Defense In Depth

June 9th, 2006

It occurs to me that I can put some points here to things I’ve been working on that might be of interest.

I wrote a white paper on Defense in Depth that I think is pretty good.

Download and read it at your leisure. Six Strategies for Defense in Depth

Here’s the Executive Summary:

Defense in depth is not a buzzword. Network managers are watching their perimeter firewalls drop in importance as the enterprise network extends across the country and around the world. Remote access and site-to-site VPN, extranet partners, and wireless mobility all are conspiring to turn easily encapsulated and firewalled networks into complex entities that cannot be protected at the edge. Add in the requirement to protect yourself from your own LAN and WAN users and create internal zones of security, and defense in depth has become standard marching orders for IT.

Turning the network inside out—making the network itself secure—is the critical strategy for enterprise security architects. Defense in depth is not a product, like a perimeter firewall. Instead, it is a security architecture that calls for the network to be aware and self-protective. In this white paper, we present the six key strategies for adding defense in depth to enterprise networks. At a technical level, we discuss the problems that need to be solved, the challenges network managers face in addressing these problems, and solution strategies you can incorporate today.

Although not every network faces the same challenges, the six strategies in this white paper can serve as guide posts for any security professional looking to implement defense in depth in an enterprise LAN:

Strategy 1: Authenticate and authorize all network users
Strategy 2: Deploy VLANs for traffic separation and coarse-grained security
Strategy 3: Use stateful firewall technology at the port level for fine-grained security
Strategy 4: Place encryption throughout network to ensure privacy
Strategy 5: Detect threats to the integrity of the network and remediate them
Strategy 6: Include end-point security in policy-based enforcement

Posted in Security | No Comments »

NAK on NAC? A Devil’s Advocate View

May 30th, 2006

Network Access Control, NAC, is a simple idea. Authenticate every user connecting to the network, then enforce an access control policy based on who they are and other environmental information, such as end point security checks and wired versus wireless access method. After writing a big architectural overview of Network Access Control (NAC) for Network World (see http://www.networkworld.com/research/2006/040306-nac-overview.html ) and testing NAC solutions at Interop in Las Vegas last month (see http://www.networkworld.com/research/2006/050106-ilabs-nac.html ), I’ve been exposed to the good and bad parts of NAC.

I’m personally very enthusiastic about NAC. But I’d like to devote some time to the devil’s advocate view of NAC. Because it’s very true that the NAC idea has five major failings, and we might as well discuss them.

1. End Point Security checks only work when you need them the least. When you need them the most, they leave you high and dry. If your NAC strategy is based on checking end point security posture, that works great for managed laptops and desktops, but our testing has shown not so well for people coming into the organization—the folks you have the greatest security concerns about. If you’re doing NAC to check that strangers have virus scanners loaded, you’re doing it for the wrong reason.

2. Generals are always preparing to fight the last war—not the next one. NAC is the same way. A lot of the rhetoric proposing NAC is reactionary—worrying about last week’s threats. That’s useful, but have you noticed that we haven’t had a huge, network-wide virus meltdown in a couple of years? That’s because we’re actually getting better at preventing these kinds of things. Sure, it’ll happen again, but the frequency and severity is dropping. Which brings us to …

3. The ROI on NAC is a big unknown. NAC is a lot of work. A lot. Even if your network infrastructure is ready for whichever NAC approach you want, getting NAC into place is not going to be cheap or easy. Is it worth it? You should probably calculate that before going down that path. There are lots of other ways to spend your security dollar. Maybe some will have a better ROI.

4. Too much information is sometimes just too much. One of the benefits of NAC is that it gives you the opportunity to set a policy for every single user. The problem is that organizations who are paralyzed by the concept of policy definition or who don’t know what is going on with their networks are not suddenly going to be able to come up with per-user or per-group network access control rules. You can use NAC in its most primitive “on if you authenticate, off if you don’t” mode, but if that’s all you want—save yourself a lot of bother and try a simpler solution.

5. You can only control what you see. If your NAC solution lets people get to officially permitted servers—and then the servers become jumping-off points to cruise the network, your policy just got a planet-sized hole punched in it. NAC is fancy, complex, and expensive, but just a component in the bigger picture of defense in depth.

Don’t let these points keep you from looking at NAC. But when you do look at NAC, keep your eyes and your mind open.

