RE: Worms, Air Gaps and Responsibility

[Dana Nowell <DanaNowell () cornerstonesoftware com>]

At 05:28 PM 5/18/2004 -0400, Paul D. Robertson wrote:
> They're also unlikely to read Firewall-Wizards, and therefore unlikely to
> get any of the points made...

Exactly, so none of this filters down to the average guy.

> However, one of my original points still stands- if we the security
> community make common practice to question connectivity _at_all_ then it's
> more likely that such ideas will filter down to those who are interested.

Some have been doing it awhile, hasn't worked yet.  We can check the
archives but you've done it, Marcus has, and several others (including me a
few times).  Glaciers move quicker, we need more people and preferably
people with bigger armorments.  If you mean the ENTIRE security community,
put me in coach.  Oh, that's just as soon as we get them to agree as well.

> [I know a fair number of folks who administer small networks who care
> about and spend time on security- if "nobody does it" or "nobody gives me
> a reason to do it" then it doesn't get done, but with peer activity and
> good rationale, it has a chance of being adopted.]

Yup, I'm one.  Total company staff across all divisions and locations ~35,
not exactly a huge multinational here.  Now that I'm a charter member of
the club, exactly how much does that increase my clout with vendors and
customers that have outrageous network requests.

> I'm going to use a real world example.  Two years or so ago, I met a
> network administrator for a swimming pool company at a conference.  They
> said "I'd like to do more security stuff, but it really doesn't apply, we
> sell and maintain swimming pools- like $large_name's house,
> $important_CEO's name's house...."
>
> I said "Let me get this straight- you have people driving large trucks
> full of chlorine with access to $list_of_people's residences, and you
> don't think you have a good case for security?"
>
> Now, does that mean they get to go out, purchase 3 firewalls, 2 AR-15's
> and a set of frequency hopping bone conductive radios?  Nope, but does it
> mean they can present some useful cases to management that allow them to
> do *what they really want to do*, which is secure their infrastructure in
> a sane way?  Absolutely.

Good, exactly what I want.  Now instead of you, me, Marcus (inventor of the
original 'air gap' firewall;), and a half dozen others (OK, a few hundred)
from the list doing it one on one in a conference bar, how about we target
several hundred/thousand/million at a clip and make some headway.  I just
need to figure out a way to do it.

> > network, it is less than useful.  I'm willing to bet that the bulk of the
> > network connections (specifically the more insecure parts of the Internet)
> > falls into the short term bucket, especially with home use.
>
> I'm going to offer a follow-up to "It doesn't have to be our fault to be
> our responsibility."  It doesn't have to be our responsibility for us to
> try to make it better.
>
> > Premise: these networks/hosts will be compromised, as air gaps are unlikely
> > to be implemented and new technology connected devices will flourish, that
> > creates a lot of places for bugs to breed.
>
> Premise:  Every network operator we get to do the right thing[tm] means
> one less network to produce traffic which attacks us.

Unfortunately I feel we are creating a hundred networks a day and
converting ten admins a day, the ship is sinking captain.

> > Premise: devices are moving toward interconnectivity via Infrared,
> > Bluetooth, WiFi, 802.11, and other technologies.  Direct peer-to-peer
> > connectivity between these devices is coming and one day 'soon' walking
> > down the street with one in your pocket will cause tens or hundreds of
> > connections to be attempted/created/broken, with all the inherent risks.
>
> Premise: When this becomes a real risk, we'll get real solutions.

I fear that soon we will be leaking faster than we can bail.  Add in the
time for answers to filter down to the common folk and it ain't looking
good.  I've been around awhile, so have you if I remember right.  I think
about the industry when I started to now and the level of change is scary.
Then I think of the level of change (threats) in say the last 5 years, very
scary.  It's going faster and faster, we will need a REALLY big bailing
bucket in about 10 years.

> > Premise: security typically lags functionality as new technology rolls out
> > (palms get synced to desktops before security knows a palm is in the
> > building in most companies).
>
> Premise: New technologies aren't attacked at the same rate as current
> technologies, and therefore need less protection.

Counter premise: we are creating them at a faster rate, law of large
numbers will still soon apply.

> > Conclusion: Air gaps will not solve the problem as large breeding grounds,
> > device connectivity, and security lag will allow networks to be
> > compromised.  At best air gaps are another stop gap measure, which is
> > certainly better than nothing. but not much.
>
> Fact: If the network can be attacked via a foreign device, it doesn't have
> an air gap.  That doesn't make air gaps less effective.  That's like
> saying "If I ran Windows in an X86 emulator on my Sparc, it'd be as
> vulnerable as Windows!"  Air gaps are effective protection devices.

