A few caveats: I don't have an absolute time factor for these, and I'm not considering these my "predictions for 2009." This is not an endorsement of the Jericho Forum. I think it makes sense to plan for the environment I will describe next because it will be financially attractive, but not necessarily universally security-enhancing (or even smart).
- Virtual Private Network (VPN) connections will disappear. For many readers this is nothing groundbreaking, but bring up the possibility with a networking team and they stare in bewilderment. Is there any reason why a remote system needs to have a simulated connection, using all available protocols, to a corporate network? Some of you might limit the type of connection to certain protocols, but why not just expose those protocols directly to the outside world and avoid the VPN altogether?
- Intranets will disappear. This is the next step when you architect for situations where VPNs are no longer needed. What's the purpose of an Intranet if you expose all the corporate applications to the outside world? The Intranet essentially becomes a giant local ISP. That seems ripe for outsourcing. How many of you sit in a company office connected to someone else's network, perhaps using 3G, but still check your email or browse the Web? It's happening now.
- Every device might be able to talk to every other device. This restores the dream of "end-to-end connectivity" destroyed by NAT, firewalls, and other "middleboxes." IPv6 seems to be making some ground, at least in mindshare in the Western world and definitely on the ground in the Far East. "End-to-end" is a core idea of IPv6, but scares me. Isolation is one of the few defensive measures that works in many intrusion scenarios.
- Preferably, only authorized applications will talk to other authorized applications. This is one way to deal with the previous point. It's more complicated to implement, but will make me sleep better. I would like the ability to configure how my endpoint talks to the world, and how the world talks to it. For me, I would like to completely disable functionality, and abandon any kind of network-based filtering or blocking mechanism. It is a travesty that I have to use some aspects of Microsoft SMB for business functions, but generally allow any SMB traffic if I'm not willing to run a host-based layer 7 firewall (aka "IPS").
- Every device must protect itself. This one really pains me, and I think it's the greatest risk. This one is going to happen no matter how much protests security people make. Again, it's already happening. Mobile devices are increasingly exposed to each other, with the owners completely at the mercy of the service provider. For me, this is an operational reality for which we must build in visibility and failure planning. We can't just assume everything will be ok, because prevention eventually fails. I'll say more on that later.
- Devices will often have to report their own status, but preferably to a central location. Again, scary. It means that if an endpoint is exploited, the best you're likely to get from it is a last log event gasp as it reports something odd. After that a skilled intruder will make the endpoint appear as if nothing is wrong. At least if centralized logging is a core component you'll have that log as an indicator. However, past that point the endpoint cannot be trusted to report its state. This is happening more and more as mobile devices move from monitored connections (say a company network) to open ones (like wireless providers or personal broadband links).
- As fast, high-bandwidth wireless becomes ubiquitous, smart organizations will design platforms to rely on centralized remote storage and protection of critical data. For certain types of data, we have to hope that our varied mobile devices act as little more than terminals to cloud-hosted, well-mannered information stores. The more data we keep centrally, the less persistent it needs to be on end devices, and therefore the less exposed it can be. Central data is easier to deduplicate, back up, archive, classify, inventory, e-discover, retain, destroy, and manage.
I called this post "don't fight the future" because I think these developments will transpire. The model they represent is financially more attractive to people who don't put security first, which is every decision maker I've met. This isn't necessarily a bad thing, but it does mean we security practitioners should be making plans for this new world.
Richard Bejtlich is teaching new classes in DC and Europe in 2009. Register by 1 Jan and 1 Feb, respectively, for the best rates.