Friday, November 21, 2008

Don't Fight the Future

Digital security practitioners should fight today's battles while preparing for the future. I don't know what that future looks like, and neither does anyone else. However, I'd like to capture a few thoughts here. This is a mix of what I think will happen, plus what I would like to see happen. If I'm lucky (or good) the future will reflect these factors, for which I am planning.

A few caveats: I don't have an absolute time factor for these, and I'm not considering these my "predictions for 2009." This is not an endorsement of the Jericho Forum. I think it makes sense to plan for the environment I will describe next because it will be financially attractive, but not necessarily universally security-enhancing (or even smart).

  1. Virtual Private Network (VPN) connections will disappear. For many readers this is nothing groundbreaking, but bring up the possibility with a networking team and they stare in bewilderment. Is there any reason why a remote system needs to have a simulated connection, using all available protocols, to a corporate network? Some of you might limit the type of connection to certain protocols, but why not just expose those protocols directly to the outside world and avoid the VPN altogether?

  2. Intranets will disappear. This is the next step when you architect for situations where VPNs are no longer needed. What's the purpose of an Intranet if you expose all the corporate applications to the outside world? The Intranet essentially becomes a giant local ISP. That seems ripe for outsourcing. How many of you sit in a company office connected to someone else's network, perhaps using 3G, but still check your email or browse the Web? It's happening now.

  3. Every device might be able to talk to every other device. This restores the dream of "end-to-end connectivity" destroyed by NAT, firewalls, and other "middleboxes." IPv6 seems to be gaining some ground, at least in mindshare in the Western world and definitely on the ground in the Far East. "End-to-end" is a core idea of IPv6, but it scares me. Isolation is one of the few defensive measures that works in many intrusion scenarios.

  4. Preferably, only authorized applications will talk to other authorized applications. This is one way to deal with the previous point. It's more complicated to implement, but will make me sleep better. I would like the ability to configure how my endpoint talks to the world, and how the world talks to it. For me, I would like to completely disable functionality, and abandon any kind of network-based filtering or blocking mechanism. It is a travesty that I have to use some aspects of Microsoft SMB for business functions, but generally allow any SMB traffic if I'm not willing to run a host-based layer 7 firewall (aka "IPS").

  5. Every device must protect itself. This one really pains me, and I think it's the greatest risk. It is going to happen no matter how much security people protest. Again, it's already happening. Mobile devices are increasingly exposed to each other, with the owners completely at the mercy of the service provider. For me, this is an operational reality for which we must build in visibility and failure planning. We can't just assume everything will be ok, because prevention eventually fails. I'll say more on that later.

  6. Devices will often have to report their own status, but preferably to a central location. Again, scary. It means that if an endpoint is exploited, the best you're likely to get from it is a last-gasp log event as it reports something odd. After that a skilled intruder will make the endpoint appear as if nothing is wrong. At least if centralized logging is a core component you'll have that log as an indicator. However, past that point the endpoint cannot be trusted to report its state. This is happening more and more as mobile devices move from monitored connections (say a company network) to open ones (like wireless providers or personal broadband links).

  7. As fast, high-bandwidth wireless becomes ubiquitous, smart organizations will design platforms to rely on centralized remote storage and protection of critical data. For certain types of data, we have to hope that our varied mobile devices act as little more than terminals to cloud-hosted, well-mannered information stores. The more data we keep centrally, the less persistent it needs to be on end devices, and therefore the less exposed it can be. Central data is easier to deduplicate, back up, archive, classify, inventory, e-discover, retain, destroy, and manage.
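As an added example (not part of the original post), the following script is the central-collector side of point 6: it keeps the last status report per endpoint and flags any host whose reports have stopped, so the last event before the silence is surfaced as an indicator rather than lost. The log layout, the host names, the five-minute reporting interval and the alert text are all constructed for illustration and are not taken from the post.

```python
"""Central collector that surfaces "last gasp" events from endpoints that
go quiet. Added example, not code from the original post. The log format,
host names and thresholds below are assumptions made for the demonstration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample log, in an assumed "timestamp host kind detail" layout.
# laptop-01 keeps reporting; laptop-02 raises an alert and then falls silent.
SAMPLE_LOG = """\
2008-11-21T09:00:00 laptop-01 heartbeat ok
2008-11-21T09:00:00 laptop-02 heartbeat ok
2008-11-21T09:05:00 laptop-01 heartbeat ok
2008-11-21T09:05:00 laptop-02 heartbeat ok
2008-11-21T09:06:30 laptop-02 alert unexpected_process
2008-11-21T09:10:00 laptop-01 heartbeat ok
2008-11-21T09:15:00 laptop-01 heartbeat ok
"""


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str      # "heartbeat" or "alert" in the constructed sample
    detail: str


def parse_line(line: str) -> Event:
    """Parse one assumed-format line: ISO timestamp, host, kind, free text."""
    ts, host, kind, detail = line.split(" ", 3)
    return Event(datetime.fromisoformat(ts), host, kind, detail)


def ingest(text: str) -> Dict[str, List[Event]]:
    """Group events by host, oldest first, the way a collector would index them."""
    reports: Dict[str, List[Event]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = parse_line(line)
        reports.setdefault(ev.host, []).append(ev)
    for events in reports.values():
        events.sort(key=lambda e: e.ts)
    return reports


def find_silent(reports: Dict[str, List[Event]], now: datetime,
                max_gap: timedelta) -> List[dict]:
    """Return hosts whose last report is older than max_gap.

    The finding carries the last event the host sent. When that event was
    not a routine heartbeat it is marked as a last gasp: the only evidence
    the collector will ever get, since a compromised endpoint cannot be
    trusted to report its own state afterwards.
    """
    findings = []
    for host, events in sorted(reports.items()):
        last = events[-1]
        if now - last.ts > max_gap:
            findings.append({
                "host": host,
                "last_seen": last.ts,
                "last_event": f"{last.kind} {last.detail}",
                "last_gasp": last.kind != "heartbeat",
            })
    return findings


if __name__ == "__main__":
    # Evaluate at the time of the newest report, with the assumed 5-minute
    # heartbeat interval as the silence threshold.
    now = datetime(2008, 11, 21, 9, 15)
    for f in find_silent(ingest(SAMPLE_LOG), now, timedelta(minutes=5)):
        flag = "LAST GASP" if f["last_gasp"] else "silent"
        print(f'{f["host"]}: {flag}, last seen {f["last_seen"]}: {f["last_event"]}')
```

The silence check is the part that matters: the collector must raise on absence, not only on content, because after the last gasp nothing further will arrive from a host the intruder now controls. Any later "all clear" from that host should be treated as unverified until the machine is examined out of band.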


I called this post "don't fight the future" because I think these developments will transpire. The model they represent is financially more attractive to people who don't put security first, which is every decision maker I've met. This isn't necessarily a bad thing, but it does mean we security practitioners should be making plans for this new world.


Richard Bejtlich is teaching new classes in DC and Europe in 2009. Register by 1 Jan and 1 Feb, respectively, for the best rates.

5 comments:

Sid said...

End-to-end connectivity might be just a means to build secure overlay networks. That's the idea behind Mobile IPv6 for instance, and merely another way of thinking about your "perimeter". Because deperimeterization is nothing more than switching from a physical perimeter to a logical one.

Just 0,02EUR, and not an endorsement of the Jericho Forum either ;)

yoshi said...

1. "VPNs" aren't going anywhere. They are evolving. IPsec is going away (and none too soon in my book) and being replaced with SSL VPNs or similar approaches.

2. E-mail is not the only application out there. You are missing expenses, supply chain, time management, accounting, e-learning, news, and the few thousand other applications that people use to do their jobs. Even though my organization outsources HR and time management - I still have to log into the VPN to gain access to other applications.

3. False. Companies are segmenting their networks into risk categories not the reverse. (heck I am doing a job for a major organization right now around this)

4. True, sort of. Companies are determining what applications have different risk profiles. A well designed app with low risk will be able to do more within the organization than a higher risk application. And incentives are being offered to business groups to design 'secure' apps and follow policy.

5. Agree

6. Been advocating this for as long as I've been in this business but organizations are notoriously bad at implementing it.

7. Most organizations are already doing this.

Matt said...

1-3 just won't happen. Security policies won't allow it. There's absolutely no reason that the internet should be able to know the addressing scheme on my internal, private, secured network. In a security environment where leaking an internal path in the webserver is considered a bad thing, allowing the whole world to know your internal structure is unimaginable. And as Yoshi said, VPNs aren't going anywhere.

#5 is ridiculous. It's architecturally a step backwards. Managing individual devices in a world where every lightbulb has its own IP is...counterintuitive at best.

6-7 are in the process of happening now. I'm seeing more status agents for reporting back to the centralized monitoring server, and bandwidth is never decreasing.