Never intended to argue air gaps aren't effective, intended to argue that
the definition of air gap changes and that business demands will cause
bridging (i.e., not effective long term).  Consequently it is like every
other tool in our belt.  Theoretically proxies work just fine, if they
greatly restrict what you can do and validate all the input.  They don't
always work in practice because people don't do that and they always need
another hole through the wall or another appliction running over HTTP.  Air
gaps will work well, until devices cross the gap because we didn't notice
(or have a choice).  When we notice the device will be ingrained into the
business process and we will not be able to stop it at the door.  Then we
cobble together something just like always and start searching for the next
evolution of the tool.

> I've worked in places where you couldn't take a pager, camera, laptop, or
> whatever else into the facility.  The air gap there was particularly
> effective.
>
> > Whine: The security professionals in the Internet community need to take a
> > longer view.  Until we 'solve' the problem for the average guy playing a
> > short term game (or at least greatly reduce his risk) we can't really solve
> > the issue in our own networks, we can only play technology catch-up.  We
>
> Counter-Whine:  You can't dismiss strategic thinking then say we need to
> take a longer view!

Not my point, I was claiming the 'strategic thinking' wasn't strategic
enough (in fact I'm not sure it is strategic, really).  Strategic thinking
that claims people need to understand their critical infrastructure vs.
their non critical and they need to understand the concept of air gaps
across technology that doesn't exist yet and enforce all that, only works
for the best and brightest not the average guy.  It also is not truely long
term strategic thinking, IMO, more like medium term.  Why, because it will
eventually fail, maintaining a true air gap is difficult and requires
complex planning, not good.

I want to expand the pool to a broader base, not just critical 'national'
or 'large company' infrastructure but critical small company
infrastructure.  Why, because those guys become government contractors and
contractors to large companies.  A knowledge based economy can mean a
critical VPN to a one guy shop to debug a showstopper production problem.
This is especially true in the financial sector when an overnight delay can
cost millions.  I can assure you that if it is 'bridge the air gap' or be
out several tens of millions each day, some one WILL walk into your office
(been there, seen that).  

So does the air gap improve the situation, yes, production problems do not
occur every day and new technology devices do not sneak in everyday.  Is
the air gap practical, certainly for large corporations, probably for
medium corporations, only somewhat for smaller corporations, and not
practical for homes, IMO.  Is a device taken home going to find it's way
onto a production network, you bet.  

I'm not trying to say that air gaps are bad.  I DO think the discussion is
good.  In fact any discussion that educates people to improve security is
worth my time.  But I am old enough to remember having similar discussions
about proxies, so are you.

> > need to be involved either via this list or another mechanism in helping
> > set device/protocol 'best practices' and beating vendors about the head
> > until they do it, so security is designed in rather than cobbled on.  We
>
> Nobody's willing to pay for security to be designed in, can't in that
> battle.

But I want to eat my cake and have it too :-).  Seriously, this could be as
small as banning or walling  bad protocols from production systems due to
published 'best practices'.  Tell me this isn't a requirement of 'air gap'
or better yet, explain your air gap if the production environment requires
integrated bluetooth or 802.11 protocols :-).  Sometimes it helps the small
guy to have a published 'best practices' document to hit the boss on the
head with.  If enough people do it, the market will respond.  If it's me,
you, and the dozen other list members that are pains in the vendor's butt,
we'll lose.  

Now the have my cake and eat it part: let's make the 'best practices' list
bigger.  There is a boat load of IQ points and experience here, we ought to
be able to see if it is practical or if diverse requirements kill it.  How
many people on this list?  If we could create a 'best practices' suite
(small business, home, large corp, critical infrastructure, ...) and say
30% of the list signs on to pound vendors and bosses about the head with it
as circumstances permit, wouldn't that broaden the discussion base and
improve security education and hopefully the state of network security?
(OK, so I like to dream big)


> > need to concentrate on how we solve the political/corporate/vendor issue
> > and not the technical issue because the technical issue isn't soluble (not
> > that the political issue is, but we might get more bang for the effort
> > buck).  Basically I'm damned tired of fighting the same war and upgrading
> > from a rock to a knife to a dagger to a sword to a flintlock to a ...  So
> > air gaps are nice, but in the long run, it's just another musket, one that
> > will be circumvented by targeting devices difficult to air gap (PDAs
>
> The original message wasn't about airgapping desktops, it was about
> airgapping non-user production networks, such as power distribution
> systems, medical equipment (think the a CAT scanner should be on
> the same network as the person in the mail room at the hospital?)

