Slashdot Mirror


User: stuart_berman

stuart_berman's activity in the archive.

Stories: 0 · Comments: 13

Comments · 13

  1. Re:Inspired... on Tear Down the Firewall · · Score: 1

    How about an analogy that is applicable?

    You have a business (like a jewelry shop) which is open for business. How much security does that front door provide? I bet it may not even be locked. But you may have locked display cases, a separate vault, even a separate show room for qualified customers.

    Unlike the store - you don't lock up your perimeter at night though - unless you change your firewall to Deny All at 5 PM - along with deprovisioning all phone lines, cutting the mains power, etc.

    Now tell me how secure the perimeter of your home is even with the best door lock money can buy? (Those crazy locksmiths can get through the best in any case.) Oh wait... that is right, you put bars on all of your windows and doors, you have reinforced your walls, you rekey all of the locks every few months, you search all guests before they enter your abode. Yeah, that front door lock is super effective. Criminals wouldn't dare approach your home.

    Seriously - I wholly advocate personal hardware firewalls and PC based firewalls for all home users. They are so cheap and do offer a basic layer of security as well as reducing the noise of broadband connections.

  2. Re:Weve been tricked... on Tear Down the Firewall · · Score: 1

    First I am Kevin Mitnick, then the 'other' Stuart Berman...

    What's a simple network engineer to do?

  3. Re:Nice logic, but on Tear Down the Firewall · · Score: 1

    Nice set of comments throughout - unfortunately my article is more of a Reader's Digest version of the situation - check out my post earlier today.

    There is a lot of real value in monitoring that seems to finally be getting the attention of IT. There is a wealth of information in our firewall logs alone - but we haven't really applied good data mining tools yet.

    A lot of the new event correlation tools look promising. Prelude is a nice open source framework. OpenService.com makes some interesting tools with good reporting and alerting capabilities - an approach they take that looks promising is to rate groups of events by risk rather than individual vulnerability.

    Websense has done this rather successfully with their EIM product. Categorize activity by business effect (legal liability, productivity loss, etc) and then subcategorize into classes (spyware, hacker sites, etc). The serious stuff makes itself obvious in short order - the noise is separated out.
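The grouped risk rating the comment describes (categorise each event by business effect, then by class, and score groups of events per source rather than reacting to single alerts) can be sketched in a few dozen lines. This is an added example and not the poster's tooling or any vendor's product; the log format, the flagged-site list, the taxonomy and the risk weights are all constructed for illustration.

```python
"""Risk-grouped correlation over firewall log lines: classify each event by
business effect and class, then score per source host so that a few low-risk
events from one host add up while pure noise scores zero and drops out.
Added example; log format, taxonomy, weights and addresses are constructed."""
import re
from collections import defaultdict

# Constructed firewall log lines (assumed syslog-like format).
LOG_LINES = """\
fw1 DENY tcp 192.0.2.33:4000 -> 10.0.0.80:22
fw1 DENY tcp 192.0.2.33:4001 -> 10.0.0.80:23
fw1 DENY tcp 192.0.2.33:4002 -> 10.0.0.80:3389
fw1 ALLOW tcp 10.0.3.14:51200 -> 198.51.100.9:80
fw1 ALLOW tcp 10.0.5.7:49000 -> 203.0.113.50:80
fw1 ALLOW tcp 10.0.5.7:49001 -> 203.0.113.50:443
fw1 DENY udp 10.0.7.2:137 -> 10.0.7.255:137
fw1 DENY udp 10.0.7.2:138 -> 10.0.7.255:138
"""

LINE_RE = re.compile(r"^\S+ (ALLOW|DENY) (tcp|udp) (\S+):\d+ -> (\S+):(\d+)$")

# Constructed: destinations a content filter would list as hacker/malware sites.
FLAGGED_SITES = {"198.51.100.9"}

# (business effect, class) -> risk weight per event. Constructed weights.
TAXONOMY = {
    ("legal liability", "hacker/malware site"): 7,
    ("security exposure", "inbound admin-port probe"): 2,
    ("security exposure", "netbios broadcast noise"): 0,
    ("productivity loss", "general web browsing"): 0,
}

def classify(action, proto, dst, dport):
    """Map one event to (business effect, class); None if uncategorised."""
    if dst in FLAGGED_SITES:
        return ("legal liability", "hacker/malware site")
    if action == "DENY" and proto == "tcp" and dport in (22, 23, 3389):
        return ("security exposure", "inbound admin-port probe")
    if proto == "udp" and dport in (137, 138):
        return ("security exposure", "netbios broadcast noise")
    if dport in (80, 443):
        return ("productivity loss", "general web browsing")
    return None

def correlate(log_text):
    """Aggregate events per source host: summed risk, event count, classes seen."""
    groups = defaultdict(lambda: {"score": 0, "events": 0, "classes": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        action, proto, src, dst, dport = m.groups()
        cat = classify(action, proto, dst, int(dport))
        if cat is None:
            continue
        g = groups[src]
        g["events"] += 1
        g["score"] += TAXONOMY[cat]
        g["classes"].add(cat)
    return dict(groups)

def triage(log_text, threshold=5):
    """Sources whose aggregate risk meets the threshold, highest first."""
    ranked = sorted(correlate(log_text).items(),
                    key=lambda kv: kv[1]["score"], reverse=True)
    return [(src, g["score"], sorted(c for _, c in g["classes"]))
            for src, g in ranked if g["score"] >= threshold]

if __name__ == "__main__":
    for src, score, classes in triage(LOG_LINES):
        print(f"{src:>12} risk={score:2d} {', '.join(classes)}")
```

Note that three individually unremarkable denied connections from 192.0.2.33 reach the threshold only because they are scored as a group, while the NetBIOS broadcasts from 10.0.7.2 are categorised but weighted zero and never surface.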

  4. Re:Jericho Forum on Tear Down the Firewall · · Score: 1

    They are a great example of a consortium that is trying to evolve beyond perimeter security. Not a whole lot on their web site yet - but there is a book or two published.

    They recently held their first US based conference in Ohio - but unfortunately I was unable to attend. I would love to know if anyone else had the opportunity.

  5. Re:Not an Innovator; Just a Contrarian on Tear Down the Firewall · · Score: 1

    No I'm not... 8p

  6. Re:I use a firewall to isolate networks on Tear Down the Firewall · · Score: 1

    My point is - what will it take to get that environment changed? (Unless it is a totally trivial set of systems that can do no outbound harm).

    Why are you tolerating NetBIOS and permissive shares?

  7. Re:Nice logic, but on Tear Down the Firewall · · Score: 1

    I am not saying that we ditch the perimeter.

    But the hardened perimeter is becoming harder to maintain since business requirements require that we continually 'soften' it up.

    Consider your example of DMZ based systems, why not move them inside to an internal DMZ and treat all users as untrusted?

    Right now your DMZ sits between external untrusted users and internal trusted users - how about flipping the logical positions of DMZ and internal users?

  8. Re:Nice logic, but on Tear Down the Firewall · · Score: 1

    Not sure I follow where you are going on this...

    We use N-tiers within our network (not just the DMZ).

    Let's say we have a presentation layer with a web server that is responsible for serving up content to end users (those end users may be on the LAN and on the Internet - the network firewall would permit TCP 80 traffic from any to the web server).
    Then we use ACLs to limit exposure of that server to any other systems except as explicitly needed: perhaps J2EE access to an application layer server; access to domain servers; access to backup hosts.
    Then the application layer server has ACLs around it to allow J2EE access from the web server; maybe TCP 1433/ODBC to a back end database server, etc.

    Since we will be using RFC internal addresses, as well as ingress/egress filters and do not permit source routing - then there is very little chance of IP spoofing internally.
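The tiered design in the comment above (web tier reachable on TCP 80 from anywhere, application tier reachable only from the web server, database reachable only from the application tier, plus ingress/egress anti-spoofing) can be modelled as a small policy evaluator. This is an added example, not the poster's configuration: the RFC 1918 addresses, the J2EE, LDAP and backup port numbers, and the sample flows are constructed assumptions.

```python
"""Tiered ACL model for a web / application / database design. Added example:
hosts, addresses, ports, rules and flows are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed RFC 1918 addressing (assumed).
INTERNAL_NET = ip_network("10.0.0.0/8")
WEB = "10.1.0.10"     # presentation tier: web server
APP = "10.2.0.10"     # application tier: J2EE server
DB = "10.3.0.10"      # data tier: database server
DC = "10.0.0.5"       # domain controller
BACKUP = "10.0.0.9"   # backup host

@dataclass(frozen=True)
class Rule:
    """Permit TCP to `dport` on the protected host from `src` (None = any)."""
    dport: int
    src: Optional[str] = None

# Per-host ACLs keyed by the protected host. Anything not listed is denied.
ACLS = {
    WEB: [Rule(80)],                                   # any (LAN or Internet) -> web:80
    APP: [Rule(8080, src=WEB)],                        # J2EE from the web server only (port assumed)
    DB: [Rule(1433, src=APP)],                         # TCP 1433/ODBC from the app server only
    DC: [Rule(389, src=WEB), Rule(389, src=APP)],      # directory access (LDAP port assumed)
    BACKUP: [Rule(10000, src=h) for h in (WEB, APP, DB)],  # backup agent port assumed
}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    ingress_if: str   # "external" (Internet-facing) or "internal"

def anti_spoof_check(flow: Flow) -> Optional[str]:
    """Ingress/egress filtering: the source address must match the side it arrived on."""
    src = ip_address(flow.src)
    if flow.ingress_if == "external" and src in INTERNAL_NET:
        return "ingress filter: internal source address arriving from outside"
    if flow.ingress_if == "internal" and src not in INTERNAL_NET:
        return "egress filter: non-internal source address on the inside"
    return None

def evaluate(flow: Flow) -> str:
    """Return 'permit' or 'deny: <reason>' for a TCP flow under the tiered ACLs."""
    reason = anti_spoof_check(flow)
    if reason:
        return f"deny: {reason}"
    for rule in ACLS.get(flow.dst, []):
        if rule.dport == flow.dport and rule.src in (None, flow.src):
            return "permit"
    return f"deny: no ACL on {flow.dst} permits {flow.src} -> tcp/{flow.dport}"

# Constructed sample flows.
SAMPLE_FLOWS = [
    Flow("203.0.113.7", WEB, 80, "external"),    # Internet user to the web server
    Flow("10.5.0.20", WEB, 80, "internal"),      # LAN user to the web server
    Flow("203.0.113.7", APP, 8080, "external"),  # Internet user straight to the app tier
    Flow(WEB, APP, 8080, "internal"),            # web -> app (J2EE)
    Flow(WEB, DB, 1433, "internal"),             # web tier skipping the app tier
    Flow(APP, DB, 1433, "internal"),             # app -> database
    Flow(WEB, APP, 8080, "external"),            # web-server source address arriving from outside
]

def evaluate_all(flows=SAMPLE_FLOWS):
    return [(f, evaluate(f)) for f in flows]

if __name__ == "__main__":
    for flow, verdict in evaluate_all():
        print(f"{flow.src:>14} -> {flow.dst}:{flow.dport} via {flow.ingress_if:8} {verdict}")
```

The last sample flow is the case the anti-spoofing filters exist for: a packet carrying the web server's own address but arriving on the external interface is dropped before the per-host ACLs are even consulted, so the "from the web server only" rule on the application tier cannot be satisfied from outside.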

  9. Re:Still don't even half way agree on Tear Down the Firewall · · Score: 1

    These points go to some of the issues I am trying to raise:

    "usability are generally higher on the internal network"
    This is changing in many corporate networks. People and systems on the outside are needing as much if not more access than other users in the inside.

    "open file sharing services"
    This typifies the perimeter security model (not defense-in-depth) which has an internal network that is 'soft and chewy'. This model no longer works for many corporate networks.

    "What about defense in depth?"
    This is what I am proposing (I don't claim that any of this is innovative - it is just that it gets more lip service than effort) - the firewalls are being asked to carry too much of the burden, the other layers are either non-existent or supremely weak.

    "Getting rid of the firewalls"
    I am not saying we should do this but we should ask everyone to act as if this is the case. (This counters the mindset that says, "we do defense in depth, we have a firewall!" or "let someone else put in a layer of security, I'll be safe anyway".)

  10. Re:Virtualization is nice on Tear Down the Firewall · · Score: 1

    My point isn't to replace firewalls by virtualizing servers - it acknowledges that many shops are adopting server virtualization and this is able to provide another layer of security if the security implications are considered.

  11. Re:The best thing about firewalls.... on Tear Down the Firewall · · Score: 1

    This is fairly true in a typical packet filtering firewall. Application proxy firewalls were supposed to be more protocol aware - but the dirty little industry secret is that most application proxies were never developed and it is easy enough to tunnel any protocol inside a 'real' http packet.

  12. Re:Berman, Blogs, and War on Tear Down the Firewall · · Score: 1

    Yes, I am. But I would call Tom a global security strategist.

  13. I'm author of TFA on Tear Down the Firewall · · Score: 1

    For those of you who haven't totally uncloaked my conspiratorial attempts at world domination or my simply lame ass ideas, here are a few clarifications:

    I wrote the article to inspire discussion among a broad audience and inspire attempts to harden the inside of corporate networks.

    The Network Magazine column called 'Soapbox' requires a 650 word submission - my first attempt to write a concise summary yielded about 1500 words. Perhaps a better person would have refused to discuss such a topic with less than 1500 words, but I chose to balance idealism with pragmatism. Consequently the content got pretty hacked up and some points rose to a higher level of attention than originally desired. I have great respect for Network Magazine and I consider getting published in it an honor, and in order to have a piece published the topic should have a wide appeal, be interesting and perhaps be a bit provocative - the title reflects that.

    For a Slashdot audience I certainly would not have composed an article this way since the subtleties would not get lost on a Slashdot readership. A more accurate description of the topic would be, 'stateful inspection network based firewalls are being given far too much credit for the security they and perimeter security in general can possibly bring to a system'. As several people have noted, I am not advocating that we should eliminate the perimeter or network firewall, but rather trying to get people to reconsider what it actually offers in the way of security - to sum it up concisely: it becomes a coarse grained noise filter. (In early drafts I tried to liken it to an RF choke.)

    In an IT context, too many IT people who should know better see a firewall as a panacea. Threatening to remove the firewall gets their attention rather quickly. When I talk to our IT architects, managers and system admins I try to get them to work to create systems that are as reasonably secure in the environment in which we operate. If we are running an insecure desktop in an enterprise such as Windows 95 then there needs to be a wakeup call to get this situation changed. If we approach this as though we are living without a firewall, then the people responsible take a very different view of what needs to be done to correct the situation and we consider better alternatives. I am not advocating a specific solution rather an approach that views our internal network as being hostile rather than safe. I contend that there are viable solutions available to us today to build affordable and secure systems whereas many larger companies have adopted an attitude that we can live with the status of our internal networks as they exist today.

    For those people that put a lot of faith in firewalls, I simply say that most significant threats go around the firewall (e.g., reverse proxies ala Adrian Lamo; war dialing; and access via VPNs and remote site penetration); go through firewalls (e.g., embedded content in e-mail; direct user downloaded content; XML vulnerabilities; and spyware) or simply exist within the internal network and don't need to consider the firewall (e.g., malicious employees; partnerships with organizations that don't respect our 'property' or are careless about handling access). For many companies the threat is already inside the walls - they just refuse to accept it.

    So I don't foresee the network firewall going away, but it will continue to be less effective as we are required by the business to continue to create more permissive rules and see more channels that bypass it completely. We do need to create ways to put the protections closer to the stuff we are trying to protect.

    I didn't touch on home networks, but this is an area I strongly advocate the use of simple and cheap hardware firewalls for most people. This is not just because home users have notoriously vulnerable systems and generally don't need to allow inbound connections but also for any system that has to deal with the noise coming from the Internet and all of the wasted processor interrupts th