« Do not discount what matters | Main | Training Security People »

Comments

Fireverse

I think you might be surprised at the amount of security that actually is available in the "cloud." This notion that security appliances cannot be ported to a virtualized environment is so 2008. Firewall, VPN, IPS, and a decent amount of WAF are here. Throw in some additional auditing, centralized management, ability to isolate VMs, ability to control vMotion, the ability to deploy transparently, the inability for admins to switch off the security layer, and you've got a pretty decent option. Guys like Hoff might be a little too disconnected from what is currently offered, and right around the corner (EoY '09). It's not a Silver Bullet, but it is a full featured firewall (eeek...I know...firewalls are so 2001 with the hipsters but that Jehrico thing never really stopped any attacks did it?). And what's with the constant SSL bashing in the developer community? No one ever said SSL would do much more than encrypt and authenticate the traffic. OWASP crack me up (BTW none of this is meant to be personal). Maybe you should take up your local Check Point SE's offer to meet for lunch sometime and find out what's just around the corner. ;)

Rob Lewis

@fireverse

You will still have the same security problems in the cloud as exist now. Insider threats are now cloud provider staff as well as your own. Can you protect someone's data from admins with passwords? How do you prove it?

That is where the Jericho thing comes into play, and it stops that kind of attack.

Fireverse

Rob,

I disagree. You have some of the same security problems, but certainly not all the same. For example I don't have to worry about hypervisor attacks if my apps are not in a cloud. The apps may still mostly have the same attacks, but the platforms are different and present their own challenges.

I work with some of the largest and most complex companies in the world, and I can tell you that Jericho is not even on the radar. It's a tired argument.

Anyone that sits back and snickers about firewalls and SSL, and how "useless" that approach is either has not looked into security products in about a decade, is using Cisco, or works in an environment where those tools are not being used correctly (and yes we have a lot of worthless "security" professionals).

When I go to parts of the website of the company you work for (Googun) I received an error page:

http://www.trustifier.com/solutions/

Variable Value
PAGEPATH pages/solutions/
PAGEURL //www.trustifier.com/solutions/
PAGEDIR pages/solutions
PAGECONTENT Content: content.html
PATHCONDITION /services2/webpages/t/r/trustifier.com/public/pages/solutions//content.html
CWD /services2/webpages/t/r/trustifier.com/public
ISDIR_CONDITION solutions
page solutions

Jericho obviously didn't work for Googun.com However, if you were using a certain brand of firewall or WAF, I would be able to block that error message and keep an attacker from gleaning additional information.

I put a lock on my house because it is a reasonable amount of security and works most of the time. At this point it's a tough argument to claim that firewalls, IDS, and SSL are not reasonable levels of security that when used right knock out a huge swath of attacks. Defense in depth.

Can I protect cloud data from admins? With the right tools I can make it pretty damn difficult for them: which qualifies as protection. How do I prove it? Through audit trails. There are security offerings for the cloud. Certain people making claims that you can't run security appliances in the cloud are just plain uninformed (or stuck on Cisco offerings). Security appliances run software. That software can be ported to the cloud and has been if you are working with the right technologies. Defense in depth is available within the cloud.

People want to continue to put their faith in some sophomoric Jericho pipe dream? Go right ahead. But I'm not losing any deals to it, customers are not passing audits with it, and the DoD isn't using it.

Gunnar

@fireverse: here is question for you - How many legs does a dog have if you count the tail as a leg?

Answer: four

Just because you say something is a leg, doesn't make it a leg.

The network firewall is part of network architecture it has little to nothing to do with security; the only people who believe that it does are auditors and security people from the 1990s who enjoy this consensual hallucination

http://1raindrop.typepad.com/1_raindrop/2008/07/the-network-firewall-is-a-consensual-hallucination.html

In any case, there are lots of attackers that are very glad your views about counting tails as legs are widely shared.

Fireverse

Uh yeah that "dog" analogy was stunning, but I suppose it's easier to be dismissive than address anything I wrote. It's unfortunate, but your blog seems to be a haven for a few people that have not looked at firewall technology since the 90s, and probably didn't even understand it back then. Glad to see too that you almost read most of my post as I mentioned more than just network firewalls. Who's binary?

Modern network firewalls work at more than just layer three and four. My point was not that security ends with network firewalls, it's part of this crazy thing called "defense in depth." I have yet to hear any firewall/IPS/WAF/DLP people say that you don't need to build security into the application as well.

"The network firewall is part of network architecture it has little to nothing to do with security."

No you're right, "network firewalls" certainly don't provide any protections anymore...gee if only they could do something about the payload...you know understand what is being delivered to the different app layers, and then back to the client. IPS doesn't ever block or detect anything, and certainly not attacks. WAFs are non-existent and don't ever address anything that OWASP has been talking about. Injection attacks, buffer overflows, preventing error messages from being returned to the attacker...no none of this stuff is possible, and even if it was it doesn't qualify as "security" because you say so. Uh sure.

I suppose we should all just stop trying to knock out any malicious traffic on the wire because you say it has to happen within the app in order for it to really count as "security." Yeah there's tons of real world examples of only addressing security in the application and all its layers. Yep "security" as you define it is finally here so we can all throw away our network gear, and stop trying to develop any security that operates outside of the app as well. Who's hallucinating? Who's trying to call something a leg?

"In any case, there are lots of attackers that are very glad your views about counting tails as legs are widely shared."

Yeah I'm sure the theory you've been peddling here is shutting then down in droves.

Rob Lewis

@fireverse,

As far as I know our web site has not been up for several weeks due to changes that were supposed to be made, so I can't speak to that. Our CTO has been a bit too busy to get around to something that ranked pretty low on our list.

As far as Jericho goes, it is not achievable with status quo technology, but the arguments for it are sound. They had the vision, but lacked the cability to reach it. Perhaps they should have looked at us.

However, we do have DOD third party evaluation and verification of our product claims and a recommendation of sponsorship and EAL 6 certification.

What is more, at our appearance at CWID this June, the leading DOD Red Team was handed their first ever failed breach attempts (according to them) by Trustifier technology in a cross domain scenerio. They were even unable to open target files when given administrative privileges with passwords. Can you do that in the cloud?

DoD is aware of Trustifier's capability for document level access control and immutable audit features. As far as I know, that was the desired goal of de-perimeterization.

If you want to judge a technology based on a four year old web site, there is nothing I can do about that.

Details of Trustifier can be found on page 34 of the CWID guide:

https://www.cwid.js.mil/public/2009-Orientation-Guide.pdf

As far as firewalls go, I don't know which firewall company you sell lemonade for, but we provided a 7 layer firewall about 5 years ago or so, when combined with Trustifier, but never actively promoted it as it is part of our own end-to end enterprise offering. It went far beyond that limited app level awareness and whitelisting that is being hyped like a new kind of bread.

As far as Jericho, or DOD, well you know what they say about leading a horse to water...

The comments to this entry are closed.