No but at some point the CAT scanner will be on the same network that the
tech's diagnostic computer is on, and where was that last?  Or are you
saying that every CAT scanner installed will have a dedicated diagnostic
computer and that media with diagnostic software upgrades will be vetted
before being allowed to cross the air gap (remember the difficult to
maintain, complex planning comment)?

And last I checked some desktops exist in production areas, like monitoring
systems and operator consoles.  I never intended to imply it was the mail
clerk's desktop.  How about we make it the operator's desktop and he wants
to download a log to take and study.  He does it via his new wizbang toy
that is not on this week's list of 'leave that device at the door before
you enter' devices.  You know, the one he plugged into his home network
this morning to download some mail to read on break, oops.

> > syncing to desktop?).  Before you ask, no I don't have a plan.  Like most
> > in a small company I spend 95% of my day digging a deeper foxhole and
> > looking over the latest in flintlock design.  We have a lot of bright
> > people here and we ought to be using those IQ points for the long term
> > instead of designing today's Mark XII network rock.
>
> Just like they're not appropriate for user networks where you can't
> enforce device additions, they're appropriate for sets of networks in lots
> of organizations.  In my mind, air gaps are more effective than buying and
> deploying IPS (you want a new flintlock?) for a large number of networks.

Yes, it is a good tool.  So were proxies for the time they lasted and the
next tools will be even better, I'm sure of it. Face it, air gaps as a
strategy have been around for a LONG time, Marcus' trademarked wirecutter
'air gap' firewall (just don't connect it, oh wait ...) and Proxies, 'the
software air gap', to name a couple.  All good tools in their time.  But
each was only the next evolution in tools, education wins over tools every
time in my opinion, that whole teach a man to fish concept (but then I'm an
old stubborn pain in the ass).  Plus the more educated the boss becomes the
less hassle we get when we say, "No you are not connecting that to the
network" to someone.  The more educated the vendors become the more
selection of toys we have.  The more educated admins get, the more voices
in the choir singing to bosses and vendors.  (Like I said, dream big)

If we do not find some effective way of slowing this mess down, the boat
will be swamped and the bailing bucket WAY too small.  Maybe education as a
long term solution is a dream, maybe not.  I can assure you that air gaps
won't cut it long term, good in theory but bad in practice is my call on
that.  If you are going to think in the strategic space, do it long term,
tackle the hard problem.  We have lots of talent here, is anyone else
better qualified to attack the problem with a ten or twenty year view?

> Sure, protocol and vendor issues abound, but so do the basic network
> design issues that are able to negate large swaths of protocol and vendor
> issues.  We've touched on some of them in this thread, like inter-machine
> communication, separation, segmentation, per-class networking, etc.  One
> answer isn't going to get us where we want to go any more than one vehicle
> is going to make everyone happy on the road.  What we can do is ensure
> that mopeds don't go on freeways, skateboards aren't used inside the
> office and that people pull over for emergency vehicles.  We won't get
> 100% compliance, but we'll get navigable roads and we can ticket the
> offenders.  We can also deal with people who're not doing what the rest of
> us are doing by making them liable for their actions, or ensuring they
> need to be insured beyond what the rest of us are- either way is
> effective.

So let's write this stuff down and use it to educate the masses or at least
the masters (and those insurance companies and contract departments).  Find
a way to give it to the little guy in the foxhole so he can be enlightened
and enlighten others.  I'm not against air gaps, I'm against magic bullets
(OK, maybe not education).  I'm against being handed a new tool and being
told either 'trust me it solves the problem' or 'well, it is the best we
can do'.  I'm too old and been around too long to believe the former and
I'm way too fed up and see way too much future acceleration in problems to
accept the latter as sufficient.  

We need a better plan.  For lack of something better, I always fall back to
education (although contract liability is good too;).  We just need a way
to avoid glacial pace education, some way to make a dent either in vendors
that produce trash or admins/consumers that buy/connect trash.  I'm not
sure 'best practices' is it but I'm willing to steal^H^H^H^H^H borrow a
good idea from anyone on the list.  I'm not even sure education is it, I'm
open to ANY effective LONG TERM strategic plan.  But I'm just not excited
about the new tool, I'll wait for next month's upgrade.


-- 
Dana Nowell     Cornerstone Software Inc.
Voice: 603-595-7480 Fax: 603-882-7313
email: DanaNowell_at_CornerstoneSoftware.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards