Surviving in a hostile world
The myth of fortress applications
Tomas Olovsson
CTO, Appgate
Professor at Goteborg University, Sweden
The view of the 90’s
• Modems are used for remote access
• The Internet is used primarily for email, news and later also the world wide web (www)
  – 1994 there were 500 web servers
  – 1995 there were 10,000
  – 2000 there were 30,000,000
• Security?
  – Private modem pools are managed and regarded as secure enough
  – A firewall is enough to protect the network from Internet threats
  – 1997: The question is what to buy: a stateful inspection firewall or an application level firewall [Rik Farrow]
Around year 2000
• Mobile devices are becoming increasingly popular
  – Mobility: Computers move between networks – virus problem
  – Software: New software follows in the tracks of mobile computers
  – Information: Internal information can easily be transferred
  – Devices: USB disks and memories begin to see the world
• Internal security is now being addressed
  – Not all devices are secure and trustworthy
  – Malicious software cannot be allowed to spread freely
  – Information cannot be trusted to all staff (“need to know”)
• The firewall?
  – It is still probably doing its job as intended
Traditional Internal Security
• Many networks lack internal protection
• Others are segmented with firewalls, switches, routers and other equipment
• Personal firewalls protect workstations
• IDS systems monitor traffic
• Large networks are beginning to be partitioned
[Diagram: user, server and WLAN segments (customer support, accounting, technical department, management) separated by firewalls, switches and routers, with personal firewalls on workstations and an IDS system]
Today – Devices
• Internal security is more important than ever
• Mobile devices are in everyone’s possession
  – Devices will be moved to and from corporate networks: laptops, USB sticks, portable disks, phones, PDAs, …
  – We should be able to check them before granting access
  – Some devices should not be allowed
  – Better control over internal information (authorisation, access control)
• WLAN access exists in many places
  – Networks are extended outside the firewall
  – Traffic from the outside may not even pass the firewall…
  – Our users communicate – risk of wiretapping
  – Other users use them without our authorisation
• VoIP will be the next thing to integrate
• Internal segmentation is even more important
[Diagram: WLAN and department segments (customer support, accounting, technical department, management) behind the firewall]
Today and communications
• The Internet has replaced modems for remote access
• All users have access to mail and www
  – Companies without web servers do not exist
  – Many threats to www (scripts, malicious software, etc.)
• We need to access data from other organisations
  – Computers are used to connect to external systems and share data
• Systems automatically connect to home servers
  – Software updates, anti-virus, etc. (“phone home”)
• Users are located everywhere
  – At home, remote offices, partners, customers, etc.
  – Information must be shared – it’s a business enabler
• Applications (e.g. p2p) can be disguised as other applications
  – They use port 80 for “firewall friendly” access – no control
• We can no longer hide behind a firewall
[Diagram: the company (employees, contractors) surrounded by partners, product partners, WLAN access, remote offices, home workers, suppliers, consultants and outsourced resources]
Many complex solutions exist…
[Diagram: mobile users with VPN, a firewall with IPSec VPN, SSL VPN, servers, a push-email system, IDS, a wireless network, internal firewalls, and the management and product development departments]
The problem with a Firewall-centric view
• Over time, the firewall will have many holes
[Diagram: a firewall pierced by VPN, legacy systems, proxies, VoIP, web and IM]
Remote access – a simple problem?
[Diagram: a remote user connected through a “VPN tunnel” across the Internet and the firewall into the corporate network and its servers]
This is the same picture!
[Diagram: the same remote user, Internet, firewall, corporate network and servers, without the tunnel drawn]
This is what the firewall implements…
But once you are on the inside…
It used to be a modem…
Now we have:
• Mobile computers
• USB memories
• PDAs
• Software
• Remote execution
• Internet access
• Remote access
• WLAN, 3G access
• www
• p2p
• VoIP
• mail, viruses
• hacking tools
• personal firewalls
• outsourced administration
• etc.
Protection must be where the assets are
• Protection at the source
• It does not matter how you got to the inside!
This would be easy to implement – provided...
• Each application server and client can protect itself
• There is a central authentication system for all users
  – Applications should not have to deal with authentication
• And a distributed authorisation system
  – Each project (data owner) can decide who can do what
  – Access rights must depend on authentication method, user’s role, type of device, client location, time of day, etc.
• Applications are only visible to authorised users
Then:
• No perimeter firewall would be needed (we would still keep it)
• No difference between local access and remote access!
• It would not even be necessary to have an internal network!
NAC – Network Access Control
• Goal: check the connecting device before granting network access
  – Non-accepted devices can be connected to quarantine networks where they can update software, etc.
  – Some products may support identity-based access control to networks
• Emerging technology initiated by many vendors
  – But with different names (McAfee, Microsoft, Symantec, Cisco, …)
NAC – Network Access Control
• An interesting approach
  – Vendor approach to solve the problem of disappearing network boundaries
  – Means that the problems mentioned here are recognised
• Requires an infrastructure on the network which implements the protection
  – Protection is enforced by the network, not the end devices
  – Does not enable secure end-to-end communication with mutual authentication
  – May mean we get more point products to manage…
Network Access Control (NAC)
• NAC is complicated:
  – Checks whether endpoints meet security policies and updates configurations
  – Checks for and isolates endpoints and users that have made it onto the network and seem to be breaching security policies
• Management is done from different platforms depending on device and access type
  – RAS policies would be enforced by a VPN gateway
  – LAN user access enforced by switches and similar equipment
  – Does not offer mutual trust – just checking the connecting device
• Forrester believes NAC is not the future
  – Next version is PERM – proactive endpoint risk management
  – “Policy-based software technology that manages risk by integrating endpoint security, access control, identity and configuration management.”
What is de-perimeterisation?
• Move security control closer to the source – to the end-points
• Be in total control of all users’ access rights
• Be in control of the connecting device
• Add policies that dictate how and under what circumstances each user can access each service
• Make access “seamless” and base it on cooperation between applications and users and the use of secure protocols
(short version of the Jericho Forum approach)
• Move protection closer to application servers
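The distributed authorisation model sketched in the “easy to implement – provided...” slide and summarised in the de-perimeterisation slide above (central authentication, each data owner deciding who may do what, access depending on authentication method, role, device type, client location and time of day), as an added example that is not from the original slides. Service names, roles and policy values are constructed:

```python
# Added example, not from the original slides: a per-service authorisation
# policy evaluated against the context the slides list (authentication method,
# user role, type of device, client location, time of day). Service names,
# roles and policy values are constructed.
from dataclasses import dataclass
from datetime import time

@dataclass(frozen=True)
class AccessRequest:
    role: str
    auth_method: str   # e.g. "password", "otp", "smartcard"
    device_type: str   # e.g. "managed-laptop", "byod-phone"
    location: str      # e.g. "office", "home", "unknown"
    at: time

@dataclass(frozen=True)
class ServicePolicy:
    """Written by the data owner of one service, not by a central team."""
    roles: frozenset
    auth_methods: frozenset
    device_types: frozenset
    locations: frozenset
    hours: tuple = (time(0, 0), time(23, 59))

    def evaluate(self, req):
        """Return (allowed, reasons); every failed condition is reported."""
        checks = [
            (req.role in self.roles, f"role {req.role!r} not permitted"),
            (req.auth_method in self.auth_methods, f"authentication {req.auth_method!r} too weak"),
            (req.device_type in self.device_types, f"device type {req.device_type!r} not accepted"),
            (req.location in self.locations, f"location {req.location!r} not permitted"),
            (self.hours[0] <= req.at <= self.hours[1], "outside permitted hours"),
        ]
        reasons = [why for ok, why in checks if not ok]
        return not reasons, reasons

# Constructed policy set; listing "home" beside "office" removes the local/remote distinction.
POLICIES = {
    "accounting-db": ServicePolicy(
        roles=frozenset({"accountant", "cfo"}),
        auth_methods=frozenset({"smartcard", "otp"}),
        device_types=frozenset({"managed-laptop"}),
        locations=frozenset({"office", "home"}),
        hours=(time(7, 0), time(20, 0)),
    ),
}

def authorise(service, req):
    """Default deny: a service without a registered policy is invisible."""
    policy = POLICIES.get(service)
    return policy.evaluate(req) if policy else (False, ["no policy for service"])
```

Because location is just one attribute among several, an accountant with a smartcard on a managed laptop gets the same answer from home as from the office, which is the “no difference between local and remote access” property the slides argue for.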
The Jericho Forum Blueprint
• In a de-perimeterised world companies will have more systems not connecting to “their” network, but transacting via inherently secure protocols
• Tools: encryption, secure protocols, secure computer systems and data-level authentication
• User access can be granted based on his/her identity, authentication strength, location, time, type of device, etc.
[Chart: connectivity over time, stages from earliest to latest]
• Stand-alone Computing [Mainframe, Mini, PC’s]
• Local Area Networks – islands by technology
• Connected LANs – interoperating protocols
• Connectivity for Internet e-Mail
• Internet Connectivity – Web, e-Mail, Telnet, FTP
• External collaboration [Private connections]
• External Working – VPN based
• Limited Internet-based Collaboration
• Consumerisation [Cheap IP based devices]
• Full Internet-based Collaboration
• Full de-perimeterised working
Drivers marked along the curve: outsourcing and off-shoring; cost, flexibility, faster working; B2B & B2C integration, flexibility, M&A; low cost and feature rich devices
Chart labels: Today; Effective breakdown of perimeter