Re: Thoughts on Jericho Forum

[Bruce Curtis <bruce.curtis () NDSU EDU>]

On Jun 14, 2007, at 2:11 PM, Karen Duncanson wrote:

> Steve's response is very good. To add to that, consider that the
> most economical security is prevention; in terms of time and
> dollars. If we can get the low hanging fruit with perimeter
> security then we will spend much less time chasing the things that
> get inside. We will be better able to identify and deal with
> nefarious activity that gets past the perimeter if we siphon off
> everything we can at the perimeter with good perimeter security
> practices. Host based prevention is very effective. It can be very
> costly in terms of dollars and administration time. It is most
> important for sensitive servers. We need Host based prevention. We
> also need to employ best practices at the perimeter. We need
> defense in depth.


  I think that one of the concepts from the Jericho forum and
elsewhere is that the perimeter is gone.  In the days when firewalls
first appeared in banks, to protect a network of Windows 3.1 machines
that could barely squeeze a TCP/IP stack in 640K and that machine was
only used to run two applications that only talked to the banks
mainframe, in those days a network firewall had some usefulness.
Nowadays every laptop has more processing power than the firewall
that originally protected the bank and therefore has the power to
protect itself.  In the old days we didn't have thousands of
computers leaving campus and then coming back the next day, we didn't
have everyone reading email and instant messages etc (multiple
avenues of attack).

  I agree that prevention is economical, that is why I prefer a host
based IPS that can prevent more problems than a firewall on the border.

  We can repeat the defense in depth mantra all we want, but a good
security warrior puts their resources in "defensible positions".
Cities no longer have walls because in the modern world we have tanks
and airplanes.  I think a modern network should have good host
defenses, and a good local police department to snuff out infected
machines quickly.



> ---- Original message ----
> > Date: Thu, 14 Jun 2007 08:33:44 -0600
> > From: "Lovaas,Steven" <Steven.Lovaas () COLOSTATE EDU>
> > Subject: Re: [SECURITY] Thoughts on Jericho Forum
> > To: SECURITY () LISTSERV EDUCAUSE EDU
> >
> > Endpoint security is a great idea. Deployed as part of a strategy
> > of defense in depth, client-based security measures strengthen the
> > entire system.
> >
> > But I would caution about going too far down this path too
> > quickly. Relying solely on one tactic opens you to vulnerability
> > when that tactic proves insufficient. I'd compare it to the
> > realization that a safe in your bedroom is a lot harder for a
> > thief to defeat than the lock on your front door. Does that mean
> > that, once you purchase a safe, you no longer lock your front door
> > at night? I don't think so; perhaps it DOES mean you don't have to
> > buy a much more expensive alarm/deadbolt system for your front door.
> >
> > Microsoft has been touting this approach of hardened endpoints,
> > ubiquitous authentication of traffic, encryption where required,
> > and intelligence on the client. But Microsoft sells computers, so
> > it makes sense for them to focus on that aspect of security. And
> > that works great when all of your clients are Microsoft machines
> > and are under enough of your control to have the relevant policies
> > and agents installed.
> >
> > Lacking that kind of standardization and control, it makes sense
> > to also have some sort of network-based protection. Whether that's
> > NAC or departmental and border firewalls or network IDS or a mix
> > of all these, depends on your environment.
> >
> > I love that Jericho and other folks are talking about these
> > concepts, and in a small, controlled environment their suggestions
> > would probably work great. I'll keep watching them...
> >
> > Steve
> >
> >
> >
> >
> > ==============================================
> > Steven Lovaas, MSIA, CISSP
> > Network Security Manager
> > Academic Computing & Network Services
> > Colorado State University
> > 970-297-3707
> > Steven.Lovaas () ColoState EDU
> > ============================================
> > -----Original Message-----
> > From: Bruce Curtis [mailto:bruce.curtis () NDSU EDU]
> > Sent: Wednesday, June 13, 2007 4:55 PM
> > To: SECURITY () LISTSERV EDUCAUSE EDU
> > Subject: Re: [SECURITY] Thoughts on Jericho Forum
> >
> > On Jun 13, 2007, at 5:15 PM, David Morton wrote:
> >
> > > Lately we've been engaged in some conversation about the Jericho
> > > Forum
> > > and their thoughts on security.
> > >
> > >
> > >
> > > Key issues such as the ineffectiveness of traditional perimeter
> > > defenses and encryption have rang true for a long time.
> > >
> > > Have the principals of the Jericho Forum been discussed at your
> > > organizations and if so, what has come out of those thoughts and
> > > discussions?
> > >
> > > David
> >
> >
> >   Yes, we agree about a lot of things with the Jericho Forum.  We
> > have no perimeter firewall and our video sessions work great, and
> > our multicast and IPv6 connectivity works great also.
> >
> >   We have a couple of departments that are using Native Transport
> > IPsec and it has been working well so far.  Which isn't a big
> > surprise since Microsoft has been using it for 200,000 plus
> > computers for quite a while.
> >
> >   http://www.microsoft.com/casestudies/casestudy.aspx?
> > casestudyid=49636
> >
> >
> >   http://www.microsoft.com/casestudies/casestudy.aspx?
> > casestudyid=49593
> >
> >
> >   http://www.microsoft.com/technet/itshowcase/content/
> > ipsecdomisolwp.mspx
> >
> >
> >   We haven't done it here yet but a University 60 miles away has
> > installed a host IPS on all of their computers.  To me that is a
> > much more efficient use of security dollars than spending money on
> > a device at the perimeter.  At least one of the Host IPS packages
> > that I have kept an eye on has protected from every Microsoft
> > vulnerability due to buffer overflow since I started looking at
> > the issue.  And that is protection before the vulnerability was
> > found, reported, announced and finally patched.
> >
> >   In our environment we have thousands of laptops that leave
> > campus every day, go who knows where, and then come back.  Even if
> > we had a firewall  only one click on any single host on the
> > network can lead to that host being compromised and then it could
> > scan the entire internal network.
> >
> >
> >
> >  ---
> > Bruce Curtis                         bruce.curtis () ndsu edu
> > Certified NetAnalyst II                701-231-8527
> > North Dakota State University
> Karen Duncanson, CISSP, CCNA
> UTS/Network Security Analyst
> www.oakland.edu/uts
> 248-370-2675


---
Bruce Curtis                         bruce.curtis () ndsu edu
Certified NetAnalyst II                701-231-8527
North Dakota State University