Rethinking Network Security

Lisa Phifer, vice president of Core Competence, Inc., a network security consulting firm, has written an article for the February 2004 Business Communications Review entitled "Rethinking Network Security." I am quoted in it, which is only one of the many reasons you should check it out (:-)) here.


Microsoft adding security applications

Remember when you needed a 3rd-party disk defragmenter for ... for what? I forget. Oh, yes. To improve disk performance. (Nowadays, who could tell?) And then Microsoft bundled "Disk Defragmenter" and stole all of Norton's business. Remember when Microsoft stole all of Symantec's business when they provided an antivirus program (back with Windows 3.1)? And there went ZoneAlarm's business (and Symantec's and McAfee's) with XP's Internet Connection Firewall! No, having those things in Windows did not make third-party products go away. Neither will the proposed duplication of 3rd-party security applications in LONGHORN (their next OS, due out in 2006).

In the "Security Wire Perspectives" (an e-mail newsletter of Information Security magazine) in my mailbox today, Edmund X. DeJesus discusses this news. (See here.) He writes, "These built-in features will make it tough for administrators to decide whether to buy the extra software or simply rely on Windows alone."

I don't think so. Not for security applications. Microsoft is not lean and fast enough to address requirements of enterprise users. Home users will probably be just fine using Microsoft software. For example, even though I run XP on my desktop, I rely on a SoHo firewall and ZoneAlarm on my system. Why? As Internet Connection Firewall's help file says:
You should not enable Internet Connection Firewall (ICF) on any connection that does not directly connect to the Internet. If the firewall is enabled on the network adapter of an ICS client computer, it will interfere with some communications between that computer and all other computers on the network. For a similar reason, the Network Setup Wizard does not allow ICF to be enabled on the ICS host private connection, the connection that connects the ICS host computer with the ICS client computers, because enabling a firewall in this location would completely prohibit network communications.
Yes, well, ZoneAlarm (even the free version) allows me to tune the configuration so that I can control what I share on the home (trusted) network while still protecting traffic to and from the Internet. And even though for years (since 3.1 or before) Windows has come with a backup and restore program, I use a 3rd-party product for reasons stated in Save your sanity -- Backup that PC!

Some of the features sound excellent... for the home user. I am not sure that enterprise users will want to trust Microsoft to do "dynamic system protection." For home users, it might be a terrific addition. But, Microsoft will not be able to keep up with the demands of corporate users.

XP supports ZIP files, but I still prefer WinZip (it allows one to specify the name of the resulting file -- built-in zip does not). Fax support from Microsoft? I use WinFax. Windows has MediaPlayer. RealPlayer is still around. IE does great stuff. You all use IE and Netscape and Opera and Mozilla/Firefox. The only area I can think of in which Microsoft killed off 3rd party applications is in TCP/IP integration.

So, should desktop security vendors be worried? Only if their primary business is retail.


E-mail Postage Due -- Eweek editorial

Ed Bride, an editor with Computerworld puts forward a dreadful idea in an eweek guest editorial. I do not know why I noticed this. I get eweek through no fault of my own; I never subscribed and cannot see how to unsubscribe. I usually just recycle it at the post office. For some reason I saw this issue and this editorial.

Bride proposes, "Suppose every addressee cost the sender, say, 1 cent. Would legitimate businesses be willing to pay this fee to increase the likelihood that recipients would read their missives? I believe the answer is yes. The ISP could collect the fee, keep a small portion for its accounting service and remit the remainder to Uncle Sam."

I have no idea why "Uncle Sam" is mentioned, but I believe the answer is "no." I don't suppose Mr. Bride is new to the Internet. Perhaps he doesn't get or send much e-mail. The problem is not, of course, with legitimate e-mail. It is not even a problem with unsolicited e-mail. It is with unsolicited commercial e-mail, or junk e-mail. And whether he can imagine it or not, $.01 per e-mail message will negatively affect one of the Internet's greatest strengths.

What we have, and what I pay for with my monthly fee, is essentially the same as the "Unlimited local calling" on my phone line. This is very common in the U.S., though not so common elsewhere. For my $25 a month, I can call as many local numbers as often as I want. For my ISP's fee, I expect the same.

On the Internet, every call is a local call.

Authenticated E-mail as Anti-spam

Jon Udell caught my eye with an interesting article at Infoworld. Since I am tired of saying "We all need digital signatures, and the spam problem will lessen," I'll just let him say it.


Security Redux

Something is going on in the network security world. It seems that we keep talking about the same old stuff. Let me give you some examples.
  • Certification. Are certifications important? When and why or why not? Which ones?
  • Viruses. Email- and other-carried worms and viruses.
  • Buffer overflows and secure programming. Also, the execution of arbitrary code. (Well, not arbitrary -- code that the "attacker" wants you to execute.)
  • Usability versus security.
  • Importance of security policies.
  • Strong user authentication in lieu of reusable passwords (for goodness sake).
  • Log analysis tools (and the need for common {firewall, IDS, whatever} log formats).
  • The need for vulnerability analysis scanning.
  • Proxy versus filtering firewalls.
  • And what is this Intrusion Prevention stuff?
Are all (or most) of these things important? Sure. Is there anything new to say about them? Well... not really. Okay, maybe. Let's take a closer look.

Recently, on the firewall-wizards mailing list there was a discussion with the subject "Evolution of Firewalls." (You can find the archive here.) It was short and started innocently, but it disclosed the amount of knowledge that is lost over time, and the willingness of people to press on even without that historical knowledge. This particular thread started by comparing "Stateful Deep Inspection firewall" technology and application proxy technology, as if there were a significant difference. Marketers -- and some security experts -- talk about "deep packet inspection" and "application intelligence" as if they are new ideas. (See my column "Debunking the Firewall Hype" here.)

The March 2004 Information Security Magazine has a lead article called "Proxy vs. Packet Filter." (See this url.) It is written by IP, VPN, and now firewall expert Joel Snyder. There is also a bake-off between firewall vendors in the same issue. Joel is an excellent writer and tester (and teacher). Also an all-around nice-guy. (This isn't a problem with Joel.) But this article, and the firewall-wizards list thread, might give clues to the problem: we lack a technological memory, or the one we have is faulty.

For example, the tension was never between proxy firewalls and filtering firewalls. No one ever doubted that proxies were better than packet filters. No one doubted -- after the Morris Worm -- that static packet filtering was insufficient. (And this is an example of this loss-of-history thing -- some reading this do not remember the Morris Worm.) The argument was between "Stateful Inspection" (a Check Point invention) and application proxy firewalls (a Marcus Ranum invention... and yes, yes it was). Is this "memory" important? Of course it is. No one suggests that Stateful Inspection was not a significant improvement. But it is not the same thing as "dynamic packet filtering," the correct name for the technology that "is built into $99 SOHO devices." Like a game of telephone (if you don't know this game, look up "game of telephone" in a search engine), information is lost, but we continue the game unaware or unperturbed.
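To make the distinction drawn above concrete, here is a small added example (not code from the original post, and not any vendor's implementation): a static packet filter that, to let replies to outbound connections back in, has to admit any ACK-flagged inbound packet to a high port, beside a dynamic packet filter that keeps a state table of outbound connections and admits only their replies. The class names, addresses and traffic are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool  # TCP ACK flag as seen on the wire


class StaticPacketFilter:
    """Judges each packet alone against fixed rules. To let replies to outbound
    connections back in, it must admit inbound ACK-flagged packets to high
    ports, and any sender can set the ACK bit."""

    def allow(self, pkt: Packet, inbound: bool) -> bool:
        if not inbound:
            return True                        # outbound traffic is trusted
        if pkt.dport == 25:
            return True                        # inbound mail to the gateway
        return pkt.dport >= 1024 and pkt.ack   # the "established" guess


class DynamicPacketFilter:
    """Records outbound connections in a state table and admits an inbound
    packet only if it is the reverse of a connection in that table."""

    def __init__(self) -> None:
        self.table: set[tuple[str, int, str, int]] = set()

    def allow(self, pkt: Packet, inbound: bool) -> bool:
        if not inbound:
            self.table.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))
            return True
        if pkt.dport == 25:
            return True                        # same static mail rule
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.table


def run_scenario(fw) -> tuple[bool, bool]:
    """Returns (reply_admitted, probe_admitted) for one constructed exchange."""
    # Constructed sample traffic using documentation addresses, not real hosts.
    client_out = Packet("10.0.0.5", 40001, "198.51.100.7", 80, ack=False)
    reply_in = Packet("198.51.100.7", 80, "10.0.0.5", 40001, ack=True)
    # Unrelated host sends an ACK-flagged packet to a high port nobody opened.
    probe_in = Packet("203.0.113.9", 31337, "10.0.0.5", 40002, ack=True)
    fw.allow(client_out, inbound=False)
    return fw.allow(reply_in, inbound=True), fw.allow(probe_in, inbound=True)
```

Both filters pass the legitimate reply; only the dynamic filter refuses the unrelated ACK-flagged packet, because no matching outbound connection is in its table.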

So, let's settle all these burning issues now, once and for all. (That statement is tongue-in-cheek. I'm not that arrogant. Really.)
  • Certifications. They are great, especially if you do not have the opportunity to expose your knowledge at conferences and in print. But, they are no substitutes for experience. I know someone who has a CISSP but zero practical experience. It doesn't make this individual a bad or useless person. But it certainly does show.
  • Viruses and worms. Yes, bad. Do something about it, for goodness' sake. Run A/V software. All security gateways should screen for them. (Firewalls, e-mail gateways, on corporate and agency networks and ISPs.) Of course, on desktop systems, too.
  • Buffer overflows. They can be checked. They can be fixed. (See here.) And technology exists (and has for years) to take away their sting. (Search for "Mandatory Access Control" in your favorite search engine.)
  • Usability versus security. Yes, indeed, you do actually have to choose. Stop talking about it as if it is going to go away. Over time, details will change, but they will always be in tension, this side of Heaven.
  • Importance of security policies. No one has ever doubted this. We still talk about it. Maybe it needs some new PR. Like a name change. (Kind of like calling "application firewalling" "deep packet inspection." But enough on that already!)
  • Log analysis and common log formats. We've been talking about this one for 15 years. Every time I teach a class and the question comes up I ask, "What are you using for log analysis and reduction?" Someone would say, "Webtrends." "And do you recommend it?" "Well, it's okay." How about if we started demanding a common log format from vendors?
  • Vulnerability analysis scanning. Yes, you should do this. But, do recognize their limitations. (See 26-BeyondVA.html.)
  • Application-level firewalls. Of course. And really, it doesn't matter to me what you call it. Application-specific firewalls are great. (Like the "new" HTTP firewalls.) For example, this SecurityFocus article describes "deep packet inspection" and (watch out now) "next generation firewalls." You can read it yourself. But you will find similar things discussed in firewall papers from as early as 1993. (See fwtk.html and isoc.html for two examples.)
  • Intrusion Prevention. Like a firewall, this prevents intrusion (or tries to), doing more than just intrusion detection. Yes, but application gateway firewalls did this already. For that matter, all firewalls do some of this. The magic is bundling firewalling and intrusion detection. Or, as Network Associates called it in 1999, "active security." (See this article.) If they would have called it "Intrusion Prevention..." No, it would not have made a difference. You're right.
So, there you have it. Now, can we move on to new discussions?

[Comments from Paul Robertson, keeper of the firewall-wizards list, are at compuwar.net]


Significant Security Answers

There are some general answers that are very significant if asked in a security context. In no special order:
  • I don't know.
  • I'm not sure.
  • I am absolutely sure.
  • That can never happen.
  • It depends.
Can you think of others? I am collecting submissions. See SigAns.txt