Friday, 31 October 2008

Pitchforks in sheds

I once heard someone describe network tools as 'pitchforks in sheds' - the basic premise being that although the tools themselves were all incredibly useful, without someone to use them, they are essentially useless.

I've looked at a lot of security tools in my time, and have seen some great ones. HP recently showed me WebInspect, which looks like a great hacking tool on its own, and an awesome development and QA tool in conjunction with other pieces of software in the family. They obviously know this, because they invited me to a dinner which I sadly couldn't make. I always think that when a company is confident enough to invite critics to a dinner, the tool is probably a market leader which wants to stay in that position. If it's just a presentation, then it's probably a start-up. Just a thing I've noticed over the years... anyway, back to the point.

There are a great many tools out there which are very useful for networks, security focused or otherwise. However, without someone to roll out, manage, and insert them into processes - i.e. to get them used now and in the future - you may as well make a big pile of company cash in the car park and have bonfire night early.

Wednesday, 29 October 2008

Build your own network

I had an interesting security conversation today, about network architecture. Hmm... don't run away just yet.

I think we'd all agree that it is safest to keep your production networks away from your testing networks, and to make sure the data in your test areas is not live sensitive data - I'm not going to go over well-trodden ground.

I also think most would agree that splitting web servers from applications, and both from data, is the way forward, and using firewalls to split them out is only sensible. We may also split out external and internal DMZs on the external and internal firewalls, and of course our internal LAN. This is all stuff that can be found in books and on websites, of course.

But what of the relatively new worlds of web services and 'cloud computing'? I chuckled recently when these were referred to as Marketecture. In reality, these don't change anything about the way we build systems, in fact sometimes they are just making it unnecessarily complicated for the poor souls designing and building it.

Back to my interesting conversation though. Picture if you will a 3-tier network: an external firewall with the external DMZ hanging off it, and an internal firewall with the LAN and data tiers hanging off it. Where do you put the application tier?

My companion pointed to a case where it was also hanging off the internal firewall, and asked whether it shouldn't be attached to the external firewall as well. I argued the point that it didn't really matter as you could just punch a hole through the internal firewall anyway, but is that really such a good idea? No, not really, so I capitulated, and realised that that was in fact how I have always done it in practical terms, I'd just never really thought about it too hard until faced with the direct question.

The fact of the matter is, the diagrams we draw of these things are really only ever representative. I don't think I've ever seen a network diagram which could be used to trace a real physical network - to make the important decisions, yes - to dismantle and rebuild, no.
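To make the question above concrete, here is a small added example (my own illustration, not code from the original post) that models the layout settled on: web DMZ on the external firewall, app DMZ, data and LAN on the internal firewall. It audits a rule set for flows that skip a tier, and works out which firewall(s) each rule has to live on. The zone names, the adjacency table and the sample rules are all assumptions chosen to match the diagram described in the post; the adjacency table is the bit you would edit for your own network.

```python
"""Tier-adjacency check for the three-tier layout above.

Added example, not code from the original post. The zone names, which
firewall each zone hangs off, and the sample rule set are all assumptions
chosen to match the diagram described in the post.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Which firewall each zone hangs off: external DMZ on the external firewall,
# app DMZ, data and LAN on the internal one (the layout settled on above).
ZONE_FIREWALL: Dict[str, str] = {
    "internet": "external",
    "web": "external",
    "app": "internal",
    "data": "internal",
    "lan": "internal",
}

# Directed zone pairs a rule may join. Anything not listed skips a tier.
# This table is the design decision; adjust it to your own layout.
ADJACENT: FrozenSet[Tuple[str, str]] = frozenset({
    ("internet", "web"),
    ("web", "app"),
    ("app", "data"),
    ("lan", "app"),
})


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def firewalls_on_path(src: str, dst: str) -> FrozenSet[str]:
    """Firewalls a src -> dst flow must be permitted on.

    Zones on different firewalls are joined via the link between the two, so
    the flow crosses both and needs a rule on each. With the app tier on the
    internal firewall, web -> app is a two-firewall change; web -> data would
    be too, which is the "hole through the internal firewall" to avoid.
    """
    if src == dst:
        return frozenset()  # intra-zone traffic never touches a firewall
    return frozenset({ZONE_FIREWALL[src], ZONE_FIREWALL[dst]})


def audit(rules: List[Rule]) -> List[Tuple[Rule, str]]:
    """Return (rule, reason) for every rule that breaks the tier model."""
    findings: List[Tuple[Rule, str]] = []
    for r in rules:
        if r.src not in ZONE_FIREWALL or r.dst not in ZONE_FIREWALL:
            findings.append((r, "unknown zone"))
        elif r.src != r.dst and (r.src, r.dst) not in ADJACENT:
            findings.append((r, f"skips a tier: {r.src} -> {r.dst}"))
    return findings


def rules_per_firewall(rules: List[Rule]) -> Dict[str, List[Rule]]:
    """Group the rules by the firewall(s) each must be configured on."""
    out: Dict[str, List[Rule]] = {"external": [], "internal": []}
    for r in rules:
        if r.src in ZONE_FIREWALL and r.dst in ZONE_FIREWALL:
            for fw in firewalls_on_path(r.src, r.dst):
                out[fw].append(r)
    return out


# Constructed sample rule set: four rules that follow the tiers, plus the
# two shortcuts a tired engineer is tempted to add.
SAMPLE_RULES: List[Rule] = [
    Rule("internet", "web", 443),
    Rule("web", "app", 8443),
    Rule("app", "data", 1433),
    Rule("lan", "app", 8443),
    Rule("web", "data", 1433),      # web straight to the database
    Rule("internet", "app", 8443),  # internet straight past the web tier
]

if __name__ == "__main__":
    for rule, why in audit(SAMPLE_RULES):
        print(f"{rule.src}->{rule.dst}/{rule.proto}:{rule.dport}  {why}")
    for fw, rs in rules_per_firewall(SAMPLE_RULES).items():
        print(fw, "firewall needs", len(rs), "rules")
```

Run it and the two shortcut rules are reported as skipping a tier, while the grouping shows that a web-to-app flow needs a change on both firewalls once the app tier sits behind the internal one. That double change is the cost of the layout, and also the reason a web-to-data shortcut is harder to add by accident.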

Wednesday, 15 October 2008

In my opinion...

It's funny, I keep getting invited to dinners, phone calls, webinars, etc... by people who have done surveys, created documents, got an expert in, etc... and I keep on politely turning things down. Not because I don't want to speak to people, far from it, I'd love to talk all day, but because I have more pressing engagements, and my life, to get on with.

I received a missive from Compuware earlier in the week, who have actually done a really good job of surveying IT professionals and printing out some relevant statistics. It makes a refreshing change from previous surveys I've had to rip apart here. Having said that, I'm not really 100% sure what they are trying to achieve with it, and fully expect them to explain by return of mail tomorrow...

HP have also come knocking, with an invitation to dinner up in London in a couple of weeks. On a Monday night. I don't know about you guys, but I have busy weekends, stay up late, watch "Poker After Dark" (Hellmuth is a dick, isn't he?), occasionally even play poker and even less frequently win, but I'm always up past my bedtime. Monday morning, I get up at 6am, drive to the gym, churn out a couple of k's, and by the time I go home I'm ready for anything except getting on a train to London. I'm normally asleep on the sofa by 6:30pm.

I know exactly why they approached me though, and I AM interested in what they have to say, just not in London on a Monday night. Southampton on a Wednesday lunchtime, when they're paying, different matter entirely. And I think that's really my point here.

Neither of these companies is wrong, bad, or even out of line. They have both done good things, reached out to me in a polite and positive way. However, I can't help thinking that something isn't working. How much research gets done in the name of security, only to find that 70% of attacks/breaches/losses are accidental/internal/external/laptops? How much of it do you read?

How many solicitations do you receive on a daily basis for your opinion/answers/blog space/ or just to plain sell to you? How do you like it?

I like the personal approach, and don't even mind when it comes through a third party, although I'd prefer it was direct from the companies themselves - shows more respect somehow. Just a perception maybe?

I like the offer of something for my time/blog space/amazing company - it doesn't have to be much, but I kind of value my time, and it doesn't normally come that cheap.

I hate being sold to. I've worked for vendors all my working life in one way or another, and know what every sales cue sounds like a mile away. I will most likely lead you down a very inviting path and slam the door in your face rather than buy anything, sorry, but I just don't own the budget, I'm a contractor. By the way, you can hire me... :)

Monday, 13 October 2008

Dog eat dog

I had lunch a couple of months back with David Lacey, one of the thought leaders of the Jericho Forum (who I STILL think have the right idea, in case anyone was wondering). We talked about literally hundreds of different topics, but one which has stuck in my mind was about how good companies often lose out to not-as-good companies.

Hands up who remembers Dr. Solomon? Arguably the best anti-virus of its day, 10 years ago, this neat little tool was as cool as digital watches had been 10 years previously, and on the way up. Today, type Dr. Solomon into Google, and you get McAfee. They used to fight like cats and dogs, but McAfee continues on - did they maybe acquire them?

And who is the biggest of them all? Well, it's Symantec, the fourth largest software company in the world, who just spent a whopping $785m on MessageLabs in the middle of the biggest economic downturn in 80 years. Symantec, who previously bought Vontu, Veritas, Norton, etc... deep pockets, but I'm not 100% convinced it has bought all the best toys, just the shiniest.

And in this game, that seems to be what counts. I commented last week about the RSA and InfoSec shows not being what they used to be. I like nurses' uniforms as much as the next man, but it isn't security. The big stands go for tens of thousands of pounds, and I can't help feeling we're losing out on some great ideas, more so as we hit recession head on.

It's time to batten down the hatches for everyone, so I wonder how this will affect further acquisitions? Sadly I think we will see some good little companies being snapped up for less than they're worth. Happily I think we'll see more development taken in-house, and more of these developers looking for safer permanent jobs. Maybe Symantec will come up with some ideas of their own instead of buying up all the other good ones?

Wednesday, 8 October 2008

All the shows

I've been ignoring the usual slew of mails I get telling me that RSA Europe is just around the corner, not because I don't care about the shows any longer, but because I can't see myself going this year due to work commitments. Not that I don't want to go either, it's always interesting to see what's up and coming, and who has made enough money to get there this year as the prices escalate still further.

I have a couple of issues with the RSA show, the most off-putting being that it is miles out in Docklands, and takes me 2 hours to get to by train, and longer by car. There is ample parking of course, but at a crazy cost which ensures I will only be able to afford to stay for an hour or so.

And maybe that's enough for shows these days. To be clear, I'm not anti-RSA, I enjoy their shows, they flew me out to San Francisco earlier this year (with disastrous results sadly) and gave me a free conference pass, just for writing something about encryption, so in fact I probably owe them. Without SecurID I wouldn't have started in security in the first place, so maybe they owe me. :)

The problem with the RSA show, and InfoSec is that they have become the victims of their own success, and IT Security companies are no longer the one or two-man band start-ups from a garage, but multi-national corporations with oodles of cash to spend on flashy marketing and shiny suits.

The first RSA shows were a group of like-minded guys in sandals with long hair showing each other what cool stuff they could do. I wish it was more like that now. I fear, however, that we have lost those days forever. In their place, I suppose, the 21st century marches on, but that doesn't mean I don't miss the BBC Model B, ZX81 and the Amstrad 464 either.

Sunday, 5 October 2008

Rewriting the Code

"Can you take a quick look at this please, Rob?"

The 'Group' of which our company is the shining star (i.e. highest returns) has been trying to put together what they refer to as a 'Code of Connection', such that everyone who attaches to our Global WAN comes under the same set of rules. Sounds like a reasonably simple task, you might think, unless of course you had ever had to write one yourself... I, however, did not have to write one, merely cast a critical eye over the work in progress before me, and comment on it.

Half an hour later I emerged from my task, confused and rubbing my eyes. I had a thought which I am positive anyone practicing security today will have experienced - "there's a lot of words there, but I'm not certain that everything's been covered, I have no proof..."

Basically, I had no idea what was required from the Code, because I didn't know what it was trying to be. So, a quick Google search revealed to me what I was looking for, the difference between Policy, Standard and Procedures.

This is when the trouble started. I went back with a handful of notes which I'd put together in PowerPoint and printed off. Having explained the differences, I was asked to pull everything out of the Code of Connection that wasn't Policy, and send it back to the IT Security team.

I then spent 3 days putting things into tables, deleting headlines and putting them back in, writing bits, deleting them again, and generally getting in a mess.

Realising that I needed a better reference, I went back to basics, and pulled out the IT Policy. To my surprise, I noticed that the Policy was actually called "IT Standards", a collection of Standards from across the group, all in one place.

I think I may have just created a monster. I'll let you know how it goes...