Saturday, 10 March 2007

So what is enough?

I said in my last post that firewalls and AV weren't enough. So what is?
I've already said somewhere else in my posts that essentially we'll never have enough. However, there are sensible measures that we can take, especially in auditing and monitoring.

As firewalls drove attackers internally, businesses adopted new security measures to keep the good people good and make sure everyone was authorised to do their jobs, and nothing else. This worked... to an extent.

AAA, great idea: authenticate everyone coming into the network strongly, and authorise them to do the things they are permitted to do. Proxies, I am a big fan of the proxies; Bluecoat is a wonderful device, and improves in leaps and bounds with every release. Firewalls, by the way, will not feature much in my blogs, I dislike them intensely. They are far too overblown and popular for what they are. They are the Tom Cruise of the IT security world - a short man with a bad haircut and badly written software in a world where uglier and much taller devices have much more to offer the network. Sorry to mix metaphors, but you get my drift. [I am 6'6" incidentally.]

But as with all security ideas, this just created another problem. Now some of the internal users were cut off from causing harm. The opportunists mainly. But what of the rogue administrators, the CFOs and CTOs in full control of the network, the techie with a grudge? There are many.

Even if you have two-factor authentication in your network (and even now I know of very few corporate networks in Europe which do), once you're in, you have a much wider scope for causing harm. Whatever access you are limited to still tends to be granted at a group level. Temporary accesses are often granted and never removed, and many staff are transient by nature: outsourced, contracted or temporary workers. This creates even more headaches.
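The two failure modes above, temporary access that outlives its purpose and transient workers given access with no end date at all, are exactly what the auditing and monitoring I mentioned earlier should catch. As an added illustration (my own sketch, not a product or anyone else's code), here is a small audit over a constructed list of access grants; the users, resources and dates are hypothetical, and the worker-type labels are an assumption about how a real access register would be tagged.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class AccessGrant:
    user: str
    resource: str
    worker_type: str          # "employee", "contractor", "temp" or "outsourced" (assumed labels)
    granted: date
    expires: Optional[date]   # None means nobody recorded an end date
    active: bool              # still enabled in the directory / on the device

# Constructed sample register: hypothetical people and systems, not real records.
SAMPLE_GRANTS: List[AccessGrant] = [
    AccessGrant("alice", "hr-db",             "employee",   date(2006, 1, 10), None,              True),
    AccessGrant("bob",   "finance-share",     "contractor", date(2006, 11, 1), date(2007, 1, 31), True),
    AccessGrant("carol", "core-switch-admin", "temp",       date(2006, 9, 5),  None,              True),
    AccessGrant("dave",  "finance-share",     "contractor", date(2006, 12, 1), date(2007, 6, 30), True),
    AccessGrant("erin",  "hr-db",             "contractor", date(2006, 3, 1),  date(2006, 9, 1),  False),
]

# The day the audit is run (the date of this post, chosen for the example).
AUDIT_DATE = date(2007, 3, 10)

TRANSIENT_TYPES: Tuple[str, ...] = ("contractor", "temp", "outsourced")

def stale_grants(grants: List[AccessGrant], today: date) -> List[AccessGrant]:
    """Grants that are still active although their recorded expiry date has passed."""
    return [g for g in grants
            if g.active and g.expires is not None and g.expires < today]

def open_ended_transient_grants(grants: List[AccessGrant],
                                transient_types: Tuple[str, ...] = TRANSIENT_TYPES) -> List[AccessGrant]:
    """Active grants to transient workers that were issued with no end date at all."""
    return [g for g in grants
            if g.active and g.worker_type in transient_types and g.expires is None]

def audit(grants: List[AccessGrant], today: date) -> List[str]:
    """One finding line per problem, for the resource owner to confirm or revoke."""
    findings = []
    for g in stale_grants(grants, today):
        findings.append(f"STALE: {g.user} still holds {g.resource}, expired {g.expires.isoformat()}")
    for g in open_ended_transient_grants(grants):
        findings.append(f"NO-EXPIRY: {g.worker_type} {g.user} holds {g.resource} with no end date")
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE_GRANTS, AUDIT_DATE):
        print(line)
```

Run regularly against whatever the access register actually is (directory group membership, device local accounts, proxy policy), the two lists are the ones to put in front of each resource owner: either the access is re-justified with a new end date, or it goes.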

Network Access Control, or NAC, is a big thing these days. Cisco and MS are making their typical dog's dinner of the whole affair. One vendor who I think will come out on top is ConSentry. Small at present, but nimble and receptive to input. The European SE is an ex-colleague of mine, Sean Remnant, and if he thinks it's good, it most probably is.

The only thing that worries me about these issues is the focus which we are still seeing. AAA is user security; NAC is network security with user security tied in; but firewalls were network security too, and they didn't solve the bigger picture. Two-factor and three-factor AAA hasn't made the threat go away. What are we doing wrong?

In my next post I will examine a full transaction from end to end and discuss what is needed to secure the whole thing.
