Firewalls, Intrusion Detection, UTM

Defense _is_ sexy

Violet Blue begins a post reviewing a recent RAND study, "Cyber-defense must change course, or else", with an apt summary of the report:

Defense isn't sexy. We mythologize being the hacker, not the hacked.

The RAND study depicts network and system defenders as a hapless, hopeless, dispirited, confused lot. Defenders, it seems, have accepted the sum of disparaging or condemning remarks from journalists to bureaucrats and even their purportedly security practitioner peers and have raised the white flag.

Steve Werby (@stevewerby), Jerry Gamblin (@jgamblin) and I discussed this lamentable state of affairs in a thread on Twitter this morning. Jerry aptly summarized our shared perspective:

"People who say defense isn't sexy are not playing it correctly."

I'm not questioning RAND's results. Given the carnage we've witnessed, the smell of defeat is palpable. Steve, Jerry, and I are more interested both in motivating deflated defenders and in debunking the myth that defense isn't sexy.

We're using the wrong analogs. We're living in the past, describing defense in what is not only antiquated language but misguiding and constraining imagery as well. I'm as guilty as anyone, having used castles and the Maginot Line as analogs when describing firewalls or defense in depth.

"It should & can be sexy if we change how it's done"

Steve Werby instigated a discussion about change. We've traditionally characterized defense using military terms and static defenses. While useful at the time, these terms put us in a Helm's Deep mindset: standing on the parapets waiting for the Uruk-hai onslaught and inevitable defeat. It's time to modernize our analogs.

Defend with an attitude

Organizations who have had their ineffective defenses overrun make headlines. Organizations that, as Jerry says, "play defense correctly", don't make headlines. They defend with a "Not in my house" attitude. They're confident but not arrogant. 

Roll your eyes all you wish, but let's experiment with sports analogs to give defenders a more positive outlook. Werby laments that "The state of our analogies are so bad that almost anything is better." He's right.

It's time to bolster defenders' attitudes by making defense Sexy. Virile. Spirited. Indomitable. 

Defense in depth? Perimeter defense? Out. Hereafter, convince your defenders to play shot-blocking, ball-trapping, in-your-face-man-to-man, grind-you-down-I-own-you defense. If you prefer a football analog, forgo the zone and play man up, gang-tackling, blitz-your-brains-out D.

You want better security? Replace what Rand tells us is a culture of "awaiting annihilation" with a culture of relentless pursuit. It's long overdue. If your defenders aren't up to the task, find or make defenders who hate losing, hate being embarrassed by unskilled little shites who've downloaded or purchased an attack tool, criminal conspirators or state actors. Gather your defenders and quote from the 1976 movie, Network: "I'm as mad as hell and I'm not going to take this anymore!" 

Eliminate Firewalls?

Director Lt. General Ronnie Hawkins Jr., USAF, announced in a 26 June 2013 interview that the US Defense Information Systems Agency (DISA) was building a security architecture that would ultimately eliminate firewalls. "In the past, we’ve all been about protecting our networks—firewall here, firewall there, firewall within a service, firewall within an organization, firewalls within DISA," Hawkins declared. "We’ve got to remove those and go to protecting the data."


Although Director Hawkins carefully explained that this represented a shift in emphasis from protecting networks to protecting data, speculation that firewalls would disappear from DISA networks, or more generally from any network, resurrected a debate that's been raging for nearly as long as firewalls have existed. The party lines of this debate generally anchor in these themes:

Parties who favor abandoning firewalls argue that firewalls are no more effective today than the line of forts along the Maginot Line in 1940; they are incapable of adapting to the changes in user mobility, the attack landscape, attacker profile, and the levels of sophistication of recent attacks and thus easily circumvented.

Parties opposed to abandoning firewalls say that abandoning any line of defense weakens overall defense, and that perimeter defenses as well as network compartmentalization are essential in any containment strategy.

Three problems arise each time folks argue to eliminate firewalls:

There is a tendency to think of a firewall as a hardware device or software rather than to think of the functions that the devices or software perform. These functions include address translation, network traffic inspection, routing, application proxy, content inspection, traffic or content filtering (blocking or removal), and logging. The functions collectively attempt to enforce security policies built around the traditional "AAA" model (authentication, authorization, and auditing).

There is a tendency to discount the functions of firewalls that are effective. Firewall systems remain an effective way to protect networks where data are hosted against attacks that threaten data availability (e.g., traffic- or system-crippling DoS attacks) and to control costs of resources. On the Firewall Wizards mail list [fw-wiz], Tim Harris of FBN Services posts:

    The largest function that firewalls perform today is a coarse filtering of traffic. They eliminate the obvious bad traffic as well as traffic that is misdirected… That reduces my cost because I need less bandwidth and less robust equipment. It also means I save on CPU cycles because that traffic is checked once at the perimeter rather than forcing every device to inspect it.

Coarse filtering is effective. Firewall systems are effective coarse filters. Given how many security systems are not effective, why eliminate one from your arsenal that is? Simply put, don't eliminate firewall systems, but use them where they can be most effective. As Greg Young posted in [fw-wiz], "a more complex Internet edge doesn't mean your data center doesn't need protecting from the outside and the WAN."

Lastly, in far too many cases there's nothing but a firewall system between adversary and asset. We can argue that firewall systems were the worst invention ever because they allowed software development to remain lax with regard to secure programming practices, and host configuration to remain lax rather than secure. It's also hard to argue that firewall systems aren't the panacea they are commonly perceived to be. But until we can evolve and implement security architectures that truly protect data at rest, whether in a data center, cloud, or client device (irrespective of who owns the device), it's impractical to leave data unprotected.
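To make the coarse-filtering point concrete, here is an added example (not code from the article or from the mail list posters): a minimal stateless edge filter with default deny, two published services, and anti-spoofing and misdirection checks applied once at the perimeter. The address ranges, services, and inbound flows are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical public range this edge fronts (constructed for the example).
DMZ = ipaddress.ip_network("203.0.113.0/24")
# Sources that can never legitimately arrive on the outside interface.
BOGON = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # internal ranges
    "127.0.0.0/8", "0.0.0.0/8", "224.0.0.0/4")]        # loopback, unspecified, multicast
# Services the perimeter is meant to publish: (dst host, proto, port).
ALLOW = {("203.0.113.10", "tcp", 443), ("203.0.113.20", "udp", 53)}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int

def classify(flow: Flow) -> str:
    """Return 'accept' or a drop reason. Cheap, obvious checks come first."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    if any(src in net for net in BOGON):
        return "drop:spoofed-source"        # obvious bad traffic
    if dst not in DMZ:
        return "drop:misdirected"           # not an address this edge fronts
    if (flow.dst, flow.proto, flow.dport) in ALLOW:
        return "accept"
    return "drop:not-published"             # default deny

def filter_flows(flows):
    """Apply the coarse filter once; return accepted flows and drop counts by reason."""
    accepted, drops = [], {}
    for f in flows:
        verdict = classify(f)
        if verdict == "accept":
            accepted.append(f)
        else:
            drops[verdict] = drops.get(verdict, 0) + 1
    return accepted, drops

SAMPLE = [  # constructed inbound flows as seen on the outside interface
    Flow("198.51.100.7", "203.0.113.10", "tcp", 443),
    Flow("198.51.100.7", "203.0.113.10", "tcp", 22),
    Flow("10.1.2.3", "203.0.113.10", "tcp", 443),
    Flow("198.51.100.9", "192.0.2.5", "tcp", 80),
    Flow("198.51.100.9", "203.0.113.20", "udp", 53),
    Flow("224.0.0.5", "203.0.113.20", "udp", 53),
]

if __name__ == "__main__":
    ok, dropped = filter_flows(SAMPLE)
    print(f"{len(ok)} accepted; dropped once at the edge so no host inspects them: {dropped}")
```

Everything the edge drops here is traffic no interior host needs to spend cycles inspecting, which is the cost argument made in the quoted post.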

Don't abandon Firewalls: Complement or Collapse Functionality

DISA and similarly motivated organizations are not likely to abandon "firewall" functionality if they truly want to protect data. This functionality must be effectively collapsed close to data at rest (i.e., at the datacenters or clouds where the data are hosted), on the user device (in the forms of cryptography and data compartmentalization), and in policy (by adoption of permission models that adhere to the principle of least privilege).

Security architectures that seek to "protect data not networks" are in truth shifting security focus onto what attackers target: information. DISA and others are considering cloud architectures because the cloud (or datacenter) models separate application and data hosting from (client, user) network access. This will, over time, allow agencies or organizations to eliminate firewall systems "outside" the cloud or datacenter, and rely more on role-based access controls and other centralized security measures.

There's nothing magical or revolutionary in this strategy, and despite the illusion of controversy, it's a sound one.

This article originally appeared at The Transformed Data Center, 23 July 2013.