Re: Thoughts on Jericho Forum

[Bruce Curtis <bruce.curtis () NDSU EDU>]

On Jun 14, 2007, at 2:09 PM, Lovaas,Steven wrote:

> Thanks, Deke, for illuminating some of the unstated assumptions
> that are always present in analogies. You're right that the
> strength of the analogy depends on where you put the border.
>
> The reason I chose the front door, other than familiarity, is that
> I have good reason to feel justified in controlling everything that
> happens inside my house (cats aside). The city limits, on the other
> hand, represent a different balance of control, usage, and risk.
> The farther out you put a broad-based filtering mechanism (think:
> the wall between Texas and Mexico), the less likely it is to be the
> most effective solution. On the other hand, the closer you place
> protective mechanisms (the bedroom safe), the more of them you
> require ($$) and the more likely you are to miss some.

  Deke responded with the same thoughts that I had when I first read
your posting.  The streets are like the network and houses are more
like PCs, nowadays almost no cities have walls and gates (for good
reasons) but everyone does have locks on their front door.  To take
the example further we even have portable items we call "cars" that
are mobile and move around the city or even outside the city and
these cars are often left unattended in basically a field but the
cars have locks on them.  (Cars are kind of like laptops.)

> You might argue that my analogy works better for supporting
> departmental firewalls rather than a border one. I think you'd be
> right. We have a border firewall, but I don't view it as more than
> a "public health" sort of measure, and I don't make server admins
> write a novel when they want a hole poked for a real application.
> The bulk of the protection of the truly important parts of our
> network lies in a combination of host-based security and
> departmental network control.

  A departmental firewall would be more like a "gated" neighborhood,
which there are a few of but which I think are the minority rather
than the majority of neighborhoods.

  In "Firewalls and Internet Security" the authors recommend that
you never have more than 40 computers behind a firewall.  I think
that if we were to try to get to that point it would be less
expensive to have host based firewalls that are managed centrally
(which several vendors offer).

  But even departmental firewalls don't protect against the neighbor
in the next cubicle clicking on the wrong link and then scanning my
machine, however a host based firewall can prevent against that scan
and a host based IPS can provide protection against the vulnerability
exploited by clicking on the wrong link even before the vulnerability
was announced.

> Good insights...
>
> And just for the record, I'd love to work in an organization that
> could run itself according to the Jericho ideas. It would free me
> to do some more interesting work on the real security threats
> inside: the people.
>
> Steve


