SYSADMIN De-Perimeterization

De-perimeterization and life after the firewall

NO BORDERS

Enterprises and organizations used to feel protected behind the firewall, but now VPNs, e-commerce, web services, and Web 2.0 have put an end to the comfort. The network perimeter is losing its significance, and the time has come for a new approach to security. BY JÖRG FRITSCH

APRIL 2008 60 ISSUE 89

Firewalls used to be the pride of any security department. A well-designed firewall protected the internal network, and a lot of ports needed to be open on the firewall. Servers advertised their services to anyone on the LAN.

This black and white view of the secure internal network and the evil external network was never really as simple as it looked – identity thieves and disgruntled colleagues have always been a part of the corporate scene – still, the system seemed to work somehow. Without firewalls, the current conception of the Internet – with online shopping, home banking, and VPNs – would be totally unthinkable.

On today’s networks, security specialists have a difficult time enforcing the traditional segregation of “inside” and “outside.” New borders are opening up all over the place. Remote access via VPN, cellphones, PDAs, roaming notebooks, web services, and Web 2.0 technologies are slowly rendering the firewall obsolete. In the past, each server application had a clearly defined port and was easily controlled at the firewall, but almost all services in today’s web service model use http/https and port 80 or 443. This emphasis on http makes it difficult to disambiguate services at the network perimeter.

Although this problem sounds like a serious threat, some experts believe this paradigm shift is an opportunity. Instead of repeating past errors by refining and extending the outdated firewall concept, why not devise a whole new approach to security that is tailored to the more complex reality of today’s networks?

The Jericho Forum [1] is an international security organization dedicated to advancing a new vision for network security. At the center of that vision is a concept they call de-perimeterization, which overturns the traditional view of the network as a finite space with an inside, an outside, and a perimeter. According to the Jericho Forum, the threats faced by today’s networks are so vast and varied that “…The only reliable security strategy is to protect the information itself, rather than the network and the rest of the IT infrastructure.”

The Jericho Forum is a loose grouping of ISM (Information Security Management) experts affiliated with the Open Group [2], an umbrella organization comprising the joint forces of the Open Software Foundation [3] and X/Open Limited. Open Group is well known for its Single Unix Specification and other initiatives. The Open Group trademarked the term “Boundaryless Information Flow” to echo this theme that modern networks should not depend on perimeter boundaries for protection. (According to unofficial sources, the trademark was necessary to avoid vendors misusing the term for advertising purposes without actually adhering to the principles.)

This vision of a secure network without borders is embodied in the Jericho Forum’s “Commandments,” which are available in PDF form from the Jericho Forum web page (see the box titled “Commandments”).

[Figure 1 image: upper panel “Conventional Security Model (Rings of Trust)” with rings Data, Application, Operating System, Network, LAN/Operation; lower panel “De-perimeterized Security Model” with Data, Application, Operating System, Network, LAN/Operation, Internet, Network A, Network B]

Figure 1: Conventional security models attempt to safeguard components from each other. The traditional “Rings of Trust” model (above) hardens each ring against the surrounding ring. The de-perimeterization model, below, assumes data is independent of context and must not depend on an application, operating system, or network for protection.

The commandments are a collection of security principles – some equivalent to contemporary “best practices” advice and others quite radical and new. The work of the Forum boils down to an emphasis on four areas: encryption; secure protocols – above all, SSL/TLS; secure systems; and authentication and authorization at the data level.

The concept of protecting the data itself, rather than simply restricting access to the machine that holds the data, is a fundamental feature of this new approach. Another tenet of this de-perimeterized reality is that all networks are untrusted. Each device must be capable of defending itself – even when placed on the open Internet.

Figure 1 sketches this new vision of the data-independent network. At the top, you can see legacy data and information with clearly defined perimeters. The Rings of Trust model is designed to support communication from the secure side (i.e., the side closer to the core) to the insecure side. At the bottom of the image is the new model. Data exists independently of network boundaries and must not rely on any application, computer, or network for security.

In a perfect world, information would possess attributes to make sure that viewing or modifying data was restricted to authorized persons only. Data would be useless in the wrong hands. This approach, often referred to as Information Rights Management, IRM [4], entails more than just encrypting the data.

At present, many manufacturers are working on frameworks that support authentication and authorization directly at the data level – Oracle, EMC/RSA, and Microsoft DRM to name just a few. Some solutions are already available in part, although they are frequently tied in too closely to the DRM model. Thus far, it is hard to say which technology will assert itself. Standalone solutions are pointless; after all, de-perimeterization aims to facilitate the flow of information.

Some critical elements required to implement the vision of the perimeterless network are still missing – first and foremost, secure terminal devices. Although Linux has an excellent reputation in this respect, it is still too vulnerable. The inherently secure systems that de-perimeterization relies on should not be vulnerable to hijacking attacks on account of a minor programming error. And there is much to do on the application front. Web browsers in particular are continually in the news with critical security holes.

If you are a road warrior who works with a portable computer in hotel rooms, on customer premises, or at conferences, you know that today’s Internet is not far removed from the ideal of de-perimeterization. But danger lurks around every corner, whether from laptop theft or a carefully crafted attack on a protocol, application, or system. Let’s hope that de-perimeterization will give us better protection than today’s assortment of firewalls, virus scanners, and VPNs. ■

Figure 2: The Jericho Forum advocates policies, practices, services, and standards for a de-perimeterized Internet.

INFO
[1] Jericho Forum:
[2] Open Group:
[3] Open Software Foundation: Software_Foundation
[4] Oracle Information Rights Management: products/content-management/irm/

Commandments

The Jericho Forum’s vision for de-perimeterization is embodied in a document known as the Jericho Forum Commandments, which is available through the Jericho Forum page (Figure 2) of the Open Group website [1]. The 11 commandments of the Jericho Forum are:

Fundamentals

1. The scope and level of protection should be specific and appropriate to the asset at risk.
• Business demands that security enables business agility and is cost effective.
• Whereas boundary firewalls may continue to provide basic network protection, individual systems and data will need to be capable of protecting themselves.
• In general, it’s easier to protect an asset the closer protection is provided.

2. Security mechanisms must be pervasive, simple, scalable, and easy to manage.
• Unnecessary complexity is a threat to good security.
• Coherent security principles are required which span all tiers of the architecture.
• Security mechanisms must scale; from small objects to large objects.
• To be both simple and scalable, interoperable security “building blocks” need to be capable of being combined to provide the required security mechanisms.

3. Assume context at your peril.
• Security solutions designed for one environment may not be transferable to work in another. Thus it is important to understand the limitations of any security solution.
• Problems, limitations, and issues can come from a variety of sources, including geographic, legal, technical, acceptability of risk, etc.

Surviving in a Hostile World

4. Devices and applications must communicate using open, secure protocols.
• Security through obscurity is a flawed assumption – secure protocols demand open peer review to provide robust assessment and thus wide acceptance and use.
• The security requirements of confidentiality, integrity, and availability (reliability) should be assessed and built in to protocols as appropriate – not added on.
• Encrypted encapsulation should only be used when appropriate and does not solve everything.

5. All devices must be capable of maintaining their security policy on an untrusted network.
• A “security policy” defines the rules with regard to the protection of the asset.
• Rules must be complete with respect to an arbitrary context.
• Any implementation must be capable of surviving on the raw Internet, e.g., will not break on any input.

The Need to Trust

6. All people, processes, and technology must have declared and transparent levels of trust for any transaction to take place.
• Trust in this context is establishing an understanding between contracting parties to conduct a transaction and defining the obligations of each party.
• Trust models must encompass people/organizations and devices/infrastructure.
• Trust level may vary by location, transaction type, user role, and transaction risk.

7. Mutual trust assurance levels must be determinable.
• Devices and users must be capable of appropriate levels of “mutual” authentication for accessing systems and data.
• Authentication and authorization frameworks must support the trust model.

Identity, Management, and Federation

8. Authentication, authorization, and accountability must interoperate/exchange outside of your locus/area of control.
• People/systems must be able to manage permissions of resources and rights of users they don’t control.
• There must be capability of trusting an organization, which can authenticate individuals or groups, thus eliminating the need to create separate identities.
• In principle, only one instance of a person/system/identity may exist, but privacy necessitates the support for multiple instances, or one instance with multiple facets.
• Systems must be able to pass on security credentials/assertions.
• Multiple loci (areas) of control must be supported.

Access to Data

9. Access to data should be controlled by security attributes of the data itself.
• Attributes can be held within the data (DRM/Metadata) or could be a separate system.
• Access/security could be implemented by encryption.
• Some data may have “public, non-confidential” attributes.
• Access and access rights have a temporal component.

10. Data privacy (and security of any asset of sufficiently high value) requires a segregation of duties/privileges.
• Permissions, keys, privileges, etc. must ultimately fall under independent control, or there will always be a weakest link at the top of the chain of trust.
• Administrator access must also be subject to these controls.

11. By default, data must be appropriately secured when stored, in transit, and in use.
• Removing the default must be a conscious act.
• High security should not be enforced for everything; “appropriate” implies varying levels with potentially some data not secured at all.
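As an added illustration of commandments 9 and 10 (example code written for this page, not from the article or the Jericho Forum): a data object that carries its own security attributes, binds them to the content with an HMAC so they cannot be edited unnoticed, and makes the access decision from those attributes, the requester’s asserted role and the time alone, never from the network the request arrives on. The key, roles and dates are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime

# Constructed key for this illustration only. Commandment 10 puts the real
# key under independent control (a key-management authority), not the admin.
EXAMPLE_KEY = b"example-only-key-not-for-real-use"

def _tag(attrs: dict, payload: bytes, key: bytes) -> str:
    # One MAC over attribute header and content, so neither can be altered unnoticed.
    header = json.dumps(attrs, sort_keys=True).encode()
    return hmac.new(key, header + b"\n" + payload, hashlib.sha256).hexdigest()

def seal(payload: bytes, attrs: dict, key: bytes = EXAMPLE_KEY) -> dict:
    """Bind the security attributes to the data itself (commandment 9)."""
    return {"attrs": attrs, "data": base64.b64encode(payload).decode(),
            "tag": _tag(attrs, payload, key)}

def decide(obj: dict, subject: dict, now: str, key: bytes = EXAMPLE_KEY) -> str:
    """Return "allow" or a denial reason.

    Inputs are the object's own attributes, the subject's asserted role and
    the current time (ISO 8601 with offset). Source network or host is
    deliberately not an input: every network is treated as untrusted.
    """
    payload = base64.b64decode(obj["data"])
    if not hmac.compare_digest(_tag(obj["attrs"], payload, key), obj["tag"]):
        return "deny: attributes or content tampered with"
    a = obj["attrs"]
    if a.get("public"):  # "public, non-confidential" attribute
        return "allow"
    now_dt = datetime.fromisoformat(now)
    if not (datetime.fromisoformat(a["valid_from"]) <= now_dt
            < datetime.fromisoformat(a["valid_until"])):
        return "deny: outside validity window"  # access has a temporal component
    if subject.get("role") not in a["roles"]:  # applies to administrators too
        return "deny: role not authorised"
    return "allow"

def open_sealed(obj: dict, subject: dict, now: str, key: bytes = EXAMPLE_KEY):
    """Hand over the content only when the attribute check allows it."""
    if decide(obj, subject, now, key) != "allow":
        return None
    return base64.b64decode(obj["data"])
```

Encrypting the payload under the same attribute header (as commandment 9 also permits) would turn the deny decisions into data that is useless without the key; the MAC alone already makes the attributes tamper-evident.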