Monday, 24 September 2007

We shall fight them at the perimeter...

I was interested to read all the Jericho stuff going around recently. One thing I wanted to put right immediately was Stiennon's reference to Jericho being like the Flat Earth Society. That's completely the wrong way around. Everyone used to believe the world was flat, up until, ooh, I don't know, maybe Aristotle, Strabo or Ptolemy, who all wrote about it. Yes, the Ancient Greeks knew way in advance of Columbus. That's not the point though: only in the last 2000 years have the educated believed, then proved, then observed that the Earth is in fact round.

Networks are nowhere near as old as the Earth. However, people laughed, mocked, criticised and ostracised those who believed in the round earth theory before it was commonly accepted - even though it was right. Jericho is much more like the round earth theory. It is old school network security which hasn't moved with the times. The Flat Earth Society are a bunch of misinformed people who hang on to old thinking, ignore proof and science and construct paranoid theories because it suits their ends. I'm saying nothing more.

I have met with Andrew Yeomans a couple of times, once when I was a spotty young thing, once more recently, and I am fairly familiar with the Forum's work as a result of these meetings. After I posted a sarcastic message on Hoff's recent post about how Andrew failed to recognise me at InfoSec (hardly surprising now I have blossomed into a rugged hunk of a man), I had a mail from him, apologising. After I'd cleared up the coffee that I'd spat all over my desk, I dropped him a mail back to see how things were going.

First of all he pointed me here, as many of my questions were for personal reasons and I wanted to know how I could get involved. Then he must have got sidetracked, because he went on to clarify things in a much more verbose way. Rather than spoil this with too much of my own moribund rhetoric, here are the salient points, straight from the horse's outbox:

"One key message is that "de-perimeterisation" is the business problem, not the proposed security solution. If we believed we could still maintain a neat defensive perimeter around our networks, I'm sure we would do so as it makes our work easier. But the business requirements drive us to do business - on equal terms - with partners; they ask us to outsource the management of IT assets; and they ask us to support connections for business partners within our networks. And those requirements mean that the traditional firewall defences are just becoming less useful as a true security measure, as we've already let outsiders into the networks."

This sums up my feelings about the current state of security very neatly. Anyone still crapping on about network security these days has missed the boat and needs a new haircut. Sorry, I knew if I started saying stuff it would end up sounding bitchy... back to AY:

"We still see some point of firewalls and other types of network defence, but they are in transition, moving from the old days of attempting to provide confidentiality and integrity, into the new view of providing availability or quality-of-service. So the firewalls filter out network junk; but the networks and systems should be designed to continue to function even if that junk got through."

So, Andrew even doffs his cap to the firewall/IDS crowd, but then makes the real point which is at the heart of all of this - the systems should be designed to continue to function, whatever gets through. Then, in time, the perimeter stuff is totally UNnecessary. This isn't his view, it's mine: I don't see the point of these lumbering great boxes all round the perimeter. As he says, they just become availability management boxes, and that can be built into software. OK, I admit they have their place now because the data security hasn't yet been built in, but they will disappear in favour of something more... virtual? distributed? a framework? A virtual distributed framework? Software at any rate. Take off the blinkers, look at the patterns, look into the future.

Is that the problem we have here, that the Jericho Forum is looking too far forward for anyone to take it seriously? For all the talking, I would have expected bloggers at least to understand these points a bit better: they are not going to arrive on your doorstep in the morning. If I wanted to sell something that was popular now I'd make yet another NAC device.

"We realise that this has not always been understood in the media, so have been thinking of ways to present this more clearly. I came up with the term "Collaboration Oriented Architecture" though there's still debate whether that is the best terminology.

We have had debates whether this is de-perimeterisation or re-perimeterisation or micro-perimeterisation or whatever. The terminology might help the product marketing buzzword people, but it's not proven very useful when it comes to designing a security architecture. Of course we have Policy Decision Points and Policy Enforcement Points; and you could join these and say that's where the perimeter is. But when those PEPs and PDPs go round mobile items of data, it's a moot point to say it's a perimeter at all. As for "fractal perimeters", that might sound buzzword compliant, but I won't believe it has any real meaning until someone measures the fractal dimension."

Yes, "fractal perimeters" does indeed sound like some marketing turd with a linear constant greater than or equal to 1. Please ignore them as if your reputation depends on it. It will do. It doesn't even sound buzzword compliant to my ears, just bollocks, but Andrew is far too constructive and polite to say that.

I hope that's cleared a few things up for you nay-sayers and non-believers. Andrew parenthesises at the end of his mail, in case you were wondering: the coastline of Great Britain has a fractal dimension of around 1.24.
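To make the two architectural points in Andrew's mail concrete (firewalls reduced to filtering junk while the system keeps working whatever gets through, and PDPs and PEPs that "go round mobile items of data" rather than round a network), here is a small added example. It is not code from this post or from the Jericho Forum; the class names, the policy fields and the sample requests are all constructed for the illustration. The policy is attached to the data item itself, the decision point evaluates only the requester's identity, organisation and device state, and the network the request arrived from is recorded for audit but never consulted, so an "inside" request gets no free pass and an "outside" one no automatic refusal.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple

# All classes and sample data below are hypothetical, constructed for this illustration.


@dataclass(frozen=True)
class Principal:
    """Who is asking. `network` is kept for the audit trail only; the PDP never reads it."""
    user: str
    org: str
    device_managed: bool
    network: str


@dataclass(frozen=True)
class Policy:
    """Access rules that travel with a data item wherever it is copied."""
    allowed_orgs: frozenset
    allowed_actions: frozenset
    require_managed_device: bool = False


@dataclass(frozen=True)
class DataItem:
    name: str
    content: str
    policy: Policy  # the perimeter, such as it is, is drawn round this object


class PolicyDecisionPoint:
    """Evaluates the item's own policy against the requesting principal and action."""

    def decide(self, principal: Principal, item: DataItem, action: str) -> Tuple[bool, str]:
        policy = item.policy
        if action not in policy.allowed_actions:
            return False, f"action '{action}' not allowed on {item.name}"
        if principal.org not in policy.allowed_orgs:
            return False, f"org '{principal.org}' not allowed on {item.name}"
        if policy.require_managed_device and not principal.device_managed:
            return False, f"{item.name} requires a managed device"
        return True, "permitted"


class PolicyEnforcementPoint:
    """Wraps one DataItem: every access is mediated by the PDP and logged."""

    def __init__(self, item: DataItem, pdp: PolicyDecisionPoint) -> None:
        self._item = item
        self._pdp = pdp
        self.audit: List[Tuple[str, str, str, bool, str]] = []

    def access(self, principal: Principal, action: str) -> str:
        allowed, reason = self._pdp.decide(principal, self._item, action)
        self.audit.append((principal.user, principal.network, action, allowed, reason))
        if not allowed:
            raise PermissionError(reason)
        return self._item.content


def decision_is_network_independent(pdp: PolicyDecisionPoint, principal: Principal,
                                    item: DataItem, action: str) -> bool:
    """Re-run the same request as if it came from the LAN and from the internet."""
    inside = pdp.decide(replace(principal, network="internal-lan"), item, action)
    outside = pdp.decide(replace(principal, network="internet"), item, action)
    return inside == outside


def run_scenarios() -> Tuple[Dict[str, str], List[Tuple[str, str, str, bool, str]]]:
    pdp = PolicyDecisionPoint()
    # Constructed sample item: readable by two organisations, from managed devices only.
    contract = DataItem(
        name="partner-contract.pdf",
        content="<constructed contract text>",
        policy=Policy(
            allowed_orgs=frozenset({"acme", "partnerco"}),
            allowed_actions=frozenset({"read"}),
            require_managed_device=True,
        ),
    )
    pep = PolicyEnforcementPoint(contract, pdp)

    # Constructed requests: being on the internal LAN buys nothing, being outside costs nothing.
    scenarios = {
        "employee_inside_unmanaged_read": (Principal("alice", "acme", False, "internal-lan"), "read"),
        "partner_outside_managed_read": (Principal("bob", "partnerco", True, "internet"), "read"),
        "stranger_inside_managed_read": (Principal("eve", "otherco", True, "internal-lan"), "read"),
        "partner_outside_managed_edit": (Principal("bob", "partnerco", True, "internet"), "edit"),
    }
    outcomes: Dict[str, str] = {}
    for label, (principal, action) in scenarios.items():
        try:
            pep.access(principal, action)
            outcomes[label] = "allowed"
        except PermissionError as exc:
            outcomes[label] = f"denied: {exc}"
    return outcomes, pep.audit


if __name__ == "__main__":
    outcomes, audit = run_scenarios()
    for label, outcome in outcomes.items():
        print(f"{label:32} {outcome}")
```

The audit trail still records where each request came from, which is the residual job left to the network layer here: telemetry, not trust.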