> ==============================================
> Steven Lovaas, MSIA, CISSP
> Network Security Manager
> Academic Computing & Network Services
> Colorado State University
> 970-297-3707
> Steven.Lovaas () ColoState EDU
> ============================================
> -----Original Message-----
> From: Deke Kassabian [mailto:deke () ISC UPENN EDU]
> Sent: Thursday, June 14, 2007 11:58 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Thoughts on Jericho Forum
>
> --On Thursday, June 14, 2007 8:33 AM -0600 "Lovaas,Steven"
> <Steven.Lovaas () COLOSTATE EDU> wrote:
> > Endpoint security is a great idea. Deployed as part of a strategy of
> > defense in depth, client-based security measures strengthen the
> > entire
> > system.
>
> I'm generally a fan of Defense in Depth, too.  But that doesn't
> necessarily mean that I'm a fan of perimeter firewalls.  I am,
> though, a fan of adding detection and light filtering to networks
> layered into excellent endpoint security.
>
> > But I would caution about going too far down this path too quickly.
> > Relying solely on one tactic opens you to vulnerability when that
> > tactic proves insufficient. I'd compare it to the realization that a
> > safe in your bedroom is a lot harder for a thief to defeat than the
> > lock on your front door. Does that mean that, once you purchase a
> > safe, you no longer lock your front door at night? I don't think so;
> > perhaps it DOES mean you don't have to buy a much more expensive
> > alarm/deadbolt system for your front door.
>
> Analogies can be useful.  They can also sometimes mislead.
>
> What if we move bedroom -> front door, and front-door -> city limits.
>
> Now it reads:
> Does that mean that, once you purchase a front door lock, you no
> longer lock the gate at the city limits at night?
>
> Does this change how the analogy makes us think about perimeters?
>
> ^Deke
>
>
> > Microsoft has been touting this approach of hardened endpoints,
> > ubiquitous authentication of traffic, encryption where required, and
> > intelligence on the client. But Microsoft sells computers, so it
> > makes
> > sense for them to focus on that aspect of security. And that works
> > great when all of your clients are Microsoft machines and are under
> > enough of your control to have the relevant policies and agents
> > installed.
> >
> > Lacking that kind of standardization and control, it makes sense to
> > also have some sort of network-based protection. Whether that's
> > NAC or
> > departmental and border firewalls or network IDS or a mix of all
> > these, depends on your environment.
> >
> > I love that Jericho and other folks are talking about these concepts,
> > and in a small, controlled environment their suggestions would
> > probably work great. I'll keep watching them...
> >
> > Steve
> >
> >
> >
> >
> > ==============================================
> > Steven Lovaas, MSIA, CISSP
> > Network Security Manager
> > Academic Computing & Network Services
> > Colorado State University
> > 970-297-3707
> > Steven.Lovaas () ColoState EDU
> > ============================================
> > -----Original Message-----
> > From: Bruce Curtis [mailto:bruce.curtis () NDSU EDU]
> > Sent: Wednesday, June 13, 2007 4:55 PM
> > To: SECURITY () LISTSERV EDUCAUSE EDU
> > Subject: Re: [SECURITY] Thoughts on Jericho Forum
> >
> > On Jun 13, 2007, at 5:15 PM, David Morton wrote:
> >
> > > Lately we've been engaged in some conversation about the Jericho
> > > Forum and their thoughts on security.
> > >
> > >
> > >
> > > Key issues such as the ineffectiveness of traditional perimeter
> > > defenses and encryption have rang true for a long time.
> > >
> > > Have the principals of the Jericho Forum been discussed at your
> > > organizations and if so, what has come out of those thoughts and
> > > discussions?
> > >
> > > David
> >
> >
> >    Yes, we agree about a lot of things with the Jericho Forum.  We
> > have no perimeter firewall and our video sessions work great, and our
> > multicast and IPv6 connectivity works great also.
> >
> >    We have a couple of departments that are using Native Transport
> > IPsec and it has been working well so far.  Which isn't a big
> > surprise
> > since Microsoft has been using it for 200,000 plus computers for
> > quite
> > a while.
> >
> >
> > http://www.microsoft.com/casestudies/casestudy.aspx?casestudyid=49636
> >
> >
> >
> > http://www.microsoft.com/casestudies/casestudy.aspx?casestudyid=49593
> >
> >
> >    http://www.microsoft.com/technet/itshowcase/content/
> > ipsecdomisolwp.mspx
> >
> >
> >    We haven't done it here yet but a University 60 miles away has
> > installed a host IPS on all of their computers.  To me that is a much
> > more efficient use of security dollars than spending money on a
> > device
> > at the perimeter.  At least one of the Host IPS packages that I have
> > kept an eye on has protected from every Microsoft vulnerability
> > due to
> > buffer overflow since I started looking at the issue.  And that is
> > protection before the vulnerability was found, reported, announced
> > and
> > finally patched.
> >
> >    In our environment we have thousands of laptops that leave campus
> > every day, go who knows where, and then come back.  Even if we had a
> > firewall  only one click on any single host on the network can
> > lead to
> > that host being compromised and then it could scan the entire
> > internal
> > network.
> >
> >
> >
> >   ---
> > Bruce Curtis                         bruce.curtis () ndsu edu
> > Certified NetAnalyst II                701-231-8527
> > North Dakota State University
>
>
>
> -------
> Deke Kassabian,  Senior Technology Director Information Systems and
> Computing, University of Pennsylvania


---
Bruce Curtis                         bruce.curtis () ndsu edu
Certified NetAnalyst II                701-231-8527
North Dakota State University