Quit Complicating Our Controls
After reading LonerVamp’s take on the application aware firewall, I started to wonder why people constantly want to consolidate their controls. This is not a new debate, and DarkReading’s article Firewalls Ready for Evolutionary Shift is not groundbreaking, as the integration of firewalls and other security technologies has been bouncing around for years. Indeed, here we see Marcus J. Ranum talking about it in a post dated Fri, 29 Mar 2002 12:00:29 -0500:
“I suspect you are referring to “intrusion prevention” - which is a hot new marketing term but basically everything that’s being billed as “intrusion prevention” is just firewalling + antivirus with a bit of fresh paint on it.”
I’m willing to bet he has changed his tune a little bit since then, but the evolution of firewalls with additional integrated controls has been going on since 2002 at least.
Of course I can see why people desire to integrate the technologies.
- It is more cost effective to have two or more technologies on one piece of hardware.
- You only have to manage one box.
- The controls can augment each other more effectively and efficiently (according to the advertising on the box).
- Firewalls usually represent a choke point to external and potentially hostile environments.
- Vendors can market it as the Silver Bullet (no relation to Gary McGraw’s podcast) of controls.
- “The next-generation firewall will have greater blocking and visibility into types of protocols,” says Greg Young, research vice president for Gartner.
- etc
Well, I have a problem with all of this. Why are we making our controls more complex? Complexity leads to vulnerabilities. Vulnerabilities lead to exploits. Exploits lead to compromises. Compromises lead to loss.
Certainly, everything has vulnerabilities. But that is exactly my problem with placing multiple controls on one system. Fine, if my firewall has a vulnerability then it can be bypassed and my organization is screwed until we can respond. But I would prefer that my firewall was not bypassed because of a vulnerability in another control, like a protocol analyzer or an intrusion detection system, that happens to share the same box and, often, the same privileges. Oh wait, these will be newer technologies with better software development practices, so there should not be any additional vulnerabilities that allow for exploitation of the system or bypass of the controls... right?
Don’t get me wrong. I am all for developing new technologies that will allow organizations to analyze their traffic so that they get a better picture of what is traversing and exiting their networks. I just think they will be more effective if they are deployed so that they augment each other’s control measures instead of threatening them by increasing the risk through complexity. Controls should reduce risk, not increase it.
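A constructed illustration of the failure mode above, added here and not part of the original post or of any product’s code: a toy default-deny packet filter with an FTP application-layer gateway (ALG) bolted on. The ALG parses PORT commands from the untrusted control channel so that active-mode data connections can get through, which is exactly the kind of extra parsing an application-aware firewall takes on. All addresses, ports, and the two ALG variants are assumptions made for the example. With the careless parser, a bug that lives entirely in the “protocol analyzer” opens a hole the static firewall policy never allowed; the hardened variant binds every pinhole to what the control connection already established.

```python
"""Toy packet filter plus FTP ALG. Constructed example, not code from the
post or from any firewall product; all addresses and ports are made up."""
from dataclasses import dataclass
from typing import Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# (src_ip or "*" for any, src_port or 0 for any, dst_ip, dst_port)
Pinhole = Tuple[str, int, str, int]


class Firewall:
    """Default-deny filter: a static allow list plus dynamic pinholes."""

    def __init__(self, static_allow: Set[Tuple[str, int]]):
        self.static_allow = set(static_allow)
        self.pinholes: Set[Pinhole] = set()

    def allows(self, p: Packet) -> bool:
        if (p.dst_ip, p.dst_port) in self.static_allow:
            return True
        for s_ip, s_port, d_ip, d_port in self.pinholes:
            if (s_ip in ("*", p.src_ip) and s_port in (0, p.src_port)
                    and d_ip == p.dst_ip and d_port == p.dst_port):
                return True
        return False


def parse_port(cmd: str) -> Optional[Tuple[str, int]]:
    """Parse 'PORT h1,h2,h3,h4,p1,p2' (RFC 959). Returns (ip, port) or None."""
    parts = cmd.strip().split(None, 1)
    if len(parts) != 2 or parts[0].upper() != "PORT":
        return None
    fields = parts[1].split(",")
    if len(fields) != 6 or not all(f.isdigit() and int(f) <= 255 for f in fields):
        return None
    h = [int(f) for f in fields]
    return ".".join(map(str, h[:4])), h[4] * 256 + h[5]


def naive_ftp_alg(fw: Firewall, control_peer_ip: str, server_ip: str, cmd: str) -> bool:
    """Buggy ALG: trusts the address inside the command and opens it to any source."""
    target = parse_port(cmd)
    if target is None:
        return False
    ip, port = target
    fw.pinholes.add(("*", 0, ip, port))
    return True


def hardened_ftp_alg(fw: Firewall, control_peer_ip: str, server_ip: str, cmd: str) -> bool:
    """ALG that only opens what the control connection already proved."""
    target = parse_port(cmd)
    if target is None:
        return False
    ip, port = target
    if ip != control_peer_ip or port <= 1023:  # peer's own address, no well-known ports
        return False
    fw.pinholes.add((server_ip, 20, ip, port))  # only server:20 -> client:port
    return True


FTP_SERVER = "10.0.0.10"      # constructed addresses
INTERNAL_HOST = "10.0.0.5"
CLIENT = "203.0.113.7"
EVIL_PORT = "PORT 10,0,0,5,0,22"        # asks the ALG to open 10.0.0.5:22
GOOD_PORT = "PORT 203,0,113,7,156,64"   # 156*256+64 = 40000, the client's data port


def run(alg) -> dict:
    fw = Firewall({(FTP_SERVER, 21)})   # static policy: only FTP control traffic
    evil = alg(fw, CLIENT, FTP_SERVER, EVIL_PORT)
    good = alg(fw, CLIENT, FTP_SERVER, GOOD_PORT)
    return {
        "evil_port_accepted": evil,
        "good_port_accepted": good,
        # attacker reaching an internal SSH port through the ALG's hole
        "ssh_from_internet": fw.allows(Packet(CLIENT, 40001, INTERNAL_HOST, 22)),
        # legitimate active-mode data connection from the FTP server
        "data_from_server": fw.allows(Packet(FTP_SERVER, 20, CLIENT, 40000)),
        # a third party trying to ride the client's data pinhole
        "data_from_stranger": fw.allows(Packet("198.51.100.9", 20, CLIENT, 40000)),
    }


if __name__ == "__main__":
    for name, alg in (("naive", naive_ftp_alg), ("hardened", hardened_ftp_alg)):
        print(name, run(alg))
```

Running the script prints both outcomes. Note that the packet filter itself is the same in both runs and is never “exploited”; the only difference is how carefully the ALG turns untrusted bytes on the control channel into pinholes, which is the whole argument in miniature.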
So, when considering how to protect your data please do not cut corners. Evaluate your data distribution and dissemination, consider your architecture, determine which controls will increase efficiency while increasing security, and then deploy those controls so that they augment each other effectively.
Go forth and do good things,
Cutaway
December 2nd, 2007 at 1:46 am
How do we stop this? Couldn’t a tool be made, like a special router, that could be used to stop all this nonsense in and out of our systems...
Thanks,
Bill
December 2nd, 2007 at 4:43 pm
Bill,
I’m not sure you get the point I am trying to convey. This might be because of my poor use of a quote (yes, I did noticed), your guerrilla marketing of your site (yes, I did notice), or just straight up miscommunication.
Basically, what I am trying to say is that we need to get away from trying to lump everything onto one box. At times it does make sense because of cost, either monetary or in man-hours. But people need to remember that the added complexity in these devices may increase the risks the controls are trying to address.
I hope that helps.
Go forth and do good things,
Don C. Weber
December 3rd, 2007 at 12:54 pm
Cutaway, good post my friend. We need to encourage each other not to just accept something b/c it is the latest technology and/or the best practice. I’m also not a big fan of UTM for the same reason that you list here. If one piece gets compromised then you are in bigger danger of having everything bypassed. Not only that, but the single point of failure is an issue. It’s one thing if you lose an IPS b/c the power supply goes out. It’s another if that IPS is also attached to your firewall, email scanner, etc. Now you are totally down.
December 8th, 2007 at 5:16 pm
In fact, firewalls were made to protect the different network segments or zones from each other by controlling who is supposed to talk to whom using which protocol or application.
But later on, applications such as FTP, SIP, etc. started to open dynamic ports, and firewalls were forced to evolve and become more application aware. On the other hand, proxy firewalls such as MS ISA - I know it’s a piece of crap - but such firewalls were able to see the application layer, add rules to prevent people from downloading ZIP and MP3 files, inspect SMTP for spam, etc. So firewall vendors were forced to compete with them in this, especially since such proxy firewalls are popular in SOHO and SMB networks. And I think this is when UTM came to life. Vendors also competed with each other and each vendor wanted to have more features in his data sheet, and I think we are going to see vendors announcing that their firewalls are the first to market with built-in coffee makers.
I can agree with what you wrote here sometimes. For an ISP’s data centre or a large multinational company this can be true. Having an all-in-one box is not the best choice. But when it comes to normal mid-range enterprises they can have a UTM, and in such a case having two layers of clustered UTMs from different vendors can protect them when complexity leads to a vulnerability in one box.