3/16/04

Security Redux

Something is going on in the network security world. It seems that we keep talking about the same old stuff. Let me give you some examples.
  • Certification. Are certifications important? When and why or why not? Which ones?
  • Viruses. Email- and other-carried worms and viruses.
  • Buffer overflows and secure programming. Also, the execution of arbitrary code. (Well, not arbitrary -- code that the "attacker" wants you to execute.)
  • Usability versus security.
  • Importance of security policies.
  • Strong user authentication in lieu of reusable passwords (for goodness sake).
  • Log analysis tools (and the need for common {firewall, IDS, whatever} log formats.
  • The need for vulnerability analysis scanning.
  • Proxy versus filtering firewalls.
  • And what is this Intrusion Prevention stuff?
Are all (or most) of these things important? Sure. Is there anything new to say about them? Well... not really. Okay, maybe. Let's take a closer look.

Recently, on the firewall-wizards mailing list was a discussion with the subject "Evolution of Firewalls." (You can find the archive here/.) It was short and started innocently, but disclosed the amount of knowledge that is lost over time, and the willingness of people to press on, even without that historical knowledge. This particular thread started with comparing "Stateful Deep Inspection firewall" technology and application proxy technology, as if there was a significant difference. Marketers -- and some security experts -- talk about "deep packet inspection" and "application intelligence" as if they are new ideas. (See my column "Debunking the Firewall Hype" here.)

The March 2004 Information Security Magazine has a lead article called "Proxy vs. Packet Filter." (See this url.) It is written by IP, VPN, and now firewall expert Joel Snyder. There is also a bake-off between firewall vendors in the same issue. Joel is an excellent writer and tester (and teacher). Also an all-around nice-guy. (This isn't a problem with Joel.) But this article, and the firewall-wizards list thread, might give clues to the problem: we lack a technological memory, or the one we have is faulty.

For example, the tension was never between proxy firewalls and filtering firewalls. No one ever doubted that proxies were better than packet filters. No one doubted -- after the Morris Worm -- that static packetfiltering was insufficient. (And this is an example of this loss of history thing -- some reading this do not remember the Morris Worm.) The argument was between "Stateful Inspection" (a Check Point invention) and application proxy firewalls (a Marcus Ranum invention... and yes, yes it was). Is this "memory" important? Of course it is. No one suggests that Stateful Inspection was not a significant improvement. But it is not, the same thing as "dynamic packet filtering," the correct name for the technology that "is built into $99 SOHO devices." Like a game of telephone (if you don't know this game, look up "game of telephone" in a search engine), information is lost, but we continue the game unaware or unperturbed.

So, let's settle all these burning issues now, once and for all. (That statement is tongue-in-cheek. I'm not that arrogant. Really.)
  • Certifications. They are great, especially if you do not have the opportunity to expose your knowledge at conferences and in print. But, they are no substitutes for experience. I know someone who has a CISSP but zero practical experience. It doesn't make this individual a bad or useless person. But it certainly does show.
  • Viruses and worms. Yes, bad. Do something about it forgoodnessakes. Run A/V software. All security gateways should screen for them. (Firewalls, e-mail gateways, on corporate and agency networks and ISPs.) Of course, on desktop systems, too.
  • Buffer overflows. They can be checked. They can be fixed. (See here.) And technology exists (and has for years) to take away their sting. (Search for "Mandatory Access Control" in your favorite search engine.)
  • Usability versus security. Yes, indeed, you do actually have to chose. Stop talking about it as if it is going to go away. Over time, details will change, but they will always be in tension, this side of Heaven.
  • Importance of security policies. No one has ever doubted this. We still talk about it. Maybe it needs some new PR. Like a name change. (Kind of like calling "application firewalling" "deep packet inspection." But enough on that already!)
  • Log analysis and common log formats. We've been talking about this one for 15 years. Every time I teach a class and the question comes up I ask, "What are you using for log analysis and reduction?" Someone would say, "Webtrends." "And do you recommend it?" "Well, it's okay." How about if we started demanding a common log format from vendors?
  • Vulnerability analysis scanning. Yes, you should do this. But, do recognize their limitations. (See 26-BeyondVA.html.)
  • Application level firewalls. Of course. And really, it doesn't matter to me what you call it. Application-specific firewalls are great. (Like the "new" http firewalls.) For example, this SecurityFocus article describes "Deep packet inspection" and —watch out now—"next generation firewalls." You can read it yourself. But, you will find similar things discussed in firewall papers from the early 1993. (See fwtk.html and isoc.html for two examples.)
  • Intrusion Prevention. Like a firewall, this prevents intrusion (or tries to), doing more than just intrusion detection. Yes, but application gateway firewalls did this already. For that matter, all firewalls do some of this. The magic is bundling firewalling and intrusion detection. Or, as Network Associates called it in 1999, "active security." (See this article.) If they would have called it "Intrusion Prevention..." No, it would not have made a difference. You're right.
So, there you have it. Now, can we move on to new discussions?

[Comments from Paul Robertson, keeper of the firewall-wizards list, are at compuwar.net]

No comments: