Good points in a post by Hoff, "Cloud Providers and Security “Edge” Services – Where’s The Beef?" (emphasis added):
Yesterday I had a lively discussion with Lori MacVittie about the notion of what she described as “edge” service placement of network-based WebApp firewalls in Cloud deployments. I was curious about the notion of where the “edge” is in Cloud, but assuming it’s at the provider’s connection to the Internet as was suggested by Lori, this brought up the arguments in the post above: how does one roll out compensating controls in Cloud?
The level of difficulty and need to integrate controls (or any “infrastructure” enhancement) definitely depends upon the Cloud delivery model (SaaS, PaaS, and IaaS) chosen and the business problem trying to be solved; SaaS offers the least amount of extensibility from the perspective of deploying controls (you don’t generally have any access to do so) whilst IaaS allows a lot of freedom at the guest level. PaaS is somewhere in the middle. None of the models are especially friendly to integrating network-based controls not otherwise supplied by the provider due to what should be pretty obvious reasons — the network is abstracted.
For access control purposes, security is fairly straightforward: it's a game of subjects (like users, user agents, claims, and web services), objects (like resources, URIs, data, and service providers) and what Hoff calls metastructures (like identity and policy). Security is a word that is meaningless by itself; you always have to qualify it: data security, application security, network security and so on. So when people talk about "edge" security, what is it they propose to "secure"? An edge device? That's fine as far as it goes, but it's important to note that providing security services to a device on the edge doesn't do much of anything for either side of the edge. Too often people assume that securing the edge means everything "inside" the edge is also "secure", but this is smoke and mirrors for auditors, not security for your enterprise assets.
Whenever you evaluate security, and especially Cloud security, it's important to enumerate the subjects, objects and metastructures that you are extending security services to, instead of just describing some security service in the abstract. This problem is a pandemic in information security: the whole point of SOAP was that it was a firewall-friendly protocol designed to go through the firewall. That was 10 years ago, yet today information security still relies on SSL and network firewalls as primary protection mechanisms (what are they protecting?).
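As an added illustration of this enumeration (example code, not from the original post), the following Python models a constructed IaaS inventory of subjects, objects and the network zones each access crosses, then shows which enumerated accesses an "edge"-placed control actually mediates; every zone, subject, object and control name here is assumed for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Access:
    """One enumerated subject -> object interaction and the zones it traverses."""
    subject: str
    obj: str
    path: tuple  # network zones crossed in order, e.g. ("internet", "edge", "web")

@dataclass(frozen=True)
class Control:
    """A security service. boundary is the pair of adjacent zones a network-based
    control sits between; None marks a policy/identity control enforced at the object."""
    name: str
    boundary: Optional[tuple] = None

def mediates(ctrl: Control, acc: Access) -> bool:
    """A network-bound control only sees an access whose path crosses its boundary."""
    if ctrl.boundary is None:
        return True  # enforced on the object itself, whatever path the request took
    hops = set(zip(acc.path, acc.path[1:]))
    a, b = ctrl.boundary
    return (a, b) in hops or (b, a) in hops

def coverage(controls, accesses):
    """Map each access to the names of the controls that actually mediate it."""
    return {acc: [c.name for c in controls if mediates(c, acc)] for acc in accesses}

def uncovered(controls, accesses):
    """Accesses that no listed control mediates at all."""
    return [acc for acc, names in coverage(controls, accesses).items() if not names]

# Constructed inventory for a hypothetical IaaS deployment (assumed, not from the post).
ACCESSES = (
    Access("browser user", "/orders URI", ("internet", "edge", "web")),
    Access("web service", "orders database", ("web", "data")),
    Access("provider admin", "orders database", ("mgmt", "data")),
)
EDGE_CONTROLS = (Control("edge WAF", ("internet", "edge")),
                 Control("SSL termination", ("internet", "edge")))
# Adding a control bound to the object (identity + policy) rather than to a network edge.
OBJECT_CONTROLS = EDGE_CONTROLS + (Control("data-level access policy"),)

if __name__ == "__main__":
    for acc, names in coverage(EDGE_CONTROLS, ACCESSES).items():
        print(f"{acc.subject} -> {acc.obj}: {names or 'NO CONTROL'}")
```

Running it lists the two "inside" accesses as mediated by nothing when only edge controls are present, which is the gap the enumeration is meant to expose.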
Usenix LISA Training: Security in the Cloud (Hands-on) by Gunnar Peterson, Arctec Group
Who should attend: Security and software architects; anyone who needs to make design decisions for securing cloud technologies.
November 6, Baltimore
I think you might be surprised at the amount of security that actually is available in the "cloud." This notion that security appliances cannot be ported to a virtualized environment is so 2008. Firewall, VPN, IPS, and a decent amount of WAF are here. Throw in some additional auditing, centralized management, ability to isolate VMs, ability to control vMotion, the ability to deploy transparently, the inability for admins to switch off the security layer, and you've got a pretty decent option. Guys like Hoff might be a little too disconnected from what is currently offered, and right around the corner (EoY '09). It's not a Silver Bullet, but it is a full featured firewall (eeek...I know...firewalls are so 2001 with the hipsters but that Jericho thing never really stopped any attacks did it?). And what's with the constant SSL bashing in the developer community? No one ever said SSL would do much more than encrypt and authenticate the traffic. OWASP crack me up (BTW none of this is meant to be personal). Maybe you should take up your local Check Point SE's offer to meet for lunch sometime and find out what's just around the corner. ;)
Posted by: Fireverse | October 07, 2009 at 02:15 AM
@fireverse
You will still have the same security problems in the cloud as exist now. Insider threats are now cloud provider staff as well as your own. Can you protect someone's data from admins with passwords? How do you prove it?
That is where the Jericho thing comes into play, and it stops that kind of attack.
Posted by: Rob Lewis | October 07, 2009 at 09:26 PM
Rob,
I disagree. You have some of the same security problems, but certainly not all the same. For example I don't have to worry about hypervisor attacks if my apps are not in a cloud. The apps may still mostly have the same attacks, but the platforms are different and present their own challenges.
I work with some of the largest and most complex companies in the world, and I can tell you that Jericho is not even on the radar. It's a tired argument.
Anyone that sits back and snickers about firewalls and SSL, and how "useless" that approach is, either has not looked into security products in about a decade, is using Cisco, or works in an environment where those tools are not being used correctly (and yes we have a lot of worthless "security" professionals).
When I go to parts of the website of the company you work for (Googun) I receive an error page:
http://www.trustifier.com/solutions/
Variable Value
PAGEPATH pages/solutions/
PAGEURL //www.trustifier.com/solutions/
PAGEDIR pages/solutions
PAGECONTENT Content: content.html
PATHCONDITION /services2/webpages/t/r/trustifier.com/public/pages/solutions//content.html
CWD /services2/webpages/t/r/trustifier.com/public
ISDIR_CONDITION solutions
page solutions
Jericho obviously didn't work for Googun.com. However, if you were using a certain brand of firewall or WAF, I would be able to block that error message and keep an attacker from gleaning additional information.
I put a lock on my house because it is a reasonable amount of security and works most of the time. At this point it's a tough argument to claim that firewalls, IDS, and SSL are not reasonable levels of security that when used right knock out a huge swath of attacks. Defense in depth.
Can I protect cloud data from admins? With the right tools I can make it pretty damn difficult for them: which qualifies as protection. How do I prove it? Through audit trails. There are security offerings for the cloud. Certain people making claims that you can't run security appliances in the cloud are just plain uninformed (or stuck on Cisco offerings). Security appliances run software. That software can be ported to the cloud and has been if you are working with the right technologies. Defense in depth is available within the cloud.
People want to continue to put their faith in some sophomoric Jericho pipe dream? Go right ahead. But I'm not losing any deals to it, customers are not passing audits with it, and the DoD isn't using it.
Posted by: Fireverse | October 07, 2009 at 11:21 PM
@fireverse: here is a question for you - How many legs does a dog have if you count the tail as a leg?
Answer: four
Just because you say something is a leg, doesn't make it a leg.
The network firewall is part of network architecture; it has little to nothing to do with security. The only people who believe that it does are auditors and security people from the 1990s who enjoy this consensual hallucination:
http://1raindrop.typepad.com/1_raindrop/2008/07/the-network-firewall-is-a-consensual-hallucination.html
In any case, there are lots of attackers that are very glad your views about counting tails as legs are widely shared.
Posted by: Gunnar | October 08, 2009 at 07:28 AM
Uh yeah that "dog" analogy was stunning, but I suppose it's easier to be dismissive than address anything I wrote. It's unfortunate, but your blog seems to be a haven for a few people that have not looked at firewall technology since the 90s, and probably didn't even understand it back then. Glad to see too that you almost read most of my post as I mentioned more than just network firewalls. Who's binary?
Modern network firewalls work at more than just layer three and four. My point was not that security ends with network firewalls, it's part of this crazy thing called "defense in depth." I have yet to hear any firewall/IPS/WAF/DLP people say that you don't need to build security into the application as well.
"The network firewall is part of network architecture; it has little to nothing to do with security."
No you're right, "network firewalls" certainly don't provide any protections anymore...gee if only they could do something about the payload...you know understand what is being delivered to the different app layers, and then back to the client. IPS doesn't ever block or detect anything, and certainly not attacks. WAFs are non-existent and don't ever address anything that OWASP has been talking about. Injection attacks, buffer overflows, preventing error messages from being returned to the attacker...no none of this stuff is possible, and even if it was it doesn't qualify as "security" because you say so. Uh sure.
I suppose we should all just stop trying to knock out any malicious traffic on the wire because you say it has to happen within the app in order for it to really count as "security." Yeah there's tons of real world examples of only addressing security in the application and all its layers. Yep "security" as you define it is finally here so we can all throw away our network gear, and stop trying to develop any security that operates outside of the app as well. Who's hallucinating? Who's trying to call something a leg?
"In any case, there are lots of attackers that are very glad your views about counting tails as legs are widely shared."
Yeah I'm sure the theory you've been peddling here is shutting them down in droves.
Posted by: Fireverse | October 11, 2009 at 02:05 AM
@fireverse,
As far as I know our web site has not been up for several weeks due to changes that were supposed to be made, so I can't speak to that. Our CTO has been a bit too busy to get around to something that ranked pretty low on our list.
As far as Jericho goes, it is not achievable with status quo technology, but the arguments for it are sound. They had the vision, but lacked the capability to reach it. Perhaps they should have looked at us.
However, we do have DOD third party evaluation and verification of our product claims and a recommendation of sponsorship and EAL 6 certification.
What is more, at our appearance at CWID this June, the leading DOD Red Team was handed their first ever failed breach attempts (according to them) by Trustifier technology in a cross domain scenario. They were even unable to open target files when given administrative privileges with passwords. Can you do that in the cloud?
DoD is aware of Trustifier's capability for document level access control and immutable audit features. As far as I know, that was the desired goal of de-perimeterization.
If you want to judge a technology based on a four year old web site, there is nothing I can do about that.
Details of Trustifier can be found on page 34 of the CWID guide:
https://www.cwid.js.mil/public/2009-Orientation-Guide.pdf
As far as firewalls go, I don't know which firewall company you sell lemonade for, but we provided a 7 layer firewall about 5 years ago or so, when combined with Trustifier, but never actively promoted it as it is part of our own end-to-end enterprise offering. It went far beyond that limited app level awareness and whitelisting that is being hyped like a new kind of bread.
As far as Jericho, or DOD, well you know what they say about leading a horse to water...
Posted by: Rob Lewis | October 13, 2009 at 01:44 PM