Great Circle Associates Firewalls
(January 1996)

Subject: re: "Q" Clearance
From: ray @ rayk . com (Ray Kaplan)
Date: Tue, 16 Jan 1996 10:10:07 -0600
To: Firewalls @ GreatCircle . COM

Ok - perhaps this thread does need some focus, but please don't just dump
it - it's rich with lessons for firewalls and security thinking in general,
methinks.  Discussions of how those with clearances have to behave (e.g.,
Brian's dad) serve to enlighten all of us, *if* we can keep focused:
Exactly how do you do "serious" security - especially given rampant
Internet connectivity and the lack of management support that most of us
suffer?  Despite the recent *stellar* efforts by Brent Chapman (Building
Internet Firewalls, 1995) and Cheswick/Bellovin (Firewalls and Internet
Security, 1994) - some basics seem to have gotten lost in the flood of
minutiae.  In all fairness, Brent, Chess, and SMB *did* try - as evidenced
by their preface and first chapters' work.  However, there are some core
considerations that are still missing from discussions of Internet
connectivity (and network connectivity in general.)

Consider an aware organization which has had the forethought to divide
its infrastructure into compartments that reflect its overall exposure.
This generally implies some sort of data classification - and, moreover -
some way of mapping those classifications into other, similar, remote
compartments of like classification.

Consider a company that has a business partner for the express purpose of
accomplishing some specific business goal (e.g., cooperative development in
technology, marketing, legalities.)  A great example in the current
Internet fabric is the first virtual bank on the net: First Virtual.
First order, it looks like they went off to do their homework and came to
the correct conclusion that they had to have data classification and
technology to enforce it.  Hence, they have a trusted OS under their
Internet toys - and, I assume, data classification schemes in place to
ensure that untrusted crap from the net does not infiltrate the parts of
their network that must be trusted.  (Federal Reserve auditors are known to
be humorless in certain instances ;) )  While the data classification part
of First Virtual's scheme is speculation on my part, the trusted OS is not
(it's documented here and there - I recently saw a banking industry
newsletter / mag that highlighted SecureWare's (of Atlanta) role in this.)

I'd like to hear more from Padgett (and others) about their battles in
establishing, maintaining, *and* terminating secure channels between
business partners as needed.  Also, those "loose" internal connections
between organizational entities such as marketing and R&D need some work.
As it is, I'm numbed by endless meetings wherein a client tells me that
they have the same set of rules for everything (e.g., no secure channels
between sensitive parts of their organization or those of their business
partners.)

I'll be out at the RSA Data Security conference this week to look over the
shoulders of the folks who are doing interoperability testing of their
S/WAN implementations - results to be announced Thursday.  Pointer of
relevance is ftp.rsa.com, there.  Anyone interested in a write-up of the
conference?  Anyone seen a definitive summary of the "tunneling" stuff?  (I
saw a research paper from a PhD candidate at isi.edu some time ago, and the
NSA is known to have something which I believe is called "Blacker" going
on.)

Seems to me that we need to have one (or more) of you "classified types"
(e.g., those with "real" (e.g., "dogs and guns") security) talk to us about
*how* you overcome management's failure to recognize that a business
partner or customer connection must be governed by policy and technology
that carefully restricts its functions / access to data - and what to do
about it until management wises up (e.g., gives people franchise and money
to do the job correctly.)  Seriously, discussions of the right title for
firewall admins aside, does your CIO/CEO really even have a clue?  I doubt
it.

Meanwhile, I'll go back to the endless drone of meetings wherein simple
questions like "What is your business objective for this connectivity?"
seem to dumbfound those in charge.  Worse yet, I've been invited to speak
to a group of former intelligence officers (most of whom are looking for
new jobs these days) about "Hacking Corporate Infrastructures" (Schwartau
and Steele's Infowar conference.)  The hard part is telling them that
their existing skill base is their best tool - the technology of Internet
connectivity (and network connectivity in general) is fragile, by and large
untested, and misapplied as a rule.  You see, most of them - just like most
firewallers - seem to believe that some half-ass isolation solution (e.g.,
using untrusted OSs to support untested (ostensibly) firewalls under the
guidance of rules that change with the ebb and flow of various
organizational politics) is OK.  As friends (such as Ehud Gavron) and
acquaintances (such as Mitnick) of mine are known to say, "BzzzzzT! - No
cigar."

RayK 8)         Ray Kaplan
Security Services - P.O. Box 23210 - Richfield, MN USA 55423
(612) 861-7198 - FAX (612) 861-3736 - www: http://www.rayk.com/rayk
ray @ rayk . com - Not an expert, just a battered vet.