Re: Thoughts on Jericho Forum

[Jordan Wiens <numatrix () UFL EDU>]

On Jun 14, 2007, at 3:43 PM, Bruce Curtis wrote:

> On Jun 14, 2007, at 2:11 PM, Karen Duncanson wrote:
>
> > Steve's response is very good. To add to that, consider that the
> > most economical security is prevention; in terms of time and
> > dollars. If we can get the low hanging fruit with perimeter
> > security then we will spend much less time chasing the things that
> > get inside. We will be better able to identify and deal with
> > nefarious activity that gets past the perimeter if we siphon off
> > everything we can at the perimeter with good perimeter security
> > practices. Host based prevention is very effective. It can be very
> > costly in terms of dollars and administration time. It is most
> > important for sensitive servers. We need Host based prevention. We
> > also need to employ best practices at the perimeter. We need
> > defense in depth.
>
>
>   I think that one of the concepts from the Jericho forum and
> elsewhere is that the perimeter is gone.  In the days when
> firewalls first appeared in banks, to protect a network of Windows
> 3.1 machines that could barely squeeze a TCP/IP stack in 640K and
> that machine was only used to run two applications that only talked
> to the banks mainframe, in those days a network firewall had some
> usefulness.  Nowadays every laptop has more processing power than
> the firewall that originally protected the bank and therefore has
> the power to protect itself.  In the old days we didn't have
> thousands of computers leaving campus and then coming back the next
> day, we didn't have everyone reading email and instant messages etc
> (multiple avenues of attack).

I'm in total agreement that the "perimeter" that we have now is not
the same defensible position that once existed.  That said, there's
still a lot of value in a /detection/ model that takes into account
natural bottlenecks for traffic.

While I know that all manner of malicious code enters campus by legs,
bikes, cars, and buses, once it's here and on the network, most of
it--nearly all of it--will be trying to talk to the internet at
large.  There are many problems with trying to keep malware from ever
getting on campus, however no matter how it arrives, I can at least
detect it based on those few places where traffic's aggregated enough
to support consistent and thorough analysis.

--
Jordan Wiens, CISSP
UF Network Security Engineer
(352)392-2061


>   I agree that prevention is economical, that is why I prefer a
> host based IPS that can prevent more problems than a firewall on
> the border.
>
>   We can repeat the defense in depth mantra all we want, but a good
> security warrior puts their resources in "defensible positions".
> Cities no longer have walls because in the modern world we have
> tanks and airplanes.  I think a modern network should have good
> host defenses, and a good local police department to snuff out
> infected machines quickly.
>
>
>
> > ---- Original message ----
> > > Date: Thu, 14 Jun 2007 08:33:44 -0600
> > > From: "Lovaas,Steven" <Steven.Lovaas () COLOSTATE EDU>
> > > Subject: Re: [SECURITY] Thoughts on Jericho Forum
> > > To: SECURITY () LISTSERV EDUCAUSE EDU
> > >
> > > Endpoint security is a great idea. Deployed as part of a strategy
> > > of defense in depth, client-based security measures strengthen
> > > the entire system.
> > >
> > > But I would caution about going too far down this path too
> > > quickly. Relying solely on one tactic opens you to vulnerability
> > > when that tactic proves insufficient. I'd compare it to the
> > > realization that a safe in your bedroom is a lot harder for a
> > > thief to defeat than the lock on your front door. Does that mean
> > > that, once you purchase a safe, you no longer lock your front
> > > door at night? I don't think so; perhaps it DOES mean you don't
> > > have to buy a much more expensive alarm/deadbolt system for your
> > > front door.
> > >
> > > Microsoft has been touting this approach of hardened endpoints,
> > > ubiquitous authentication of traffic, encryption where required,
> > > and intelligence on the client. But Microsoft sells computers, so
> > > it makes sense for them to focus on that aspect of security. And
> > > that works great when all of your clients are Microsoft machines
> > > and are under enough of your control to have the relevant
> > > policies and agents installed.
> > >
> > > Lacking that kind of standardization and control, it makes sense
> > > to also have some sort of network-based protection. Whether
> > > that's NAC or departmental and border firewalls or network IDS or
> > > a mix of all these, depends on your environment.
> > >
> > > I love that Jericho and other folks are talking about these
> > > concepts, and in a small, controlled environment their
> > > suggestions would probably work great. I'll keep watching them...
> > >
> > > Steve
> > >
> > >
> > >
> > >
> > > ==============================================
> > > Steven Lovaas, MSIA, CISSP
> > > Network Security Manager
> > > Academic Computing & Network Services
> > > Colorado State University
> > > 970-297-3707
> > > Steven.Lovaas () ColoState EDU
> > > ============================================
> > > -----Original Message-----
> > > From: Bruce Curtis [mailto:bruce.curtis () NDSU EDU]
> > > Sent: Wednesday, June 13, 2007 4:55 PM
> > > To: SECURITY () LISTSERV EDUCAUSE EDU
> > > Subject: Re: [SECURITY] Thoughts on Jericho Forum
> > >
> > > On Jun 13, 2007, at 5:15 PM, David Morton wrote:
> > >
> > > > Lately we've been engaged in some conversation about the Jericho
> > > > Forum
> > > > and their thoughts on security.
> > > >
> > > >
> > > >
> > > > Key issues such as the ineffectiveness of traditional perimeter
> > > > defenses and encryption have rang true for a long time.
> > > >
> > > > Have the principals of the Jericho Forum been discussed at your
> > > > organizations and if so, what has come out of those thoughts and
> > > > discussions?
> > > >
> > > > David
> > >
> > >
> > >   Yes, we agree about a lot of things with the Jericho Forum.  We
> > > have no perimeter firewall and our video sessions work great, and
> > > our multicast and IPv6 connectivity works great also.
> > >
> > >   We have a couple of departments that are using Native Transport
> > > IPsec and it has been working well so far.  Which isn't a big
> > > surprise since Microsoft has been using it for 200,000 plus
> > > computers for quite a while.
> > >
> > >   http://www.microsoft.com/casestudies/casestudy.aspx?
> > > casestudyid=49636
> > >
> > >
> > >   http://www.microsoft.com/casestudies/casestudy.aspx?
> > > casestudyid=49593
> > >
> > >
> > >   http://www.microsoft.com/technet/itshowcase/content/
> > > ipsecdomisolwp.mspx
> > >
> > >
> > >   We haven't done it here yet but a University 60 miles away has
> > > installed a host IPS on all of their computers.  To me that is a
> > > much more efficient use of security dollars than spending money
> > > on a device at the perimeter.  At least one of the Host IPS
> > > packages that I have kept an eye on has protected from every
> > > Microsoft vulnerability due to buffer overflow since I started
> > > looking at the issue.  And that is protection before the
> > > vulnerability was found, reported, announced and finally patched.
> > >
> > >   In our environment we have thousands of laptops that leave
> > > campus every day, go who knows where, and then come back.  Even
> > > if we had a firewall  only one click on any single host on the
> > > network can lead to that host being compromised and then it could
> > > scan the entire internal network.
> > >
> > >
> > >
> > >  ---
> > > Bruce Curtis                         bruce.curtis () ndsu edu
> > > Certified NetAnalyst II                701-231-8527
> > > North Dakota State University
> > Karen Duncanson, CISSP, CCNA
> > UTS/Network Security Analyst
> > www.oakland.edu/uts
> > 248-370-2675
>
>
> ---
> Bruce Curtis                         bruce.curtis () ndsu edu
> Certified NetAnalyst II                701-231-8527
> North Dakota State University