Firewall Wizards mailing list archives
RE: Worms, Air Gaps and Responsibility
From: Dana Nowell <DanaNowell () cornerstonesoftware com>
Date: Tue, 18 May 2004 20:56:40 -0400
At 05:28 PM 5/18/2004 -0400, Paul D. Robertson wrote:
They're also unlikely to read Firewall-Wizards, and therefore unlikely to get any of the points made...
Exactly, so none of this filters down to the average guy.
However, one of my original points still stands- if we the security community make common practice to question connectivity _at_all_ then it's more likely that such ideas will filter down to those who are interested.
Some have been doing it awhile, hasn't worked yet. We can check the archives but you've done it, Marcus has, and several others (including me a few times). Glaciers move quicker, we need more people and preferably people with bigger armorments. If you mean the ENTIRE security community, put me in coach. Oh, that's just as soon as we get them to agree as well.
[I know a fair number of folks who administer small networks who care about and spend time on security- if "nobody does it" or "nobody gives me a reason to do it" then it doesn't get done, but with peer activity and good rationale, it has a chance of being adopted.]
Yup, I'm one. Total company staff across all divisions and locations ~35, not exactly a huge multinational here. Now that I'm a charter member of the club, exactly how much does that increase my clout with vendors and customers that have outrageous network requests.
I'm going to use a real world example. Two years or so ago, I met a network administrator for a swimming pool company at a conference. They said "I'd like to do more security stuff, but it really doesn't apply, we sell and maintain swimming pools- like $large_name's house, $important_CEO's name's house...." I said "Let me get this straight- you have people driving large trucks full of chlorine with access to $list_of_people's residences, and you don't think you have a good case for security?" Now, does that mean they get to go out, purchase 3 firewalls, 2 AR-15's and a set of frequency hopping bone conductive radios? Nope, but does it mean they can present some useful cases to management that allow them to do *what they really want to do*, which is secure their infrastructure in a sane way? Absolutely.
Good, exactly what I want. Now instead of you, me, Marcus (inventor of the original 'air gap' firewall;), and a half dozen others (OK, a few hundred) from the list doing it one on one in a conference bar, how about we target several hundred/thousand/million at a clip and make some headway. I just need to figure out a way to do it.
network, it is less than useful. I'm willing to bet that the bulk of the network connections (specifically the more insecure parts of the Internet) falls into the short term bucket, especially with home use.I'm going to offer a follow-up to "It doesn't have to be our fault to be our responsibility." It doesn't have to be our responsibility for us to try to make it better.Premise: these networks/hosts will be compromised, as air gaps are unlikely to be implemented and new technology connected devices will flourish, that creates a lot of places for bugs to breed.Premise: Every network operator we get to do the right thing[tm] means one less network to produce traffic which attacks us.
Unfortunately I feel we are creating a hundred networks a day and converting ten admins a day, the ship is sinking captain.
Premise: devices are moving toward interconnectivity via Infrared, Bluetooth, WiFi, 802.11, and other technologies. Direct peer-to-peer connectivity between these devices is coming and one day 'soon' walking down the street with one in your pocket will cause tens or hundreds of connections to be attempted/created/broken, with all the inherent risks.Premise: When this becomes a real risk, we'll get real solutions.
I fear that soon we will be leaking faster than we can bail. Add in the time for answers to filter down to the common folk and it ain't looking good. I've been around awhile, so have you if I remember right. I think about the industry when I started to now and the level of change is scary. Then I think of the level of change (threats) in say the last 5 years, very scary. It's going faster and faster, we will need a REALLY big bailing bucket in about 10 years.
Premise: security typically lags functionality as new technology rolls out (palms get synced to desktops before security knows a palm is in the building in most companies).Premise: New technologies aren't attacked at the same rate as current technologies, and therefore need less protection.
Counter premise: we are creating them at a faster rate, law of large numbers will still soon apply.
Conclusion: Air gaps will not solve the problem as large breeding grounds, device connectivity, and security lag will allow networks to be compromised. At best air gaps are another stop gap measure, which is certainly better than nothing. but not much.Fact: If the network can be attacked via a foreign device, it doesn't have an air gap. That doesn't make air gaps less effective. That's like saying "If I ran Windows in an X86 emulator on my Sparc, it'd be as vulnerable as Windows!" Air gaps are effective protection devices.
Never intended to argue air gaps aren't effective, intended to argue that the definition of air gap changes and that business demands will cause bridging (i.e., not effective long term). Consequently it is like every other tool in our belt. Theoretically proxies work just fine, if they greatly restrict what you can do and validate all the input. They don't always work in practice because people don't do that and they always need another hole through the wall or another appliction running over HTTP. Air gaps will work well, until devices cross the gap because we didn't notice (or have a choice). When we notice the device will be ingrained into the business process and we will not be able to stop it at the door. Then we cobble together something just like always and start searching for the next evolution of the tool.
