Firewall Wizards mailing list archives

Re: Worms, Air Gaps and Responsibility


From: Rogan Dawes <discard () dawes za net>
Date: Wed, 05 May 2004 18:11:05 +0200

I agree that it is a good idea to separate user networks from server networks (in the general case) and user networks from production networks specifically. In most cases, I think that air gaps are a bit of overkill. Using a firewall and defined interfaces that can be adequately secured (e.g. by not using MS file sharing :-) is sufficient in many cases.

On a related note, I've been thinking quite a lot about having switches perform firewall tasks. I see no reason why it should not be possible to classify ports into groups such as "server" and "desktop" (at a minimum), and apply appropriate filtering rules between the groups.

e.g. desktops may only talk to servers, not to each other.

Obviously, it should be feasible to use much more granular rules, perhaps based on 802.1x authentication of the connecting device.

e.g. I plug my laptop in at work. The switch requests me to authenticate using 802.1x. As part of the authentication process, the switch retrieves a user-specific set of rules, and applies them to the specific port that I have connected to.

This could be configured to allow me to talk only to the Unix servers that I am authorised to, communicate with the domain controllers to authenticate, access only the servers that I am allowed to, etc.

As a benefit, it would even prevent attacks against the local segment, as well as the rest of the network.

Thoughts?

I realise that this could end up causing a lot of work for network admins (analogous to locking MAC addresses to ports, perhaps), but with the right tools, it should be manageable.

Rogan


Paul D. Robertson wrote:

Hospitals, banks, the U.K. Coast Guard...  The damage from the latest
Microsoft-based worm isn't as widespread as that from the last one, but
it's pretty darned bad in point cases.

Why do people continue to connect critical production networks to
user/administrative networks?

Surely networking equipment is cheap enough that a real honest air gap
(not some marketingspeak switch thingie) isn't all that difficult to
deploy?

Air gaps make great firewalls.  They rarely need upgrading, they're
low-power and low-heat, and they're less filling and taste great.

Worst-case, a few low-end firewalls to segment the users off from the
production stuff should be a no-brainer these days.

All the money, effort and time people are spending on IDS, IPS, and all
the other buzzword-compliant devices, and yet we still don't have good
solid separation and segmentation in places where one would expect that
the responsibility for running a critical network would require some level
of protection to be displayed.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards



--
Rogan Dawes

*ALL* messages to discard () dawes za net will be dropped, and added
to my blacklist. Please respond to "lists AT dawes DOT za DOT net"
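The scheme Rogan sketches above (ports classified into groups with filtering between the groups, plus a per-user rule set that the switch installs on a port after 802.1X authentication) can be modelled as a small policy engine. The following is an added illustration written for this archive page, not code from either poster or from any switch vendor; the port groups, host names, user name "rogan", the rule sets and the idea that the authentication back end returns rules keyed by user are all constructed assumptions for the example.

```python
"""Model of a switch that enforces inter-group filtering and per-user port
rules pushed at 802.1X authentication time.  Hypothetical simulation for
illustration only; not any vendor's implementation."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One filtering rule; a None field is a wildcard."""
    action: str                                # "permit" or "deny"
    dst_group: Optional[str] = None            # destination port group
    dst_host: Optional[str] = None             # destination host name
    service: Optional[Tuple[str, int]] = None  # (protocol, port), e.g. ("tcp", 22)


DENY_ALL = [Rule("deny")]

# Inter-group policy (constructed): the minimum described in the post,
# desktops may talk to servers but not to each other.  Unlisted pairs are denied.
GROUP_POLICY = {
    ("desktop", "server"): "permit",
    ("server", "desktop"): "permit",
    ("server", "server"): "permit",
}

# Hypothetical per-user rule sets the 802.1X back end would hand to the
# switch; user, host names and services are constructed for the example.
USER_RULES = {
    "rogan": [
        Rule("permit", dst_host="dc1", service=("tcp", 88)),    # Kerberos to the DC
        Rule("permit", dst_host="dc1", service=("tcp", 389)),   # LDAP to the DC
        Rule("permit", dst_host="unix1", service=("tcp", 22)),  # SSH to an authorised Unix host
        Rule("deny"),                                           # everything else
    ],
}


class Switch:
    def __init__(self):
        self.group = {}      # port -> "desktop" | "server"
        self.host = {}       # port -> name of the host plugged in
        self.dot1x = set()   # ports that must authenticate before forwarding
        self.rules = {}      # port -> rules installed after authentication

    def configure_port(self, port, group, host=None, dot1x=False):
        self.group[port] = group
        if host:
            self.host[port] = host
        if dot1x:
            self.dot1x.add(port)
            self.rules[port] = DENY_ALL   # unauthenticated: nothing passes

    def authenticate(self, port, user, credential_ok):
        """802.1X outcome for a port: install the user's rules on success,
        leave the port closed on failure.  Returns True on success."""
        if port not in self.dot1x:
            raise ValueError(f"port {port} is not an 802.1X port")
        if not credential_ok:
            self.rules[port] = DENY_ALL
            return False
        self.rules[port] = USER_RULES.get(user, DENY_ALL)
        return True

    def link_down(self, port):
        """Unplugging must discard the per-user rules, otherwise the next
        device plugged into the port inherits the previous user's access."""
        if port in self.dot1x:
            self.rules[port] = DENY_ALL

    def allowed(self, src_port, dst_port, service):
        """Would the switch forward a flow from src_port to dst_port?"""
        src_group, dst_group = self.group[src_port], self.group[dst_port]
        # 1. The inter-group policy is checked first and cannot be overridden
        #    by per-user rules, so a desktop never reaches another desktop.
        if GROUP_POLICY.get((src_group, dst_group)) != "permit":
            return False
        # 2. Per-port rules, first match wins.  Ports without 802.1X carry no
        #    per-user rules and are governed by the group policy alone.
        dst_host = self.host.get(dst_port)
        for r in self.rules.get(src_port, []):
            if r.dst_group is not None and r.dst_group != dst_group:
                continue
            if r.dst_host is not None and r.dst_host != dst_host:
                continue
            if r.service is not None and r.service != service:
                continue
            return r.action == "permit"
        return src_port not in self.dot1x   # 802.1X ports end in implicit deny


def build_demo_switch():
    """Constructed topology: three desktop ports behind 802.1X, three servers."""
    sw = Switch()
    sw.configure_port(1, "desktop", host="laptop", dot1x=True)   # authenticates as rogan
    sw.configure_port(2, "desktop", host="pc2", dot1x=True)      # fails authentication
    sw.configure_port(3, "desktop", host="pc3", dot1x=True)      # never authenticates
    sw.configure_port(10, "server", host="dc1")
    sw.configure_port(11, "server", host="unix1")
    sw.configure_port(12, "server", host="fileserver")
    sw.authenticate(1, "rogan", credential_ok=True)
    sw.authenticate(2, "visitor", credential_ok=False)
    return sw


if __name__ == "__main__":
    sw = build_demo_switch()
    for src, dst, svc in [(1, 10, ("tcp", 88)), (1, 12, ("tcp", 445)),
                          (1, 2, ("tcp", 445)), (2, 10, ("tcp", 88))]:
        print(f"port {src} -> port {dst} {svc}: {sw.allowed(src, dst, svc)}")
```

Two design points the model makes visible: the group policy is evaluated before any per-user rule, so even a user with a permissive rule set cannot reach the other desktops on the segment, which is the local-segment benefit Rogan mentions; and `link_down` exists because per-user rules bound to a port must be torn down when the authenticated device leaves, or the access follows the port rather than the user. The model is direction-insensitive and stateless; a real switch would have to track return traffic from servers to the authenticated desktop port.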