Security Laboratory
- Security Laboratory: Defense In Depth Series
Security Convergence and The Uniform Method of Protection to Achieve Defense in Depth
September 7th, 2007
By Stephen Northcutt
Security convergence is an interesting trend that has been picking up speed heading into 2008. We are running network information that was formerly analog over our digital data networks, we are converging formerly separate network devices, especially at the perimeter, and we are starting to see physical and classic network security groups beginning to merge. If the trend continues unabated, it will end up saving us a lot of money and giving us a lot less actual remediation of risk than past practice. This trend is solidly in the uniform architectural approach to defense in depth.[1] The architectural approaches to defense in depth are a recurring theme in the course we author and teach, Management 512, SANS Security Leadership Essentials For Managers.[2] Let's look at some of the details.
====
1. http://www.sans.edu/resources/securitylab/367.php
2. http://www.sans.org/training/description.php?mid=62
Convergence of network traffic
"A lot of organizations, today, are considering converging voice and data on the same network, and, therefore, need to ensure that their existing networks can take on this additional load."[1] What is driving convergence or unified communications? According to Rich Tehrani, "cost has been portrayed in press coverage as the major driver, but we believe that functionality will eventually drive adoption as cost differences even out. Regardless of the primary motivator, we're seeing that enterprises are most likely to adopt VoIP gradually, often deploying it by division or for specific call types."[2] To recap the current situation, "more businesses are moving to implement unified communications, mainly because of the efficiency and potential cost savings it offers. While most deployments today are small and limited, users are discovering that there is a down side to unified communications: a significant growth in network traffic that can slow down application performance and cause other problems, according to a survey released Monday."[3]
"A survey of 576 unified communications users found that 75% said one-quarter of their network traffic in the last three months consisted of UC applications like VoIP, unified messaging, and instant messaging. The survey was conducted by Network General Corp., which polled its worldwide customers."[3] In the same study, "forty percent of companies polled said they use integrated voice, video and Web conferencing, and close to 70 percent have used VoIP, but only 12 percent cite voice communication as responsible for additional network traffic. Around 80 percent of respondents believe the network traffic from all their communications applications will increase over the next 12 months."[4, 5]
A Gartner study in 2005 addressed the increased demands that voice places on data networks: "90 percent of networks in North America today will require additional build-out to support voice, and 100 percent of them will require some configuration changes," said Gartner analyst Jeff Snyder.[6] "Jitter and packet drops that can be tolerated in an IP data network are key contributors to poor quality in VoIP. To absorb most jitter, buffering is often employed but buffers can overflow and cause drops plus significant delay that is also a cause of poor perceived quality. High bandwidth (the "big pipes" solution) can eliminate much of the buffering and drops, however, bandwidth is not inexpensive and is not a panacea for all that can occur on even the most robust of IP networks."[7] Chris Brenton, who teaches the perimeter security course for SANS, stated that a number of companies have backed out their initial deployments, waiting until they upgrade the network.
Finally, we want to keep the security risks in focus: VoIP protocols are complex and poorly understood by most network engineers. The three biggest threats are denial of service, SPIT (phone spam) and fraud using targeted phishing against the VoIP user. The good news is that the latter two threats can be remediated with awareness training.
The bottom line: convergence of network traffic is going to happen, it is going to work, and it will bring new capabilities to our workplaces that we can scarcely dream about today. The amount of time you spend in predeployment testing and design can dramatically impact your organization's level of expense and satisfaction.
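The jitter-buffer trade-off quoted above (too little buffering drops late packets, an undersized buffer overflows on bursts, and every millisecond of buffering is added delay) can be seen in a small model. This is an added example, not code from the article or from Gartner; the packet arrival times, the 20 ms frame period and the buffer settings are constructed.

```python
"""Fixed-playout jitter buffer model (constructed example, not from the article)."""


def simulate_jitter_buffer(arrivals_ms, period_ms, playout_delay_ms, capacity):
    """Play out packets on a fixed schedule shifted by playout_delay_ms.

    Packet i is scheduled for first_arrival + playout_delay_ms + i*period_ms.
    Arrivals are assumed to be listed in send order with non-decreasing times.
    A packet arriving after its slot is a 'late' drop (buffer underrun);
    a packet arriving while the buffer already holds `capacity` packets is an
    'overflow' drop. Returns counts of played, late and overflow packets plus
    the delay the buffer adds to every call.
    """
    base = arrivals_ms[0]
    waiting = []  # playout slots of packets currently held in the buffer
    late = overflow = 0
    for i, t in enumerate(arrivals_ms):
        # Packets whose playout slot has already passed have left the buffer.
        waiting = [slot for slot in waiting if slot > t]
        slot = base + playout_delay_ms + i * period_ms
        if slot < t:
            late += 1
        elif len(waiting) >= capacity:
            overflow += 1
        else:
            waiting.append(slot)
    played = len(arrivals_ms) - late - overflow
    return {"played": played, "late": late, "overflow": overflow,
            "added_delay_ms": playout_delay_ms}


# Constructed arrivals for ten 20 ms voice frames sent at 0, 20, ..., 180 ms;
# the network adds a few tens of milliseconds of jitter to several of them.
ARRIVALS_MS = [0, 22, 38, 75, 78, 80, 121, 140, 170, 182]


def compare_settings():
    """Run the same arrival trace through three (delay, capacity) settings."""
    settings = [(0, 8), (20, 8), (60, 2)]
    return {s: simulate_jitter_buffer(ARRIVALS_MS, 20, *s) for s in settings}


if __name__ == "__main__":
    for (delay, cap), result in compare_settings().items():
        print(f"playout delay={delay:3d} ms capacity={cap}: {result}")
```

With no buffering five of the ten frames arrive too late to play; 20 ms of buffering plays all ten at the cost of 20 ms latency; a deep 60 ms playout delay on a two-packet buffer overflows three times during the bursts.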
Consumer VoIP
I wouldn't be surprised if the majority of readers who receive this newsletter already have a consumer grade VoIP service. As long as it is a backup service that is fine, but there are some quality rumblings starting to be heard. I have the Comcast service in Hawaii and have not experienced many problems at all, but there is a blog devoted to Vonage problems[8] and, more famously, Skype ran into serious trouble Thursday August 16, 2007: "The company first acknowledged the service outage around 2 p.m. Thursday, and later identified the cause as "a deficiency in an algorithm within Skype networking software." It ruled out any link with the planned maintenance of its Web-based payment service on Wednesday, and said service was not the "victim of a cyber attack." The service had been sporadic but gradually improving during the business day in Asia on Friday. The number of users that can now sign in is "encouraging," Skype said."[9]
====
1. http://pcquest.ciol.com/content/topstories/2004/104093003.asp
2. http://www.tmcnet.com/news/executive-suite/deloitte-touche-phil-asmundson.htm
3. http://www.informationweek.com/software/showArticle.jhtml?articleID=201802478
4. http://www.webpronews.com/topnews/2007/08/27/unified-communications-bring-network-traffic
5. http://www.networkgeneral.com/PressDetails.aspx?NID=20078273072151
6. http://www.eweek.com/article2/0,1895,1898198,00.asp
7. http://www.tmcnet.com/it/0503/0503Finis.htm
8. http://news.com.com/5208-10784_3-0.html?forumID=1&threadID=29909&messageID=301226&start=-1
9. http://www.infoworld.com/article/07/08/17/Skype-problems-may-continue_1.html
Convergence of perimeter devices
"Unified threat management (UTM) is a term coined by Charles Kolodgy of International Data Corporation (IDC) in 2004 which is used to describe network firewalls that have many features in one box, including junk e-mail filtering, anti-virus capability, an intrusion detection (or prevention) system (IDS or IPS), and World Wide Web content filtering, along with the traditional activities of a firewall. These are application-layer firewalls that use proxies to process and forward all incoming traffic, though they can still frequently work in a transparent mode that disguises this fact."[1] "The unified threat management space is a relatively new security appliance segment tracked by IDC that is predicted to grow to $2 billion by 2008." According to Secure Computing, "Unified threat management systems must at minimum:
- Be an appliance
- Include multiple security features
- Have a hardened OS
- Be able to perform:
  - Network firewalling
  - Intrusion prevention (IPS) ("Stop Attacks!")
  - Gateway anti-virus"[2]
Vendors include:
- Cisco
- Fortinet
- Secure Computing
- SonicWall
- WatchGuard
====
1. http://en.wikipedia.org/wiki/Unified_Threat_Management
2. http://www.securecomputing.com/gateway/unified_threat_management.cfm
3. http://www.cisco.com/application/pdf/en/us/guest/products/ps6120/c1244/cdccont_0900aecd8027d090.pdf
Convergence of Physical, Network and Computer Security
In 2005, "Forrester Research projected a tenfold increase in U.S. spending on merging physical and logical access control, across both the public and private sectors, from $691 million in 2005 to more than $7 billion in 2008."[1] According to CERT's podcast on the subject, "Traditional silos will start to disappear, for example, boundaries between network security, physical security, and human resources. Single user identities are starting to emerge for all business transaction authorization and access. Identity management will include physical facility access and rights as well as network and application access and rights. Approaches like Common Access Cards are being used today to support physical access, network access, and email encryption, as well as to provision new employees and revoke the rights of terminating employees. Smart video and video analytics will be used to integrate and present all sources of video surveillance and to assist with forensics analysis. We can then collect physical security events captured by video surveillance cameras and correlate these with system and network access, for example."[2]
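The correlation of physical access events with system and network access that the CERT podcast describes can be done with a small join over the two event streams. This is an added example, not code from the article, CERT or any product; the badge and logon records below are constructed samples in an assumed common format, and the two rules (an on-premises logon by someone the badge system does not show as inside, and a remote logon by someone it shows as inside) are illustrative checks, not a standard.

```python
from datetime import datetime

# Constructed sample events (not real logs), already normalised to one
# timestamp format. Columns: time, user, event kind, extra detail.
BADGE_EVENTS = """\
2007-09-07T07:58:10 alice IN  door=main
2007-09-07T08:05:42 bob   IN  door=main
2007-09-07T12:01:05 bob   OUT door=main
2007-09-07T17:30:00 alice OUT door=main
"""

LOGON_EVENTS = """\
2007-09-07T08:02:11 alice lan  host=ws-101
2007-09-07T08:10:30 bob   lan  host=ws-102
2007-09-07T12:45:00 bob   lan  host=ws-102
2007-09-07T13:15:00 alice vpn  host=vpn-gw
2007-09-07T18:20:00 carol lan  host=ws-103
"""


def parse(text):
    """Turn the whitespace-separated records into sorted (time, user, kind) tuples."""
    rows = []
    for line in text.splitlines():
        ts, user, kind, _detail = line.split()
        rows.append((datetime.fromisoformat(ts), user, kind))
    return sorted(rows)


def badge_state(badges, user, at):
    """Return 'IN', 'OUT' or None: the user's most recent badge event at or before `at`."""
    state = None
    for ts, u, kind in badges:
        if u == user and ts <= at:
            state = kind
    return state


def correlate(badge_text, logon_text):
    """Flag logons that disagree with what the badge system says about the user."""
    badges = parse(badge_text)
    alerts = []
    for ts, user, source in parse(logon_text):
        state = badge_state(badges, user, ts)
        if source == "lan" and state != "IN":
            alerts.append((ts.isoformat(), user, "on-site logon but not badged in"))
        elif source == "vpn" and state == "IN":
            alerts.append((ts.isoformat(), user, "remote logon while badged in"))
    return alerts


if __name__ == "__main__":
    for alert in correlate(BADGE_EVENTS, LOGON_EVENTS):
        print(*alert)
```

On the sample data the two rules raise three alerts: bob's workstation logon after he badged out, alice's VPN logon while still badged in, and carol's logon with no badge record at all.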
One bright note is that convergence may make Single Sign-On (SSO) a reality. "SSO requires the convergence of traditional physical security with IT for a number of reasons, such as the following:
- Reduction of the cost associated with issuing and revoking authentication and access control credentials across information systems and facilities
- The capability to know where a person is in relation to network authentication
====
1. http://www.networkcomputing.com/showArticle.jhtml?articleID=194200006
2. http://www.cert.org/podcast/notes/21crowellcontos.html
3. http://www.giac.org/resources/whitepaper/physical/302.php