I've worked in places where you couldn't take a pager, camera, laptop, or whatever else into the facility. The air gap there was particularly effective.Whine: The security professionals in the Internet community need to take a longer view. Until we 'solve' the problem for the average guy playing a short term game (or at least greatly reduce his risk) we can't really solve the issue in our own networks, we can only play technology catch-up. WeCounter-Whine: You can't dismiss strategic thinking then say we need to take a longer view!
Not my point, I was claiming the 'strategic thinking' wasn't strategic enough (in fact I'm not sure it is strategic, really). Strategic thinking that claims people need to understand their critical infrastructure vs. their non critical and they need to understand the concept of air gaps across technology that doesn't exist yet and enforce all that, only works for the best and brightest not the average guy. It also is not truely long term strategic thinking, IMO, more like medium term. Why, because it will eventually fail, maintaining a true air gap is difficult and requires complex planning, not good. I want to expand the pool to a broader base, not just critical 'national' or 'large company' infrastructure but critical small company infrastructure. Why, because those guys become government contractors and contractors to large companies. A knowledge based economy can mean a critical VPN to a one guy shop to debug a showstopper production problem. This is especially true in the financial sector when an overnight delay can cost millions. I can assure you that if it is 'bridge the air gap' or be out several tens of millions each day, some one WILL walk into your office (been there, seen that). So does the air gap improve the situation, yes, production problems do not occur every day and new technology devices do not sneak in everyday. Is the air gap practical, certainly for large corporations, probably for medium corporations, only somewhat for smaller corporations, and not practical for homes, IMO. Is a device taken home going to find it's way onto a production network, you bet. I'm not trying to say that air gaps are bad. I DO think the discussion is good. In fact any discussion that educates people to improve security is worth my time. But I am old enough to remember having similar discussions about proxies, so are you.
need to be involved either via this list or another mechanism in helping set device/protocol 'best practices' and beating vendors about the head until they do it, so security is designed in rather than cobbled on. WeNobody's willing to pay for security to be designed in, can't in that battle.
But I want to eat my cake and have it too :-). Seriously, this could be as small as banning or walling bad protocols from production systems due to published 'best practices'. Tell me this isn't a requirement of 'air gap' or better yet, explain your air gap if the production environment requires integrated bluetooth or 802.11 protocols :-). Sometimes it helps the small guy to have a published 'best practices' document to hit the boss on the head with. If enough people do it, the market will respond. If it's me, you, and the dozen other list members that are pains in the vendor's butt, we'll lose. Now the have my cake and eat it part: let's make the 'best practices' list bigger. There is a boat load of IQ points and experience here, we ought to be able to see if it is practical or if diverse requirements kill it. How many people on this list? If we could create a 'best practices' suite (small business, home, large corp, critical infrastructure, ...) and say 30% of the list signs on to pound vendors and bosses about the head with it as circumstances permit, wouldn't that broaden the discussion base and improve security education and hopefully the state of network security? (OK, so I like to dream big)
need to concentrate on how we solve the political/corporate/vendor issue and not the technical issue because the technical issue isn't soluble (not that the political issue is, but we might get more bang for the effort buck). Basically I'm damned tired of fighting the same war and upgrading from a rock to a knife to a dagger to a sword to a flintlock to a ... So air gaps are nice, but in the long run, it's just another musket, one that will be circumvented by targeting devices difficult to air gap (PDAsThe original message wasn't about airgapping desktops, it was about airgapping non-user production networks, such as power distribution systems, medical equipment (think the a CAT scanner should be on the same network as the person in the mail room at the hospital?)
No but at some point the CAT scanner will be on the same network that the tech's diagnostic computer is on, and where was that last? Or are you saying that every CAT scanner installed will have a dedicated diagnostic computer and that media with diagnostic software upgrades will be vetted before being allowed to cross the air gap (remember the difficult to maintain, complex planning comment)? And last I checked some desktops exist in production areas, like monitoring systems and operator consoles. I never intended to imply it was the mail clerk's desktop. How about we make it the operator's desktop and he wants to download a log to take and study. He does it via his new wizbang toy that is not on this week's list of 'leave that device at the door before you enter' devices. You know, the one he plugged into his home network this morning to download some mail to read on break, oops.
syncing to desktop?). Before you ask, no I don't have a plan. Like most in a small company I spend 95% of my day digging a deeper foxhole and looking over the latest in flintlock design. We have a lot of bright people here and we ought to be using those IQ points for the long term instead of designing today's Mark XII network rock.Just like they're not appropriate for user networks where you can't enforce device additions, they're appropriate for sets of networks in lots of organizations. In my mind, air gaps are more effective than buying and deploying IPS (you want a new flintlock?) for a large number of networks.
