Security Ripcord


Tipping the King, Resetting the Board

December 13th, 2007 cutaway Posted in Firewalls, IDS, Management, Risk, Security, Security Vendors, UTM 3 Comments » 4,044 views

I have to concede to Chris on several points of his latest post. I do so because:

  1. He definitely has more experience than I do deploying a variety of controls in a variety of environments of varying size.
  2. He definitely has more experience than I do speaking to the capabilities of these controls and providing comprehensive and understandable analogies and examples.
  3. He definitely has more time than I do to correlate and integrate free and expensive, disparate and concise literature and case studies to fuel his analogies and examples and to employ them in a variety of circumstances.

After all, it is what he does for a living. And he is very good at it. That is why he is listed in my blogroll and in the majority of the blogrolls associated with my daily information security firehose. Hell, it is why he can list articles in many hard- and soft-copy information security publications.

Me, on the other hand, I am a security professional wielding my experiences and knowledge to the best of my ability to provide my employers and customers with the same level of service Chris provides, despite my limitations due to time in service. I use my experiences with technology, interactions, and introspection to form my conclusions and present them as the very best solution for the situation. I will personally guarantee the deployment of every one of my recommendations and provide mitigation suggestions when it is, as we know it will be, circumvented, exploited, outdated, outclassed, obsolesced, ineffective, unmanageable, flappable, overly expensive, or just plain wrong. In other words, I am confident and I am willing to make mistakes because I can fix them, and the majority of the time I will not make them again.

I truly think that this whole blogging interaction started because of my attempt to be flamboyant about the topic to draw attention to it. Unfortunately, as most gussied up topics do, the central point of the discussion was lost for a while. Luckily, in his last post, Chris brought it back around. Let me try to talk about my point in very plain English.

I have a problem with vendors who are developing products that provide many security controls on one system (not UTMs; I’m talking about firewalls performing a combination of spam detection, anti-virus, protocol analysis, data evaluation, and whatever else the vendor thinks will sell) and selling it as the ultimate solution for the perimeter of a company’s infrastructure. I have a problem with these solutions because the technologies they are combining on one system are not simple applications. They are robust technologies with a lot of complexity, and I am afraid that the vendors will not take the interoperability of these technologies into consideration before they push them to market. I would much rather recommend to my employers and customers that we limit the utilization of such technologies to select portions of the internal network where they can provide the most value with the least concern. I feel much better placing tried-and-true, relatively simple controls at the locations associated with high risk. I don’t have foolproof examples. I don’t have case studies to back up my hypothesis. I have my feelings and opinions. And, actually, since I am not dealing with Fortune 500 CEOs, CTOs, CISOs, and patent-producing, PhD-wielding end users, I don’t really need them. In the realm of the small, limited-budget network, my feelings and opinions have been, to this point, sufficient.

Next, I don’t think I have a problem with purchasing a UTM to provide a combination of spam detection, anti-virus, protocol analysis, data evaluation, and whatever else the vendor thinks will sell, because I believe that UTM developers have taken the complex nature of these technologies into consideration. I was hoping that somebody I know would respond by telling my, and their, readers whether or not UTM solutions are better than the “all-in-one” firewall solution advertised in the DarkReading article, and why. If I had to guess, because of my aforementioned lack of UTM experience, I would think that UTMs separate the responsibilities in much the same manner as role-based control.

Can anybody answer this question for me? It is all I really wanted out of the whole conversation.

So, Chris, I lay my King down so that we may reset the board and start the next conversation fresh. I think you are correct when you say that I need to provide more clarifying evidence during my conversations. I will take it to heart as much as I can in my day-to-day security-related duties. I’ll even attempt to do so in my blogging. But, as my blog is more for personal edification, education, and venting, I have a feeling that a few misguided and ill-informed opinions will slip in from time to time.

Go forth and do good things,

Don C. Weber


Quit Complicating Our Controls – UTM Remix

December 10th, 2007 cutaway Posted in Firewalls, Management, Uncategorized, UTM 5 Comments » 4,729 views

I had a good comment from Tarek on the original Quit Complicating Our Controls post.

In fact, firewalls were made to protect the different network segments or zones from each other by controlling who is supposed to talk to whom using which protocol or application.

But later on, applications such as FTP, SIP, etc. started to open dynamic ports, and firewalls were forced to evolve and become more application aware. On the other hand, proxy firewalls such as MS ISA – I know it’s a piece of crap – but such firewalls were able to see the application layer, add rules to prevent people from downloading ZIP and MP3 files, inspect SMTP for spam, etc. So firewall vendors were forced to compete with them in this, especially since such proxy firewalls are popular in SOHO and SMB networks. And I think this is when UTM came to life. Vendors also competed with each other and each vendor wanted to have more features in his data sheet, and I think we are going to see vendors announcing that their firewalls are the first to market with built-in coffee makers.

I can agree with what you wrote here sometimes. For an ISP’s data centre or a large multinational company this can be true. Having an all-in-one box is not the best choice. But when it comes to normal mid-range enterprises they can have a UTM, and in such a case having two layers of clustered UTMs from different vendors can protect them when complexity leads to a vulnerability in one box.

I wanted to cover this because UTM is actually a different animal than what I was originally addressing. Although I do not have any experience with Unified Threat Management, as a blogger I don’t feel ashamed jumping into it. I am sure that Chris Hoff, Rich Mogull, Lori MacVittie, Andy Willingham, or Alan Shimel will correct me if I am misguided.

Application firewalls have their own unique places. True, they definitely should not be lumped onto the controls you are using to separate your environments. But application firewalls serve the purpose of, to use the terms loosely, deep-packet inspection and correlation directly associated with that specific application. These controls should be deployed directly in front of the application or application farm so that they can provide the most protection.

Now, as I mentioned, UTMs are a different animal. They are taking the controls we are talking about separating and, although placing them on one device, keeping them separate. I imagine that when deployed correctly no one component of the system has administrative access to the complete system. UTMs should be deployed so that while working the controls in parallel they are also passing the information off to controls that operate within their role with lesser privileges than the central system. So, technically, in the spirit of my original argument, UTMs are acting correctly. We do get back to the whole single-point-of-failure issue, but that can be addressed by high availability.

Tarek, I think the real trap you are falling into is expanding the cost of your security controls by recommending separate UTMs within the same environment. Now, I do agree that having two would help reduce some risk, but not enough to offset the cost of the system, its installation, the training of employees, documentation of configuration, and many other things involved with deploying a solution. I imagine that deploying a UTM is in and of itself a very complicated task and organizations will have their hands full implementing one. Adding a second would just be cruel. Actually, by making this recommendation, you may be burning your bridges with your management. Remember, your management is going to be evaluating risk against reward and cost as well. If you are making recommendations that SIGNIFICANTLY increase cost and complexity without reducing risk SIGNIFICANTLY, you are running the risk of your management labeling your security group as a liability rather than an asset. Although this may not be true of your organization, I would think twice before making the dual-UTM recommendation.

Go forth and do good things,
Don C. Weber
