FACE-OFF: Is De-Perimeterization a Good Idea for Network Security?
Posted on: Tuesday, 23 August 2005, 15:00 CDT
Two debate the pros and cons of an approach proposed by the Jericho Forum.
Yes
Jamie Bodley-Scott
AppGate Network Security
(Editor's Note: This is a summary of a paper that won the Jericho Forum Challenge at the recent Black Hat event. For the full paper, go to www.networkworld.com, DocFinder: 8425.)
The Jericho Forum is all about "de-perimeterization," which involves re-appraising where security controls are positioned. Businesses moving to the Jericho world need to change their thinking away from the "edge" mentality based on controlled denial of access through firewalls.
Instead, they need to adopt a "core" mentality based on controlled access to servers/applications that would have to be Jericho-ready systems. To achieve anything in the short term, we need to look at the elements involved in the move to a more transactional relationship between users (and their endpoints) and servers/applications. The simplest model has five elements: the user (use cases, identity); the endpoint (security, client software); the communication channel (security); the server (security); and the application (software).
The communication channel is arguably more available than the other elements. To develop a workable approach, we need to explore the issues surrounding the two ends of the transactional relationship. Three models exist at the server/application end:
Jericho-ready systems: Applications that are Jericho-enabled should use Kerberos tickets for authorization to the services, be self-protecting (local firewall) and be prepared to encrypt traffic with SSL, if required by the centrally managed security policy.
Jericho-enabled servers: Older applications require a front end to handle interaction with the Jericho system. This is software that does data encryption and makes sure users are authorized to connect to the application.
Non-Jericho-enabled servers: The simplest solution is to protect the application server with a box in front of it that acts as a firewall, encrypts traffic from users and lets through only authorized traffic.
And three problems need to be addressed from the user end:
Users have no desire (or ability) to remember the details of all the systems to which they want access. It is desirable to have a fixed primary point of interface (PPOI) that understands what a user wants to do.
There must be some identity, authentication and transaction selection functions. This will be associated with the configuration of the server/application end, which permits the user access via Kerberos.
There must be a way of advertising system availability letting users know what systems are available under the current circumstances.
There is always going to be the need for PPOI. For now, PPOI products have to help with transactional tasks such as encryption for non-Jericho servers. Over time the role of the PPOI will evolve toward control and away from transactional involvement.
Bodley-Scott is regional operations manager U.K. and Ireland for AppGate Network Security. He can be reached at jamie.bodley-scott@appgate.com.
No
Joel Snyder
Opus One
Hiding behind a catchy buzzword ("de-perimeterization") and a heap of undebatable aphorisms, the Jericho Forum proposes to be the thought leader on network security in the 21st century. At best, Jericho will help to raise awareness of the usefulness of a defense-in-depth network security strategy. More likely, the forum will end up on the scrap heap of unrealized ideas and wasted effort.
The core of Jericho's thinking is old and obvious enough that security professionals will resonate with the harmonic goodness of the message: Your network should have defense in depth, and that means more than buying a lot of firewalls. Running around to lead that parade-in-progress gives the group credibility and a great base.
Unfortunately, the concept of radical new thinking just doesn't work in information security, something that Jericho's own vision acknowledges - yet ignores, with a Bullwinkle-esque "this time for sure" kind of certitude. If we have learned anything over the past 15 years, it is that large and architecturally elegant ideas die an ugly, lingering and expensive death (consider public-key infrastructure [PKI] identities, X.400 e-mail and ATM to the desktop).
What works is step-wise refinement, the method of successive approximation and the brutal invisible hand of the marketplace. Hence, the Internet, a pastiche of concepts and technologies, each prototyped in a small environment, tested in the real world, and refined to success or abandoned before too many people got hurt.
Look at remote and mobile access, one of the forum's main targets. The problems with IPSec remote access are partially the result of developer tunnel vision, but they are equally the result of a changing environment. It was impossible to get IPSec right the first time, because the world changed. Inexpensive, fast and incredibly insecure Windows laptops, the demise of dial-up and rise of broadband, the need for passwords and the failure of PKI - all happened after IPSec left the gate. Instead, it solved the problems of its day while opening the market for SSL VPN and IPSec Version 2 to serve the future.
We now have a healthy, if chaotic, environment with multiple solutions, each measured, evaluated and refined in the real world of implementation. Rapid prototyping wins, because the world is too complex for premeditated design.
The Jericho Forum's answer is to step back and resolve the problems of remote access with a new and creative architecture that will somehow avoid the errors of existing solutions while magically solving today's requirements. This is even more naive than the absurd idea of removing firewalls from network perimeters. Just as today's hot topics (such as endpoint security) hadn't catalyzed when IPSec was developed, the future's new issues are equally opaque to us today. Assuming that a fresh look at the past will help to predict the future serves only to distract us from solving today's problems today.
Snyder is senior partner at Opus One and a Network World Lab Alliance member. He can be reached at jms@opus1.com.
What do you think?
Log on to Network World to express your opinion. Face-Off authors Jamie Bodley-Scott and Joel Snyder will add their thoughts to the discussion.
DocFinder: 8437
Copyright Network World Inc. Aug 15, 2005
Source: Network World