is important.

Gartner just released an interesting article that says "Organizations That Rush to Adopt Virtualization Can Weaken Security."   Despite the sensationalism that some people react to in the title, I think that the security issues they bring up are quite valid. 

I’m glad to see that this study almost directly reflects the talking points that we’ve been puttering on about without any glaring omissions as it validates the problem space; it doesn’t take a rocket scientist to state the obvious, but I hope we get solutions to these problems quickly. 

Granted, these are fairly well-known issues, but most folks have not looked deeply into how they affect their overall risk models:

Organizations must consider these security issues in virtualized environments:

  • Virtualization software, such as hypervisors, represents a new layer of privileged software that will be attacked and must be protected.
  • The loss of separation of duties for administrative tasks, which can lead to a breakdown of defense-in-depth.
  • Patching, signature updates, and protection from tampering for offline VM and VM "appliance" images.
  • Patching and secure configuration management of VM appliances where the underlying OS and configuration are not accessible.
  • Limited visibility into the host OS and virtual network to find vulnerabilities and assess correct configuration.
  • Restricted view into inter-VM traffic for inspection by intrusion prevention systems (IPSs).
  • Mobile VMs will require security policy and settings to migrate with them.
  • Immature and incomplete security and management tools.

I’m going to be presenting something very similar at the ISSA Metro event in Charlotte on April 10th.  I’ll upload my presentation ahead of time for anyone who might find it useful or interesting.

/Hoff

It’s a sNACdown! Cage Match between Captain Obvious and Me, El Rational.

April 4th, 2007 3 comments

CAUTION:  I use the words "Nostradramatic prescience" in this blog posting.  Anyone easily offended by such poetic buggery should stop reading now.  You have been forewarned.

That’s it.  I’ve had it.  I’ve taken some semi-humorous jabs at Mr. Stiennon before, but my contempt for what is just self-serving PFD (Pure F’ing Dribble) has hit an all-time high.  This is an out-and-out smackdown.  I make no bones about it.

Richard is at it again.  It seems that stating the obvious and taking credit for it has become an art form. 

Richard expects to be congratulated for his prophetic statements, which are basically a told-you-so to any monkey dumb enough to rely on Network Admission Control (see below) as his/her only security defense.  Furthermore, he has the gall to suggest that by obfuscating the bulk of the arguments made in contradiction of his point, he wins by default and he’s owed some sort of ass-kissing:

And for my fellow bloggers who I rarely call out using my own blog: are you ready to retract your "founded on quicksand" statements and admit that you were wrong and Stiennon was right once again?  🙂

Firstly, there’s a REASON you "rarely call out" other people on your blog, Richard.  It has something to do with a lack of frequency of actually being right, or more importantly, of others being wrong.

I mean, the rest of us poor ig’nant blogger folk just cower in the shadows of your earth-shattering predictions for 2007: cybercrime is on the rise, identity theft is a terrible problem, attacks against financial services companies will increase and folks will upload illegal videos to YouTube.

I’m sure the throngs of those who rise up against Captain Obvious are already sending their apology Hallmarks.  I’ll make sure to pre-send those congratulatory balloons now so I can save on shipping, eh?

Secondly, suggesting that others are wrong when you only present 1/10th of the debate is like watching two monkeys screw a football.  It’s messy, usually ends up with one chimp having all the fun and nobody will end up wanting to play ball again with the "winner."  Congratulations, champ.

What the heck am I talking about?  Way back when, a bunch of us had a debate concerning the utility of NAC.  More specifically, we had a debate about the utility, efficacy and value of NAC as part of an overall security strategy.  The debate actually started between Richard and Alan Shimel.

I waded in because I found them both to be right and both to be wrong.  What I suggested is that NAC by ITSELF is not effective and must be deployed as part of a well-structured layered defense.  I went so far as to  suggest that Richard’s ideas that the network ‘fabric’ could also do this by itself were also flawed.  Interestingly, we all agreed that trusting the end-point ALONE to report on its state and gain admission to the network was a flawed idea.

Basically, I suggested that securing one’s assets came down to common sense, the appropriate use of layered defense in both the infrastructure and on top of it and utilizing NAC when and how appropriate.  You know, rational security.

The interesting thing to come out of that debate is that to Richard, it became clear that the acronym "NAC" appeared to mean only Network ADMISSION Control.  Even more specifically, it meant Cisco’s version of Network ADMISSION Control.  Listen to the Podcast.  Read the blogs.  It’s completely one-dimensional and unrealistic to group every single NAC product together and compare it to Cisco.  He did this intentionally so as to prove an equally one-dimensional point.  Everyone already knows that pre-admission control is nothing you solely rely on for assured secure connectivity.

To the rest of us who participated in that debate, NAC meant not only Network ADMISSION Control, but also Network ACCESS Control…and not just Cisco’s which we all concluded, pretty much sucked monkey butt.  The problem is that Richard’s assessment of (C)NAC is so myopic that he renders any argument concerning NAC (both) down to a single basal point that nobody actually made.

It goes something like this and was recorded thusly by his lordship himself from up on high on a tablet somewhere.  Richard’s "First Law of Network Security":

Thou shalt not trust an end point to report its own state

Well, no shit.  Really!?  Isn’t it more important to not necessarily trust that the state reported is accurate but take the status with a grain of salt and use it as a component of assessing the fitness of a host to participate as a citizen of the network?   Trust but verify?

Are there any other famous new laws of yours I should know about?  Maybe like:

Thou shalt not use default passwords
Thou shalt not click on hyperlinks in emails
Thou shalt not use eBanking apps on shared computers in Chinese Internet Cafes
Thou shalt not deploy IDS’ and not monitor them
Thou shalt not use "any any any allow" firewall/ACL rules
Thou shalt not allow SMTP relaying
Thou shalt not use the handle hornyhussy in the #FirewallAdminSingles IRC channel

{By the way, I think using the phrase ‘…shalt not’ is actually a double-negative?} [Ed: No, it’s not]

Today Richard blew his own horn to try and reinforce his Nostradramatic prescience when he commented on how presenters at Blackhat further demonstrated that you can spoof reporting compliance checks of an end-point to the interrogator using Cisco’s NAC product using a toolkit created to do just that. 

Oh, the horror!  You mean Malware might actually fake an endpoint into thinking it’s not compromised or spoof the compliance in the first place!?  What a novel idea.  Not.  Welcome to the world of amorphous polymorphic malware.  Been there, done that, bought the T-Shirt.  AV has been dealing with this for quite a while.  It ain’t new.  Bound to happen again.

Does it make NAC useless?  Nope.  Does it mean that we need greater levels of integrity checking and further in-depth validation of state?  Yep.   ‘Nuff said.
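What "trust but verify" looks like in decision logic, as an added example written for this post (not code from the original, from Cisco, or from any NAC vendor): the endpoint’s self-reported posture is one input, cross-checked against evidence the infrastructure gathers on its own, so a spoofed "I’m compliant" report alone cannot earn full access and, when contradicted, becomes a detection signal. The evidence sources (AV console heartbeat, network-side scan, IPS alert count) and all host data are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class SelfReport:
    """What the endpoint agent claims about itself (constructed sample data)."""
    av_running: bool
    patch_level: int

@dataclass
class NetworkEvidence:
    """What the infrastructure observes without asking the endpoint (hypothetical sources)."""
    av_heartbeat_seen: bool     # AV management console saw a recent check-in from this host
    scanned_patch_level: int    # network-side scan estimate; -1 = unknown (counts as unverified)
    ips_alerts: int             # IPS alerts attributed to this host's traffic

REQUIRED_PATCH_LEVEL = 5        # constructed policy threshold

def admission_decision(report, evidence):
    """Return (decision, reasons). decision is 'full', 'limited' or 'deny';
    'limited' means a remediation VLAN / proxy-only path, not a hard reject."""
    reasons = []
    # Observed behaviour outranks any claim the endpoint makes about itself.
    if evidence.ips_alerts > 0:
        return "deny", [f"{evidence.ips_alerts} IPS alert(s) on host traffic"]
    # Step 1: take the self-report at face value to catch honest non-compliance.
    if not report.av_running:
        reasons.append("endpoint reports AV not running")
    if report.patch_level < REQUIRED_PATCH_LEVEL:
        reasons.append("endpoint reports patch level below requirement")
    if reasons:
        return "limited", reasons          # honest non-compliance: send to remediation
    # Step 2: the claims look clean, so verify each one against independent evidence.
    if not evidence.av_heartbeat_seen:
        reasons.append("AV claim not corroborated by console heartbeat")
    if evidence.scanned_patch_level < REQUIRED_PATCH_LEVEL:
        reasons.append("patch claim not corroborated by network scan")
    if reasons:
        # A clean claim that the evidence contradicts is exactly the spoofing case:
        # limit access and surface it to the SOC rather than silently admitting.
        return "limited", ["possible spoofed posture report"] + reasons
    return "full", reasons

if __name__ == "__main__":
    spoofed = admission_decision(SelfReport(True, 6), NetworkEvidence(False, -1, 0))
    print(spoofed)   # ('limited', ['possible spoofed posture report', ...])
```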

Let me give you Hoff’s "First Law of Network Security" Blogging:

Thou shalt not post drivel bait, Troll.

It’s not as sexy sounding as yours, but it’s immutable, non-negotiable and 100% free of trans-fatty acids.

/Hoff

(Written from the lobby of the Westford Regency Hotel.  Drinking…nothing, unfortunately.)