The Operational Impact of Virtualizing Security…

May 6th, 2007

A benefit of a show such as Infosec UK is that one is given the opportunity to organize customer meetings and very unique roundtables because everyone clusters around the show.

Last year we organized a really interesting roundtable discussion with 13 of the UK’s most compelling members of the financial services and telco/service provider industries.  This year we did another similar event with equal representation from industry.

The agenda of this meeting revolves around a central topic about which the group first introduces one another and then adds color and experiential commentary regarding the issue at hand.  The interesting thing is that by the time the "introductions" are complete, we’ve all engaged in fantastic discussion with most people sharing key experiential data and debate that has stretched the time allotment of the event.

This year’s topic was "The Operational Impact of Virtualizing Security."  It was a fascinating topic for me since I was quite interested in seeing how virtualized security was taking hold in these organizations and how operationalizing security was impacted by virtualizing it.

Virtualization (in the classic data center consolidation via virtual machine implementations) is ultimately fueled by two things: the reclamation and reduction of spending (a) time and (b) money.  In the large enterprise it’s about fewer boxes and services on demand to serve the business.  With Telcos/Mobile Operators/Service Providers it’s about increasing the average revenue per subscriber/customer and leveraging common infrastructure to deliver security as a service (for fun and profit).

The single largest differentiator between the two (or so) markets really boils down to scale; how many things are you trying to protect and at what cost.  Novel idea, eh?

It was evident that those considering virtualizing their security were motivated primarily by the same criteria, but in many cases politics, religion, regulatory requirements, imprecise use cases, bad (or non-existent) metrics, not aligning security to the business goals, fear and also some very real concerns from the security or network "purists" dramatically impacted people’s opinions regarding whether or not to virtualize their security architecture.

In most cases, it became evident that the most critical issues related to separation of duties, single points of failure, transparency (or lack thereof), fault-isolation domains, silos of administration, and the fact that many of the largest networks on the planet are largely still "flat," which makes virtualization hard. There were some hefty visualization and management concerns, but almost none of the issues were really technical.

I related a story wherein I had to spend an hour on the phone trying to convince some senior security folks at a very large company that VLANs, while they could be misconfigured and misused like any other technology, were not inherently evil.  Imagine the fun involved when I recounted the virtualization of transport, policy and security applications across a cluster of load-balanced application processing modules in a completely virtualized overlaid security services layer!

So, what the discussion boiled down to was that the operational impact of virtualizing security is compelling on many fronts, especially when discussing the economics of time and money.  When it came to downsides, most were the same old song of the fact that with the size of the Fortune 2000, where budgets are certainly larger than anywhere else, it’s still "easier" to just deploy single function boxes because one doesn’t need to think, organize differently, re-architect or buffer the status quo. 

It takes more than a simple firewall refresh to start thinking differently about how, why and where we deploy security.  Sometimes one has to think outside the box, and other times it just takes redefining what the box looks like in the first place.

/Hoff


NWC’s Wittmann: Security in Virtualized Environments Overstated: Just Do It!

April 30th, 2007

In the April, 2007 edition of Network Computing magazine, Art Wittmann talks about server virtualization, its impact on data center consolidation and the overall drivers and benefits virtualization offers. 

What’s really interesting is that while he rambles on about the benefits of power, cooling and compute cycle-reclamation, he completely befuddled me with the following statement in which he suggests that:

    "While the security threat inherent in virtualization is real, it’s also overstated."

I’ll get to the meaty bits in a minute as to why I think this is an asinine comment, but first a little more background on the article.

In addition to illustrating everything wrong with the way in which IT has traditionally implemented security — bolting it on after the fact rather than baking it in — it shows the recklessness with which evangelizing the adoption of technology without an appropriate level of security is cavalierly espoused without an overall understanding of the impact of risk such a move creates.

Wittmann manages to do this with an attitude that seeks to suggest that the speed-bump security folks and evil vendors (or in his words: nattering nabobs of negativity) are just intent on making a mountain out of a molehill.

It seems that NWC approaches the evaluation of technology and products in terms of five areas: performance, manageability, scalability, reliability and security.  He lists how virtualization has proven itself in the first four categories, but oddly sums up the fifth category (security) by ranting not about the security things that should or have been done, but rather how it’s all overblown and a conspiracy by security folks to sell more kit and peddle more FUD:

"That leaves security as the final question.  You can bet that everyone who can make a dime on questioning the security of virtualization will be doing so; the drumbeat has started and is increasing in volume."

…I think it’s funny that he’s intimating that we’re making this stuff up.  Perhaps he’s only read the theoretical security issues and not the practical.  While things like Blue Pill are sexy and certainly add sizzle to an argument, there are some nasty security issues that are unique to the virtualized world.  The drumbeat is increasing because these threats and vulnerabilities are real and so is the risk that companies that "just do it" are going to discover.

"But while the security threat is real — and you should be concerned about it — it’s also overstated.  If you can eliminate 10 or 20 servers running outdated versions of NT in favor of a single consolidated pair of servers, the task of securing the environment should be simpler or at least no more complex.  If you’re considering a server consolidation project, do it.  Be mindful of security, but don’t be dissuaded by the nattering nabobs of negativity."

As far as I am concerned, this is irresponsible and reckless journalism and displays an ignorance of the impact that technology can have when implemented without appropriate security baked in. 

Look, if we don’t have security that works in non-virtualized environments, replicating the same mistakes in a virtualized world isn’t just as bad, it’s horrific.   While it should be simpler or at least no more complex, the reality is that it is not.  The risk model changes.  Threat vectors multiply.  New vulnerabilities surface.  Controls multiply.  Operational risk increases.

We end up right back where we started; with a mess that the lure of cost and time savings causes us to rush into without doing security right from the start.

Don’t just do it. Understand the risk that a lack of technology, controls, process, and policies will have on your business before you’re held accountable for what Wittmann suggests you do today with reckless abandon.  Your auditors certainly will.

/Hoff

Rothman’s Right: SIM/SEM/Log Consolidation Needs Flushing…

April 28th, 2007

Mike Rothman reiterated his position on SIM/SEM tools the other day.  You may agree, you may not.

I took this picture a while ago at a location I won’t disclose as I walked into the facilities as a visitor.

Please don’t hold me accountable for either the state of the log consolidator (below) or its efficacy.  It would appear that this particular appliance is suffering from some sort of buffer overflow as the container is suffering from a lack of flush.

I find it apropos (if not somewhat disturbing):

[Photo: the log consolidator in question]

I’m not sure Anton Chuvakin’s going to like this 😉

/Hoff


Off to the UK Next Week @ InfoSec UK Show

April 19th, 2007

I’ll be in the UK all of next week (April 23rd-April 27th) for the InfoSec UK show.  I suppose this means that we’ve run out of anyone interesting, good looking or knowledgeable to send?

Crossbeam will be at Stand #G153.

If anyone wants to get together for a chat, a pint or a good old-fashioned dust-up, let me know.  My mobile works in the UK, so ring me if you have the number…if not, find someone who does 😉

Ping me via email (hoff [@] crossbeamsys.com) and we’ll get together for any of the above.  I’m dying for some good curry.

/Hoff


Off Topic: My Mt. Kilimanjaro Climb and Global Warming?

April 17th, 2007

Off-topic, non-security post.

My recent adventure involved climbing Mt. Meru and Mt. Kilimanjaro in Tanzania.  It was awesome.  I’m long overdue in blogging the event.

The reason that I and my 4 compadres decided to climb Kili was because of the "fact" that ultimately the glacial packs atop Kilimanjaro would shortly disappear.  Recent forecasts suggested that within 10 years they would be completely gone.

So, imagine my surprise when we summited in -25 degrees (F) to come face to face with this 100 foot tall monster at nearly 20,000 feet.  It was truly an awesome spectacle.

I was expecting a small bit of snow and some compacted ice forms.  I didn’t expect 80-100 foot glacial ice fields!

Pair that with a current BBC article suggesting that the glaciers will be around for at least 30-40 years.  While I’m not discounting the global warming effect, I am happy to note that these magnificent walls of ice will be here for at least a while longer.

This is great news.  I’m glad that it’s not as bad as was originally forecasted because it’s an awesome sight after 8 hours of the summit deathmarch slog; hopefully my kids will be able to join me if I do it again and we can see it together.

/Hoff

I want to have Gunnar Peterson’s Baby (His SOA posts are the schizzle!)

April 13th, 2007

I really look forward to reading Gunnar Peterson’s blog.  He’s got a fantastic writing style and communicates in an extremely effective form about one of my favorite topics: SOA and security. His insightful posts really get to the point in a witty and meaningful way.  I’m going to try to make one of the OWASP meetings he is presenting at soon.

Gunnar made a fantastic post commenting on Arnon Rotem-Gal-Oz’s writings on Service Firewall Patterns, but within the context of this discussion, his comments regarding the misalignment of developers, network folks, security practitioners and enterprise architects are well said:

One of my issues with common practice of enterprise architecture is that they frequently do not deep dive into security issues, instead focusing on scalability, detailed software design, and so on. But here is the thing – the security people don’t know enough about software design, and the software people don’t know enough about security to really help out.

Sadly, this is very true.  It goes back to the same line of commentary I’ve also made in this regard.  The complexity of security is rising unchecked and all the policy in the world isn’t going to help when the infrastructure is not capable of solving the problem and neither are the people who administer it.

Add to this the reality that many security mechanisms cannot make a business case as a one off project, but need to be part of core infrastructure to be economic, and well, you get the situation we have today.

Exactly.  While this may not have been Gunnar’s intention, this describes why embedding security functionality into the "network" and expecting packet jockeys to apply a level of expertise they don’t have to solving security problems "in the network," as a result of economic cram-down, is going to fail.

The architects define the "what", and unless security is one of those whats, it is not feasible to make the case for many specialized security services at a project by project level. This is why enterprise architects that enable increased integration within and across enterprises must also invest time and resources in revamping security services that enable this to be done in a reliable fashion.

…but sadly, to Gunnar’s point above, just as security people don’t know enough about software design and software people don’t know enough about security, enterprise architects often don’t know what they don’t know about networking or security.  The problem is systemic and even with the best intentions in mind, an architect rarely gets the opportunity to ensure that, after the blueprints are handed down, the "goals" for security are realized in an operational model consistent with the desired outcome.

I’m going to post separately on Rotem-Gal-Oz’s Service Firewall Pattern shortly as there are tremendous synergies between what he suggests we should do and, strangely, the exact model we use to provide a security service layer (in virtualized gateway form) to provide this very thing.

/Hoff


No excuse for not shredding those credit card offers…Hamster Powered Shredder!

April 11th, 2007

Saw this on Boing-Boing. Click on the picture.

There’s now no excuse for not shredding those unsolicited credit card offers that show up in the mail.  This works on report cards, too, kids!

It’s eco-friendly, makes its own bedding/toilet, entertains your kids, is able to turn veggie leftovers into leveraged mechanical advantage, and gosh-darn it, it’s so damned cute!

That’s right, folks.  The coolest hack, evah!  Hamster-powered shredder!

That’s Web2.0, baby…

Did I hurt your feelings? I’m OK, You’re OK…

April 9th, 2007

In the NY Times this morning, I read an article titled "A Call for Manners in the World of Nasty Blogs" wherein the author posits whether it’s "…too late to bring civility to the Web?"  I found it online here.

Pairing this article with various allusions and outright claims that I’ve been less than "civil" lately in the manner in which I publicly interact with other security "professionals," especially when they let their butt hang out, I paused for a moment to contemplate the article and the underlying message it sought to communicate.

I further contemplated messages from fellow bloggers who want to encourage meaningful, supportive and positive dialogue within our community instead of provoking or otherwise poking those with whom we disagree.  I took this to heart and thought long and hard about this.

No, really.  I did.

I realized several things, denied about 6 others, and thought diligently about seeking therapy regarding my unhealthy obsession with gym socks and pickled herring.

I concluded a couple of things:

  1. The Internet is indeed a "…prickly and unpleasant place."  There’s www.kittenwar.com where the vile mediator of all things cuddly and feline suggests "May the Cutest Kitten Win!" but I’m not sure that really counts.

  2. There are two types of people in the world.  Those that blog and read blogs and those that visit www.kittenwar.com.

  3. "Recent outbreaks of antagonism…" describes my encounters daily with my local Starbucks Barista.  Posting my opinion wherein someone lets their butt hang out is reasonable, warranted, sometimes juvenile and above all, fun.

  4. The community that is the Internet is self-policing.  We kick ass when we need to and let the whole unregulated bunch ramble on as due course.  Sometimes people throw their toys out of the pram, but that happens in grade school — the Internet’s no different.

  5. Mr. O’Reilly and Mr. Wales should stick to allowing and ensuring the freedom of speech, not refereeing it.  I didn’t vote for them.  Did you?

  6. If Siskel and Ebert above get their way, I’ll have to rate my blog indicating "the principles…and what kind of behavior and dialogue [my blog] will engage in."  I liken that to the L.A. County Dept. of Health certifications on restaurants…while you certainly have a CHOICE not to eat at a restaurant with a ‘D’ rating, you’d miss every fantastic Vietnamese Pho restaurant this side of Delaware just because of a little E. coli.  Likewise, with this rating system, you’d miss all the best blogs out there!

  7. Turn off anonymous blogging or weed through the posts.  Nobody said blogs were themselves administered as a democracy.  You don’t like it, delete it.  That’s an instantiation of free speech, too…mine.

  8. Last time I looked, nobody tapes people’s eyes open and makes them read my blog.  There is that group of folks in Gitmo, but they swear it’s just mild hazing.

  9. It occurs to me that what seems to be at issue here is actually ANONYMOUS blogging.  Fine.  Turn the feature off.  Require registration and then folks can face those that annoy them.

  10. Civility is not the same thing as criminality or vulgarity, just to clear that up.

Just to be clear, the reactions of Messrs. Wales and O’Reilly, who were flamed by recent events, are understandable, and the utter lunacy and despicable nature of the threats and taunts that Kathy Sierra endured are unconscionable.  Nobody deserves that sort of harassment when lines are crossed and physical violence is threatened.

Look, O’Reilly’s "Blogger Code of Conduct" isn’t all that bad, and quite honestly I abide by most of the "code" as a function of being a reasonable human being and a rational contributor.  Those items highlighted I find relevant, the rest, not so much:

  • We take responsibility for our own words and for the comments we allow on our blog.
  • We won’t say anything online that we wouldn’t say in person.
  • We connect privately before we respond publicly.
  • When we believe someone is unfairly attacking another, we take action.
  • We do not allow anonymous comments.
  • We ignore the trolls.

That said, whether "free speech is enhanced by civility" or not is irrelevant.  Free means unencumbered to me. In fact, here’s the Wikipedia definition of "Free Speech":

Freedom of speech is the concept of the inherent human right to voice one’s opinion publicly without fear of censorship or punishment. The right is enshrined in the United Nations Universal Declaration of Human Rights and is granted formal recognition by the laws of most nations. Nonetheless the degree to which the right is upheld in practice varies greatly from one nation to another.

In many nations, particularly those with relatively authoritarian forms of government, overt government censorship is enforced. Censorship has also been claimed to occur in other forms (see propaganda model) and there are different approaches to issues such as hate speech, obscenity, and defamation laws even in countries seen as liberal democracies.

I’d like it very much if we can just leave the "community" to self-police and not infringe on my ability to write what I like, when I like it, about whomsoever I like to write about.

That’s just my uncivil opinion.

[Ed. I found Tristan Louis’ dissection of O’Reilly’s draft "Blogger’s Code of Conduct" quite interesting.]

/Hoff


Intellectual Property/Data Leakage/Content Monitoring & Protection – Another Feature, NOT a Market.

April 8th, 2007

Besides having the single largest collection of vendors that begin with the letter ‘V’ in one segment of the security space (Vontu, Vericept, Verdasys, Vormetric…what the hell!?), it’s interesting to see how quickly content monitoring and protection functionality is approaching the inflection point of market versus feature definition.

The "evolution" of the security market marches on.

Known by many names, what I describe as content monitoring and protection (CMP) is also known as extrusion prevention, data leakage or intellectual property management toolsets.  I think for most, the anchor concept of digital rights management (DRM) within the Enterprise becomes glue that makes CMP attractive and compelling; knowing what and where your data is and how its distribution needs to be controlled is critical.

The difficulty with this technology is that, just like any other feature, it needs a delivery mechanism.  Usually this means yet another appliance; one that’s positioned either as close to the data as possible or right back at the perimeter in order to profile and control data based upon policy before it leaves the "inside" and goes "outside."

I made the point previously that I see this capability becoming a feature in a greater amalgam of functionality; I see it becoming table stakes included in application delivery controllers, FW/IDP systems and the inevitable smoosh of WAF/XML/Database security gateways (which I think will also further combine with ADCs).

I see CMP becoming part of UTM suites.  Soon.

That being said, the deeper we go to inspect content in order to make decisions in context, the more demanding the requirements for the applications and "appliances" that perform this functionality become.  Making line speed decisions on content, in context, is going to be difficult to solve.

CMP vendors are making a push seeing this writing on the wall, but it’s sort of like IPS or FW or URL Filtering…it’s going to smoosh.

Websense acquired PortAuthority.  McAfee acquired Onigma.  Cisco will buy…?

/Hoff


More On the Risks of Virtualization

April 4th, 2007

I’ve been doing a bit of writing and speaking on panels recently on the topic of virtualization and the impact that it has across the entire spectrum of risk; I think it’s fairly clear to most that virtualization impacts all aspects of the computing landscape, from the client to the data center and ultimately how securing virtualization by virtualizing security is important.

Gartner just released an interesting article that says "Organizations That Rush to Adopt Virtualization Can Weaken Security."  Despite the sensationalism that some people react to in the title, I think that the security issues they bring up are quite valid.

I’m glad to see that this study almost directly reflects the talking points that we’ve been puttering on about without any glaring omissions, as it validates the problem space; it doesn’t take a rocket scientist to state the obvious, but I hope we get solutions to these problems quickly.

Granted these are fairly well-known issues but most folks have not looked deeply into how this affects their overall risk models:

Organizations must consider these security issues in virtualized environments:

  • Virtualization software, such as hypervisors, represents a new layer of privileged software that will be attacked and must be protected.
  • The loss of separation of duties for administrative tasks, which can lead to a breakdown of defense in-depth.
  • Patching, signature updates, and protection from tampering for offline VM and VM "appliance" images.
  • Patching and secure configuration management of VM appliances where the underlying OS and configuration are not accessible.
  • Limited visibility into the host OS and virtual network to find vulnerabilities and assess correct configuration.
  • Restricted view into inter-VM traffic for inspection by intrusion prevention systems (IPSs).
  • Mobile VMs will require security policy and settings to migrate with them.
  • Immature and incomplete security and management tools.
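
The third bullet (protection from tampering for offline VM and VM "appliance" images) is the one where a small control can be shown concretely. The following is an added example, not code from Gartner, from Crossbeam or from this blog: it builds an HMAC-signed manifest of SHA-256 digests over a directory of image files, then re-verifies the directory so that a modified image, a missing image, an image that was never in the manifest, or an edited manifest is reported before anything gets booted. The key, file names and file contents are constructed for the example; the real key would live in a secrets store, not beside the images.

```python
"""Offline VM image integrity check (added example; assumptions noted inline)."""
import hashlib
import hmac
import json
import os
import tempfile

# Constructed key for the example only; a deployment would fetch this from a secrets store.
MANIFEST_KEY = b"example-manifest-key-not-for-production"


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so multi-gigabyte VM images are never read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(image_dir, key=MANIFEST_KEY):
    """Digest every file in image_dir and sign the digest set with an HMAC."""
    digests = {name: sha256_file(os.path.join(image_dir, name))
               for name in sorted(os.listdir(image_dir))}
    body = json.dumps(digests, sort_keys=True).encode()
    return {"images": digests, "hmac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_images(image_dir, manifest, key=MANIFEST_KEY):
    """Return findings: manifest_tampered (bool) plus modified/missing/unexpected image names."""
    body = json.dumps(manifest["images"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    findings = {
        # compare_digest avoids leaking the position of the first differing byte via timing.
        "manifest_tampered": not hmac.compare_digest(expected, manifest["hmac"]),
        "modified": [], "missing": [], "unexpected": [],
    }
    present = set(os.listdir(image_dir))
    for name, digest in manifest["images"].items():
        if name not in present:
            findings["missing"].append(name)
        elif sha256_file(os.path.join(image_dir, name)) != digest:
            findings["modified"].append(name)
    findings["unexpected"] = sorted(present - set(manifest["images"]))
    return findings


def demo():
    """Sign two constructed images, then tamper with the directory and the manifest."""
    with tempfile.TemporaryDirectory() as d:
        for name, data in (("web01.vmdk", b"constructed image A"),
                           ("db01.vmdk", b"constructed image B")):
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        manifest = build_manifest(d)
        clean = verify_images(d, manifest)

        # Simulate an offline edit of one image and a rogue image dropped into the store.
        with open(os.path.join(d, "db01.vmdk"), "ab") as f:
            f.write(b" + injected change")
        with open(os.path.join(d, "rogue.vmdk"), "wb") as f:
            f.write(b"not in manifest")
        dirty = verify_images(d, manifest)

        # Simulate an attacker "fixing" the manifest entry without knowing the key.
        forged = {"images": dict(manifest["images"]), "hmac": manifest["hmac"]}
        forged["images"]["db01.vmdk"] = sha256_file(os.path.join(d, "db01.vmdk"))
        forged_result = verify_images(d, forged)
        return {"clean": clean, "dirty": dirty, "forged": forged_result}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest only answers "has this file changed since it was signed"; it says nothing about whether the signed image was patched or had current signatures at signing time, which is the other half of the same bullet and needs a separate process (rebuild and re-sign on a schedule).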

I’m going to be presenting something very similar at the ISSA Metro event in Charlotte on April 10th.  I’ll upload my presentation ahead of time for anyone who might find it useful or interesting.

/Hoff