Yes, the castle-and-moat model has lots of shortcomings, but the concept of "deperimeterization" is a long, long way off
By Simson Garfinkel
The old network security model—perimeter defense—was a lot like the
old physical security model: Put your assets in a secure location,
build a wall and use a gate to control who goes in and out. Many today
say the perimeter model is obsolete; some even say the perimeter should
be removed altogether. While today it's critical to understand the
shortcomings of the castle-and-moat model, CSOs should be a long way
from tossing their firewalls altogether.
The perimeter defense approach worked pretty well for the walled
cities of the ancient world, and it worked pretty well for computer
networks in the 1990s. In many ways, the approach is fundamentally
sound. It makes more sense to stop attackers with hardened outer
defenses than to let them come inside and fight your most vulnerable
citizens with hand-to-hand combat. No one would dream of arming an
office clerk with an antitank gun; it's the job of the soldiers on the
front lines to keep tanks away from the file clerks!
Of course, no perimeter defense is perfect. The Trojans learned this
fact the hard way a little more than 3,000 years ago, when they brought
that giant wooden horse filled with Greek soldiers inside their
perimeter wall. Once the bad guys are inside the gate, the wall becomes
irrelevant. Security consultants have been warning organizations for
years about the danger of underestimating the insider threat. They
argue that concentrating on perimeter defenses invariably tempts an
organization into relaxing its internal defenses. For example,
organizations are understandably hesitant to patch and upgrade the
computers inside their networks when they are spending all that money
on a firewall. But external threats have a way of sneaking past even
the best perimeter defense—either because an executive plugs an
infected laptop into an internal network or because a rogue 802.11
access point lets outsiders come wirelessly through your walls and plug
in.
Even if perimeters were perfect, the perimeter approach assumes that
assets stay put inside the perimeter's protective ring. This assumption
is no longer true in today's world of laptops, Web portals, memory
sticks and BlackBerrys. High-quality information is constantly crossing
every organization's physical and electronic perimeters. Relying solely
on perimeter defenses is like buying a home alarm system to protect
your children from kidnapping, then allowing them to ride alone to
school on the New York City subway.
Perimeters today have gotten such a bad name that some consultants and journalists are heralding "the end of the perimeter." CSO, for example, wrote about this concept early last year (see "The World Is Your Perimeter").
The Battle of Jericho
One user organization, the Jericho Forum, is taking this idea a step
further, with a process that the forum calls "deperimeterization." The
basic idea of deperimeterization is that organizations should face the
fact that the perimeter is dead and develop a fundamentally new
security model based on mutual authentication and strong cryptography.
The Jericho Forum (whose members include big companies such as
Barclays, Boeing, HSBC and Rolls-Royce) argues that the way to achieve
this future is through careful design of a new security infrastructure
that guarantees interoperability and openness. Jericho is calling for
companies to bring down their outside walls and rely on defenses built
into hosts, applications and the data itself.
Deperimeterization certainly seems sensible in a company such as
Boeing; a perimeter-oriented defense makes little sense when you have
more than 150,000 employees inside the firewall. Sure, you can have a
firewall within the firewall to protect the really good stuff—to
segregate the accounting department from the machinists, for
example—but where does one stop? Jericho's argument is that it makes
sense to build firewalls as small as possible—for example, one firewall
for each computer.
This vision of a network is, in fact, the environment that I enjoyed
at MIT, an enterprise that has tens of thousands of computers
interoperating securely without a general perimeter defense. At MIT the
network is assumed to be inherently hostile. The result is that the
systems there are
battle-hardened against all attackers, internal
and external. (Instead of making users reauthenticate every time they
log in to a different service, the MIT network uses Kerberos as a
single sign-on system; workstation users have to reauthenticate only
once every 10 hours.)
But aside from its catchy name and its big goals, does
deperimeterization make sense from either a security or financial or
even a historical point of view?
Yes, for all their benefits, good perimeter defenses are
psychologically dangerous. They lull organizations into a false sense
of security. But according to the 2005 "CSI/FBI Computer Crime and
Security Survey," attacks by insiders accounted for less than 7 percent
of the respondents' dollar losses to computer crime. What's more, the
survey's authors write, "the data do suggest that respondents detect
events perpetrated by insiders about as often as by outsiders, casting
some doubt on the claims one often reads that the vast majority of
crimes are committed by insiders."
In other words, even though
strong perimeter defenses might cause organizations to lower their
vigilance inside their walls, on the whole a perimeter seems to do
significantly more good than bad. What today's organizations really
need is a way to evaluate the effectiveness of their perimeter defenses
so they can make rational decisions about where else—in addition to
their perimeter—they ought to be spending their security dollars. The
big holes in today's perimeters come from business decisions: When two
companies form a partnership, one of the first things they do is open
holes in their respective firewalls so that their corporate systems can
interact more closely. These holes can outlast not only the original
partnership but frequently the companies as well! After a corporate
acquisition or two, hardly anybody knows which holes in the firewall
are the ghosts of long-dead relationships and which are still essential
because of ongoing business ventures. The same is often true of active
VPN circuits and even dedicated leased lines. People just keep paying
the bills, for fear that tearing down a connection might break
something important. One company that's managed to profit from this
confusion is network mapper Lumeta, which has developed a powerful
system that experimentally determines the connectivity between and
within enterprise networks. Lumeta's maps frequently turn up hidden
pathways between supposedly well-guarded enterprise networks and the
rest of the Internet.
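One practical check for the "ghost" holes described above, as an added example that is not from the column and has nothing to do with Lumeta's product: a small Go audit that expects every firewall exception to carry a named business owner and an agreed expiry date, and flags any rule with no owner, an owner no longer under contract, or a lapsed date. The rule lines, the "# partner=NAME expires=YYYY-MM-DD" annotation format and the partner register are all constructed for this example; real firewall exports differ by vendor, so only the regular expression would need to change.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"time"
)

// Finding is one firewall exception whose business justification can no
// longer be confirmed and therefore deserves a review before the bill is
// paid again.
type Finding struct {
	Rule   string
	Reason string
}

// ruleRe matches the annotated export format constructed for this example
// (real firewall exports differ by vendor): the rule text, then optionally
// "# partner=NAME expires=YYYY-MM-DD".
var ruleRe = regexp.MustCompile(`^(.*?)\s*(?:#\s*partner=(\S+)\s+expires=(\d{4}-\d{2}-\d{2}))?\s*$`)

// AuditRules flags exceptions with no recorded owner, exceptions whose
// partner is no longer in the active register, and exceptions whose agreed
// expiry date has passed without renewal.
func AuditRules(rules []string, activePartners map[string]bool, today time.Time) []Finding {
	var findings []Finding
	for _, line := range rules {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue // blank line or pure comment
		}
		m := ruleRe.FindStringSubmatch(line)
		rule, partner, expires := m[1], m[2], m[3]
		switch {
		case partner == "":
			findings = append(findings, Finding{rule, "no partner annotation: owner unknown"})
		case !activePartners[partner]:
			findings = append(findings, Finding{rule, "partner " + partner + " not in active register"})
		default:
			exp, err := time.Parse("2006-01-02", expires)
			if err != nil || !exp.After(today) {
				findings = append(findings, Finding{rule, "expired " + expires + " without renewal"})
			}
		}
	}
	return findings
}

// Demo runs the audit over a constructed rule export and partner register.
func Demo() []Finding {
	rules := []string{
		"# constructed sample export, not a real firewall configuration",
		"allow tcp 203.0.113.0/24 -> 10.0.5.20:1521 # partner=AcmeParts expires=2006-12-31",
		"allow tcp 198.51.100.7 -> 10.0.5.21:443 # partner=OldCoLogistics expires=2005-03-31",
		"allow tcp 192.0.2.0/24 -> 10.0.9.5:22",
		"allow udp 198.51.100.8 -> 10.0.5.30:500 # partner=AcmeParts expires=2004-01-15",
	}
	active := map[string]bool{"AcmeParts": true} // partners with a live contract
	today := time.Date(2005, time.June, 1, 0, 0, 0, 0, time.UTC)
	return AuditRules(rules, active, today)
}

func main() {
	for _, f := range Demo() {
		fmt.Printf("REVIEW: %-60s %s\n", f.Rule, f.Reason)
	}
}
```

Of the four sample rules only the first survives; the other three are exactly the cases the column describes: a partner nobody does business with any more, a hole nobody owns, and an agreement that quietly ran out while the bills kept being paid.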
Perimeter Practicals
The fundamental problem with the Jericho Forum's deperimeterization
vision is that it ignores the security doctrine of defense in depth.
Even if all your hosts can withstand attacks from the open Internet,
there are still advantages to adding the extra layer of defense that
comes from a firewall. For example, when a new attack is discovered,
it's invariably faster to block the attack with a new rule on the
firewall than to program every computer to update itself. Indeed, I
don't see how any self-respecting CSO could decommission a firewall
once one was installed. What if an attack comes through that could have
been stopped by the firewall?
Another problem with Jericho's vision is the whole idea of
developing a new security architecture rather than making incremental
modifications to the one that's currently deployed. The Internet was
successful because it could be incrementally deployed. Instead,
Jericho's vision will probably come to pass partly through companies
adopting application-level VPNs that use SSL to bridge connections over
a hostile Internet. Each time a business partner needs to use a remote
service, one application will open an SSL connection to the remote
server and check the certificate. A very simple version—one company
setting up an SSL-enabled website for another company's employees to
use—exists today.
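The application-level bridge described above, with both ends checking certificates as the Jericho Forum's mutual-authentication idea calls for, as an added example in Go that is not from the column or from any Jericho Forum member. It builds a throwaway certificate authority in memory, issues one certificate to a service called partner-service.example and one to a client called partner-app.example (constructed names), and tries three connections: the correct one, one where the client presents no certificate, and one where the client has no trust anchor for the service. Only the first gets through.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// makeCert generates a key and certificate for name: a self-signed CA when
// parent is nil, otherwise a leaf signed by parent and limited to one use.
// Only a broken system random source can make it fail, so it panics.
func makeCert(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, use x509.ExtKeyUsage) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{use},
	}
	signer, signerKey := parent, parentKey
	if parent == nil { // CA: may sign other certificates, is not a host, not tied to one use
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.DNSNames, tmpl.ExtKeyUsage = true, true, nil, nil
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		signer, signerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// runServer plays the remote service: a TLS handshake, then a short greeting.
func runServer(ln net.Listener, cfg *tls.Config) {
	for {
		raw, err := ln.Accept()
		if err != nil {
			return // listener closed by Demo
		}
		go func(c net.Conn) {
			defer c.Close()
			if tc := tls.Server(c, cfg); tc.Handshake() == nil {
				tc.Write([]byte("ok"))
			}
		}(raw)
	}
}

// dial plays the partner application: verify the service's certificate chain
// against the configured roots, present our own certificate, then wait for the
// greeting so that a server-side rejection of our certificate (which TLS 1.3
// delivers only after the client's handshake has finished) shows up as an error.
func dial(addr string, cfg *tls.Config) error {
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return err
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(5 * time.Second))
	_, err = conn.Read(make([]byte, 2))
	return err
}

// Demo builds the constructed PKI, starts a service that demands client
// certificates, and reports which of three connection attempts get through.
func Demo() (map[string]bool, error) {
	ca, caKey := makeCert("Partner Root CA (constructed)", nil, nil, 0)
	srv, srvKey := makeCert("partner-service.example", ca, caKey, x509.ExtKeyUsageServerAuth)
	cli, cliKey := makeCert("partner-app.example", ca, caKey, x509.ExtKeyUsageClientAuth)
	trusted := x509.NewCertPool()
	trusted.AddCert(ca)
	clientID := []tls.Certificate{{Certificate: [][]byte{cli.Raw}, PrivateKey: cliKey}}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return nil, err
	}
	defer ln.Close()
	go runServer(ln, &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey}},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the "mutual" in mutual authentication
		ClientCAs:    trusted, MinVersion: tls.VersionTLS12,
	})
	client := func(roots *x509.CertPool, id []tls.Certificate) *tls.Config {
		return &tls.Config{RootCAs: roots, ServerName: "partner-service.example", Certificates: id, MinVersion: tls.VersionTLS12}
	}
	addr := ln.Addr().String()
	return map[string]bool{
		"mutual auth, trusted CA": dial(addr, client(trusted, clientID)) == nil,
		"no client certificate":   dial(addr, client(trusted, nil)) == nil,
		"server CA not trusted":   dial(addr, client(x509.NewCertPool(), clientID)) == nil, // empty pool trusts nobody
	}, nil
}
```

The point of the last two attempts is that each side is doing its own checking: the service refuses a caller that cannot prove who it is, and the caller refuses a service whose certificate it cannot chain to a CA it trusts. An application that skipped either check would be the "simple version" the column describes, an SSL-enabled website, and nothing more.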
Digital rights management (DRM) is another technology that will
help bring about Jericho's vision. DRM systems encrypt the contents of
sensitive documents so that they can be deciphered only by authorized
individuals. There are many players in this space, including Microsoft,
Liquid Machines and even Adobe. DRM systems can reduce our dependence
on firewalls because they lower the potential damage that can be caused
when a firewall fails.
Still, I'd rather have a firewall in place around a company than put
bad-guy hackers on my internal LAN and rely solely on the effectiveness
of SSL-protected application-level VPNs or DRM. Yes, Joshua blew his
horn and the walls of Jericho came tumbling down—after which the
invasion force killed every man, woman and child inside the city.
Internal defenses are a great idea—but so are nice healthy walls around
your perimeter.
Simson Garfinkel, PhD, CISSP, is spending the
year at Harvard University researching computer forensics and human
thought. He can be reached at machineshop@cxo.com.
Most Recent Responses:
In reading Mr Simmons' comment I would ask him and the Jericho group to take a look at the large higher educational institutions that have no perimeter firewall and live in the world of "openness". These are the institutions targeted by many as testing grounds for new exploits, root kits, worms etc because they have large bandwidth and no perimeter defense. As a security administrator or network administrator in these environments you are constantly having to be on top of security patches without ever really being able to test them because you are sitting on the public Internet. Where the private sector is saying that perimeter defenses are dead I would encourage these groups to speak with the institutions that have the constant daily battle of keeping up with the security patches because they have no perimeter defense to at least give them some breathing room to ensure the consistency of the patches or are wasting desktop and server resources because the systems are constantly getting bombarded with "junk" traffic. Where I was previously employed we had departments depending on the endpoint firewall and when the vulnerability and exploit (we won't name the desktop firewall software) was released the entire infrastructure was compromised and valuable data was lost; this was a direct result of having the "openness" and no perimeter defenses. If we have issues now I can't imagine what we are going to see in the future where companies take down the perimeter or bring them up without it. I am a believer in the onion approach with multiple layers protecting the infrastructure. I have been reading the perimeter is dead for some time now and unless you have been in an environment where there is no perimeter I don't know if you can really speak to it in practical terms.
Jason Rahl
Network Analyst
The issue here is defense in depth.
Certainly it makes no sense as the article suggests to install a state of the art home intrusion system but put your child on the subway alone. It also makes no sense to surround your child with body guards but leave the front door open for someone to plant an explosive device.
Khurt Williams
Senior Advisor
Esteemed colleagues,
I think the issue is perception. IT for many years was symbolism over substance. I think a truly comprehensive analysis (BIA, Baseline) of your independent environment will consistently yield the best results, germane to your organization. Security is best described when comparing it to a well rehearsed orchestra. If all of the instruments and musicians are carefully tuned and working different lines of the composition, beautiful music will prevail. However, if one person or instrument breaks down it creates chaos and the crowd’s perception changes and focuses on the miscue. It’s not a question of re-inventing the wheel, it’s a question of making a better and more adaptable wheel.
Supplemental to the aforementioned, I agree with the gentleman who feels we are all responsible for security and its adaptations at some level. I think it’s safe to say that technology changes its face on a daily basis just like a fugitive on the run. IT Professionals must overcome and adapt carefully, planning tactically as well as strategically.
Freddie Manint
CIO
Gov/Justice
If, at the end of the day, you have humans at the end of the system, you need to design for them. How they do their work and how they will use it. If you get frustrated that they won't behave professionally, then the problem is with you -- not the people.
The inventor of the Japanese subway tickets system had the same problem (regarding users not being precise enough, sometimes the tickets would go sideways, etc). People were sick and tired of having the machines eat their tickets just because they weren't in the correct position.
He was so pressured that he almost gave up, so to clear his mind, he took a walk in the park. When he was on a wooden bridge over a small river, he saw a leaf floating on the river moving against a rock. The leaf was perpendicular to the river flow, but then it collided with a small rock, that made it turn parallel with the flow.
Based on this idea, he implemented a small device consisting of a round piece of metal that would rotate the tickets to the correct order, so they would pass the magnetic scan. Currently this magnetic ticket system is implemented in many countries, including the Mexican subway which is over 25 years old now.
So, in the end, it all comes to this: A securely-designed system will pass (block) even the worst conditions. This is the space the Jericho Forum is working in to influence the Info Sec community to work securely.
Anonymous
The danger is always greatest from within...
Anonymous