Tuesday, February 22, 2005

The Jericho Forum

You may have read of The Jericho Forum in the latest SC Magazine. The Jericho Forum describes itself as "an international forum of IT customer and vendor organisations dedicated to the development of open standards to enable secure, boundaryless information flows across organisations." I read stories on them as early as March 2004, two months after they formed. The group appears to be built from representatives of European companies.

They are attracting attention for their "de-perimeterisation" and "open network" ideas, which their "Visioning White Paper" defines as follows:

"de-perimeterisation: the act of applying organisational and technical design changes to enable collaboration and commerce beyond the constraints of existing perimeters, through cross-organisational processes, services, security standards and assurance"

"open network: a network freely accessible at low or no cost to arbitrary communicating parties, such as but not limited to the public global Internet, with few or no inbuilt information security controls protecting the use of that network (although the network infrastructure itself will typically have some protection in order to support the provision of a service of useful quality)"

If you'd like to read more wordy explanations, I recommend diving into the 39-page "Visioning White Paper." It offers some of the most painful English I've seen. I think it could have been reduced to 1/4 of its present size.

Sorting through the text, we see The Jericho Group intends to push de-perimeterisation as a means to achieve open networks. They cite "increasing on-line collaboration and trading among multiple business entities," "outsourcing and offshoring of support services," and "use of low cost open networks" as reasons to pursue de-perimeterisation. They believe "existing security approaches are a barrier to change because they assume... an organisation owns, controls, and is accountable for the ITC [information and communications technology] it employs... and all individuals sit within organisations." I do not disagree with either point.

As for the group's focus, we read "Jericho Forum will therefore primarily focus on information flows that span organisations and individuals and how to secure and manage these across open networks. The focus will be on business to business (B2B) and business to government (B2G) flows, but not exclusively."

The Jericho Group cites the following as evidence of the need for de-perimeterisation. "For complex networks, protocols, and application access requirements involving customers, business partners or suppliers, firewall complexity and cost of operation will rise... Many communication protocols now run within the web (HTTP) protocol to allow 'tunneling'; indeed arbitrary tunnelling is possible rendering 'layered' communications architectures meaningless... De-perimeterisation involves re-appraising where security controls are positioned, re-balancing cost and complexity. This may involve moving security controls from firewalls or proxies to internal end systems or applications, or if the confidentiality or integrity of data is paramount, to move controls from the systems and data repositories that hold data at rest to the data itself (i.e. using cryptographic techniques)."

Leaving clunky language aside, let's consider their argument. Although I do not see this mentioned in the group's paper, I would agree that individual hosts should be able to defend themselves. This has historically been a problem for operating systems not designed to survive the public Internet. I endorse making individual hosts and their applications more independent and reliable.

However, no organization that has spent hundreds of thousands of dollars on firewalls and other perimeter security devices is going to abandon them. Despite the starry-eyed cries of IPv6 developers who long for the days of unfettered end-to-end connectivity, most hosts on the Internet will continue to be separated by a wide variety of "middleboxes."

Anywhere that organizational access controls can be deployed, they should be deployed. When security rests entirely with the end host, the compromise of that end host means complete loss of control for the responsible enterprise. If a "de-perimeterised" company suffers a worm outbreak, and it has abandoned its perimeter access controls and segmented subnets, what will stop the worm from spreading? If that same organization is subjected to a denial of service attack, how will victim hosts on a "de-perimeterised" network defend themselves?

A principle of security that will not disappear is defense-in-depth. Hosts should be self-reliant and survivable, and they should still function within perimeters, however porous various technologies may seem to make them.

Other stories on the Jericho Forum can be found here, here, here, and here. Those needing a Biblical refresher to appreciate the significance of the name "Jericho" might find this link useful.

1 comment:

Anonymous said...

Interesting post on the Jericho Group. Sometimes I get the feeling that some people force wordy language into subjects and sentences that simply don't need it...maybe in some need to sound smarter.

Anyway, I don't think deperimeterization will happen any time soon. Right now it is far too convenient to put some security/controls on devices that have to perform NAT or other choke-functions...something we have to do because of limited IP addresses. Even given multiple IP addresses, I don't think a majority of techs or business owners will feel all that safe just letting loose individual hosts (albeit hardened hosts) out into the virtual world. There will still be audits, and security standards, and organizations that insist on having some separation from the unforgiving wilds...even in the face of amazingly protected individual hosts.

Their ideal is interesting to ponder, but I don't think I would lend any weight to the argument for a number of years to come, at best.

Historically, defense in depth has lived quite a life, especially when seen in the eyes of war. I'm not even going to bother to wade into that particular analogy, but to me, an open network subjected to de-perimeterization is a flower-child-like ideal...something achievable only in limited situations and only if there is some real semblance of large-scale peace in the virtual world. I don't think this idea is very realistic when taken strictly, nor do I think it is scalable to any significant measure.

Maybe it should be limited to "that which happens when mergers and acquisitions occur that thrust wholly isolated and separate networks into one large conglomerate with a need to open the flood gates of information and communication between once separate entities."
-LonerVamp