Yes, it is a good tool. So were proxies for the time they lasted and the next tools will be even better, I'm sure of it. Face it, air gaps as a strategy have been around for a LONG time, Marcus' trademarked wirecutter 'air gap' firewall (just don't connect it, oh wait ...) and Proxies, 'the software air gap', to name a couple. All good tools in their time. But each was only the next evolution in tools, education wins over tools every time in my opinion, that whole teach a man to fish concept (but then I'm an old stubborn pain in the ass). Plus the more educated the boss becomes the less hassle we get when we say, "No you are not connecting that to the network" to someone. The more educated the vendors become the more selection of toys we have. The more educated admins get, the more voices in the choir singing to bosses and vendors. (Like I said, dream big) If we do not find some effective way of slowing this mess down, the boat will be swamped and the bailing bucket WAY too small. Maybe education as a long term solution is a dream, maybe not. I can assure you that air gaps won't cut it long term, good in theory but bad in practice is my call on that. If you are going to think in the strategic space, do it long term, tackle the hard problem. We have lots of talent here, is anyone else better qualified to attack the problem with a ten or twenty year view?
Sure, protocol and vendor issues abound, but so do the basic network design issues that are able to negate large swaths of protocol and vendor issues. We've touched on some of them in this thread, like inter-machine communication, separation, segmentation, per-class networking, etc. One answer isn't going to get us where we want to go any more than one vehicle is going to make everyone happy on the road. What we can do is ensure that mopeds don't go on freeways, skateboards aren't used inside the office and that people pull over for emergency vehicles. We won't get 100% compliance, but we'll get navigable roads and we can ticket the offenders. We can also deal with people who're not doing what the rest of us are doing by making them liable for their actions, or ensuring they need to be insured beyond what the rest of us are- either way is effective.
So let's write this stuff down and use it to educate the masses or at least the masters (and those insurance companies and contract departments). Find a way to give it to the little guy in the foxhole so he can be enlightened and enlighten others. I'm not against air gaps, I'm against magic bullets (OK, maybe not education). I'm against being handed a new tool and being told either 'trust me it solves the problem' or 'well, it is the best we can do'. I'm too old and been around too long to believe the former and I'm way too fed up and see way too much future acceleration in problems to accept the latter as sufficient. We need a better plan. For lack of something better, I always fall back to education (although contract liability is good too;). We just need a way to avoid glacial pace education, some way to make a dent either in vendors that produce trash or admins/consumers that buy/connect trash. I'm not sure 'best practices' is it but I'm willing to steal^H^H^H^H^H borrow a good idea from anyone on the list. I'm not even sure education is it, I'm open to ANY effective LONG TERM strategic plan. But I'm just not excited about the new tool, I'll wait for next month's upgrade. -- Dana Nowell Cornerstone Software Inc. Voice: 603-595-7480 Fax: 603-882-7313 email: DanaNowell_at_CornerstoneSoftware.com _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- RE: Worms, Air Gaps and Responsibility, (continued)
- RE: Worms, Air Gaps and Responsibility Paul D. Robertson (May 17)
- RE: Worms, Air Gaps and Responsibility Dana Nowell (May 17)
- RE: Worms, Air Gaps and Responsibility Frank Knobbe (May 18)
- RE: Worms, Air Gaps and Responsibility Dana Nowell (May 18)
- Re: Worms, Air Gaps and Responsibility Adam Shostack (May 18)
- Re: Worms, Air Gaps and Responsibility Dana Nowell (May 18)
- Re: Worms, Air Gaps and Responsibility Frank Knobbe (May 18)
- RE: Worms, Air Gaps and Responsibility Gwendolynn ferch Elydyr (May 18)
- RE: Worms, Air Gaps and Responsibility Dana Nowell (May 18)
- RE: Worms, Air Gaps and Responsibility Paul D. Robertson (May 18)
- RE: Worms, Air Gaps and Responsibility Dana Nowell (May 18)
- RE: Worms, Air Gaps and Responsibility Gwendolynn ferch Elydyr (May 18)
- RE: Worms, Air Gaps and Responsibility Dana Nowell (May 19)
- RE: Worms, Air Gaps and Responsibility Gwendolynn ferch Elydyr (May 19)
- Best Practices Paul D. Robertson (May 19)
- Re: Best Practices Dana Nowell (May 21)
- Re: Best Practices Gwendolynn ferch Elydyr (May 21)
- Re: Best Practices Dana Nowell (May 21)
- Re: Re: Best Practices R. DuFresne (May 21)
- Message not available
- Re: Re: Best Practices Dana Nowell (May 21)
- Re: Worms, Air Gaps and Responsibility Nate Campi (May 21)