Posted in NAC, Security | No Comments »

Backup Tapes Keep Disappearing

April 8th, 2006

Data should be encrypted in transit. That’s the answer. Six words. This could be my shortest piece of advice I’ve ever given. When some company ships a pile of backup tapes from point A to point B, that’s “in transit.” Data on those tapes should be encrypted. Period. End of argument.

Let me put this another way. When people connect back to your network over the Internet, you’re using some kind of VPN, right? That would include encryption. You wouldn’t think of shutting down your IPsec or SSL VPN and going back to unencrypted PPTP, would you? “Of course not,” you say. Well, that’s data in transit. And they’re encrypted. Not because you think that anyone is necessarily trying to listen in. But just in case.

And it’s the same way with backup tapes that you plan to ship around. You can probably send tapes out every day, twice a day, even, for years and never lose a set. But you know what? As good as FedEx is, they’re going to lose one sooner or later. People lose things. It happens. And, just in case, the data should be encrypted. It’s cheap—there’s no excuse for not encrypting. By networking standards, tape drives are dog slow. Your average $300 home firewall will encrypt at 70 or 80 Mbps, nearly twice as fast as your typical DLT tape drive. And that dual CPU, 3.2 GHz server you’re using to drive the tape drives can do it without breaking a sweat.

What bothers me about this issue is the amazingly long rivers of text I’ve been seeing written by people who don’t get it about operations managers who should be fired. This is not a complex issue. This is a simple issue. I feel like Hemingway here. Encrypt your data.

Of course, I know why the tapes aren’t encrypted. It’s that status quo thing I wrote about last month. Operations managers have been directing backups for 10, maybe 20 years. Back then we never thought about the security of data on tapes and they’ve just never revisited the issue. The security team probably never thought to call up the operations team and ask about this topic.

But when the first lost backup tape story hit the news months ago, it should have shocked every single operations manager in the world into saying “I need to start encrypting data tomorrow.” Anyone who isn’t encrypting their backup tapes today needs to get fired tomorrow. There’s no excuse for not doing that today, other than incompetence.

Sure, if you want to do it right, there’s lots of details involved. Key management and escrow. Performance. Long-term compatibility. And those need to get solved. But you know what? You don’t have to do all that stuff if you just want to get started. You can click on the “Encrypt It” box in your backup software, put in a nice long password, and at least get started on the problem. You already have a procedure for managing passwords, right? A book, a vault, something like that? Use that, at least to start. Not being able to do it right on the first day is no excuse for not doing it at all.

Once we get those people out of the way, we can start in on the IT people who are passing out corporate laptops without encrypted hard drives. And a hint to the security team: if you’re not reaching into every corner of your company and asking these questions, your services could be “no longer required” shortly.

Posted in Security | No Comments »

The Security Status Quo is So Wrong

March 8th, 2006

I was at a customer last week helping them with a wireless rollout when the security person pulled a set of security requirements out of his back pocket. The goal of this wireless network was to support guest users: people who had come into the building for a day for a meeting or short project. The security requirements started with “disable SSID advertisement” and “use 128-bit WEP.” I rolled my eyes.

“What’s the point of this,” I asked? The security person had an answer: these are “best practices.” And then he proceeded to pull out a stack of white papers, articles, and web postings 3-inches thick that he had downloaded off the Internet and showed me, indeed: these are “best practices.” After all, you get 50 security people writing the same thing, you begin to believe it’s the right thing to do.

Unless, of course, it’s not. And that’s the problem with this bit of advice. We have way too many people writing as wireless security experts and way too few people actually thinking about wireless security and keeping up with the change both in the technology and how we use it. This problem isn’t unique to wireless security—it extends to every aspect of how we do security, and how we design networks.

What happens is that early thinking on how to build security becomes codified as law, largely by people who gather most of their knowledge by doing Google searches and writing white papers based on what they found other people saying first. SSID hiding is a great example. That was an interesting idea, back before the Airjack folks rubbed our noses in it and demonstrated how stupid it was—back in 2002. Nevertheless, people continue to pick up this same bit of lame advice and offer it as a primary requirement for secure wireless.

Yeah, it does provide security. Job security to your help desk people who will be continually explaining to people how to spell your SSID and enter WEP keys. Let’s not even get started with WEP. As Network World demonstrated last year, even brand new wireless APs cannot be trusted not to have old defects in them. The solution is to abandon WEP and use a security solution that doesn’t have the problems WEP does: 802.11i, also called WPA2.

We have become a community of parrots, repeating the same rules and arguments for doing things that have become “conventional wisdom.” As Mark Basinski, one of Cisco’s wisest souls puts it, “the problem with conventional wisdom is that it’s neither conventional, nor is it wisdom.” Mark is spot-on. We do things out of rote and without thinking about whether that’s still the right way to design and implement security.

Even sacred cows such as 3-port firewalls (“inside,” “outside,” and “DMZ”) need rethinking. Is that really the right way to do things? How many networks have a need for exactly three and only three security zones? Are we designing secure networks, or are we replicating the same network architecture that seemed right back in 1990?

Posted in Security | No Comments »

What is NAC?

February 25th, 2006

In a single-sentence: NAC is user-focused network-based access control.

The implications of that statement are fairly significant. Let’s break it apart and we’ll have a definition of NAC.

Start with “user-focused.” This term differentiates NAC from many other forms of access control, such as you might find in a typical firewall. While a firewall provides access control, most firewalls are designed to be destination focused: it’s not who you are, but what you want to get to that is most important. And when “who you are” is used in a firewall, it’s generally just a question of your IP address. NAC is different, because NAC is focused on the end user.

At a minimum, “user-focused” implies that users are authenticated and authorized. In other words, the policy expressed in the access control part of NAC (the user’s authorization) is based on who the user is, as determined by some authentication mechanism. I’m not going to say what kind of authentication is required here, because all of that depends on the enterprise’s requirements. Obviously, true user authentication (using username/password or some more secure method, such as digital certificates or tokens) is desirable, but a full-fledged NAC solution might include other authentication methods, including captive portals, MAC-based authentication, port-based authentication, and third-party authentication (such as a passed-in SAML assertion). However, I am going to say that a solution that has no authentication is not NAC. A network manager may choose not to use authentication, or even weak authentication (such as MAC addresses), but you have to offer that option to be in the game.

A second part of the term “user-focused” commonly found in NAC is the ability to include the user’s platform, along with the user’s identity, in the access control policy. Every NAC vendor has their own terminology here, but the general idea is that some assessment is made of the security posture of the user’s access device. The term we see a lot is “end-point security assessment,” although “system health check” also pops up a lot. I’m not fixated on terms, just functionality. The most common approach is to run some software on the user’s device which reports the security status of the device, such as whether virus software is up to date and enabled. However, other approaches, including external scans, are also fairly common. The choice of whether or not to use end-point security assessment is up to the network manager, but you have to include some aspects of it as an option.

NAC vendors have come up with a dizzying set of terms to differentiate their approaches to end-point posture assessment, trying to fit them into time-of-assessment (before authentication, during authentication, after authentication) and into continuity-of-assessment (once, or continuously) spectrums. While these differentiate products, I don’t believe that any one approach is required. Again, this is a place where an enterprise’s own policy and goals for NAC deployment will help to determine which end-point posture assessment strategy (if any) is right for them.

End-point posture assessment is actually just one piece of a larger part of user-focused access control I call “environmental” information. This includes posture assessment, but also other information which the NAC solution gathers from the environment, such as the access method (wireless, wired, VPN, for example) or the time of day or day of week.

“Network-based” means that this is something in the network itself. This seems obvious, but I have seen some vendors with client-enforced access controls calling those “NAC” solutions and I want to head that off right away. The enforcement must be in the network, somewhere. It could be at the point of entry (switch or VPN device) or it could be deeper, but it has to be within the network, not the client or the end host.

Again, I don’t want to say that these are “bad” technologies; I’m just saying that those are not NAC solutions. If you put the access control on the end system (either end), that’s a HAC (host-based access control), not a NAC. No jokes about hack, either, OK?

Finally “access control” means that you are controlling access by the end system, as always subject to the policy of the network manager. I don’t want to say that any particular degree of granularity is required to call yourself a NAC solution. I see four common scenarios: go/no-go access, VLAN-based access controls, simple packet filters, and stateful firewall. That doesn’t mean that you can’t have something in-between (although I’d be a bit hard-pressed to understand what that might be).

Note, however, that this does require user-focused access control. You can’t have NAC that doesn’t somehow apply policy based on who the user is. For example, I can easily imagine an IPS vendor re-titling their product a “NAC” product because it detects misbehavior and stops further traffic into the network. I am unwilling to call that a NAC product; we need to have user-focused access control.

This is not to say that you can’t throw an IPS into a NAC solution, and I can imagine many different ways in which this might be a useful piece of the big picture. However, to be a NAC solution, you must be applying access control based on who the user is (and not simply what traffic they are sending) to fit into this niche. There’s plenty of room for products with this loose definition, but we have to cut it off somewhere.

Posted in NAC, Security | No Comments »

From Good to Great

February 22nd, 2006

I just finished a project where I had to use a lot of different security products and I was struck at how different they are, and how much distance there is between good and merely average products.

Much of the time, people don’t decide to buy the best product; they buy the product that they like the best. Those are two very different things. What this means is that many companies have products that aren’t all that great—but they’re pretty happy with them, because they solve at least some problems, and they know how to use them, or they got a good deal, or their sales rep is really good looking or buys them lunch a lot.

I know I’m not going to change the mind of someone who knows the answer before they even ask the question of “what product should we use,” but I wanted to list four characteristics that, in my experience, really separate the great products from merely good ones.

Great products are self-documenting. It’s a rarity to find good documentation nowadays, which means that security products have to be designed to operate in a documentation-poor environment. Context-sensitive help, while a pain in the butt to build, is now a basic requirement for almost any product, and is always present in great products.

However, self-documenting doesn’t just mean context-sensitive documentation. It also means that the design of the product’s user interface makes it clear what the user is doing, and why, and what the effect will be, all without using product-specific jargon. A single extra sentence of explanation in the management interface can save an hour of searching through documentation to figure out what is really going on.

Great products have good logging and debugging output. (that’s two things, in case you’re keeping count.) I’ve never seen a product that didn’t require some troubleshooting, and the key to good troubleshooting is getting the information you need out of the debugging logs. When the logs are in a single place, and when the controls for searching and managing the logs are well put together, it’s easy to uncover what’s going on. When the logs are in 10 different places, in different formats, or (as I’ve seen recently) can’t even be viewed and have to be sent off to some external SYSLOG server, then debugging can be a nightmare.

There’s an art to writing good logging, and you’ll know a great product when you have to dig through the logs. Recently, in solving a problem I spent over an hour reading thousands of lines of logs that a not-very-great VPN product generated in a transaction that took less than a half-second to complete. It wasn’t logging; it was random debugging output that a half-literate developer had inserted to help fix his buggy code. On the other end of the VPN, though, was a great product that put out just 8 lines of logging, including a very clear pointer to where the problem was.

Great products are instrumented so that you can find out what you need to know. I’m continually astonished at how simple things you might want to know about a product are hard to find out. Questions like what’s the CPU load? How much bandwidth is being consumed? What are my outstanding critical alerts?

Security products especially have gone for the “dashboard” idea, trying to cram all kinds of status information into attractive pie charts that will look good in a demo—while not really helping the administrator answer the simple question “what is happening NOW?”

This is one of the more difficult attributes to see in casual use, because you’re often not sure what you care about until you’ve used a product for a while. But one thing is for sure: if you don’t see any status information, there’s something wrong. Many products err on the side of too much information.

I probably won’t convince you to change your buying or coding habits, but if you keep on the lookout for self-documentation, easy-to-use centralized logging, and meaningful status information, you’ll know whether you’re on the road with a good-enough product, or a truly great product.

Posted in Security, Testing | No Comments »

Why I don’t have a blog

January 16th, 2006

I don’t have a blog.

Blogs should be current, and frequently updated. I don’t have great thoughts every day. Or every week. Or sometimes every month. Rather than indulge in diarrhea of the keyboard, I’d rather publish good stuff when I can in magazines, white papers, and journals.

Blogs don’t seem to follow rules of civilized discourse. People say things about each other that they would never say to each other–not even in email. I don’t want to get sucked into that particular habit.

Blogs just seem too self-promotional for my taste. “Hey, everybody, look at me! Every day! I have a blog! And a Prius!” Whatever happened to modesty?

That’s just what I thought of for why I don’t have a blog.

Posted in Meta | No Comments »

Newer Entries »