Richard Bejtlich blogs
One of the strengths of the Internet has been the fact that it inverted the telecom model, where the network was smart and the end device (the phone) was dumb. The traditional Internet featured a relatively dumb network whose main job was to get traffic from point A to point B. The intelligence was found in those end points. This Internet model simplified troubleshooting and allowed a plethora of protocols to be carried from point A to point B.
With so-called "intelligent networking," points A and B have to be sure that the network will transmit their conversation, and not block, modify, or otherwise interfere with that exchange to the detriment of the end hosts. As a security person I am obviously in favor of efforts to enforce security policies, but I am not in favor of adding another layer of complexity on top of existing infrastructures if it can be avoided.
Now network security mechanisms are great. And networks are a great place to deploy some securiyt mechanisms, because they have the potential for visibility and scalability at a system level. But what about the "smart" part of the system? Shouldn't they have security, too? What is the proportion of your organization's IT security spend on security for the network versus the other areas of the system? When you focus on securing the network you are improving assurance of your dialtone, but what about payloads, logic, behavior?
It is much more difficult to map security onto the apps, databases, hosts, et. al. in some cases, this is why we have not seen a huge vendor presence in this space, and vendors drive a lot of the security market. But that does not mean we should not do it, after all that is the solution space. Bruce Sterling wrote in Tomorrow Now that our current healthcare and medicine models are obsessed with hygiene, but in reality hygiene is just admitting that we are clueless about microbes, and the immune system -- you know -- the stuff that actually keeps us alive. Hey, I am not against hacking away and using things like network security and hygiene, I even use them both myself, but let's not think that these are the end goals in and of themselves.
Comments