RE: [fw-wiz] Worms, Air Gaps and Responsibility

From: Dana Nowell (DanaNowell_at_cornerstonesoftware.com)
Date: 05/19/04

    To: "Paul D. Robertson" <paul@compuwar.net>, Dana Nowell <DanaNowell@cornerstonesoftware.com>
    Date: Tue, 18 May 2004 20:56:40 -0400
    
    

    At 05:28 PM 5/18/2004 -0400, Paul D. Robertson wrote:
    >
    >They're also unlikely to read Firewall-Wizards, and therefore unlikely to
    >get any of the points made...
    >

    Exactly, so none of this filters down to the average guy.

    >
    >However, one of my original points still stands- if we the security
    >community make common practice to question connectivity _at_all_ then it's
    >more likely that such ideas will filter down to those who are interested.
    >

    Some have been doing it for a while; it hasn't worked yet. We can check the
    archives but you've done it, Marcus has, and several others (including me a
    few times). Glaciers move quicker, we need more people and preferably
    people with bigger armaments. If you mean the ENTIRE security community,
    put me in coach. Oh, that's just as soon as we get them to agree as well.

    >[I know a fair number of folks who administer small networks who care
    >about and spend time on security- if "nobody does it" or "nobody gives me
    >a reason to do it" then it doesn't get done, but with peer activity and
    >good rationale, it has a chance of being adopted.]

    Yup, I'm one. Total company staff across all divisions and locations ~35,
    not exactly a huge multinational here. Now that I'm a charter member of
    the club, exactly how much does that increase my clout with vendors and
    customers that have outrageous network requests?

    >
    >I'm going to use a real world example. Two years or so ago, I met a
    >network administrator for a swimming pool company at a conference. They
    >said "I'd like to do more security stuff, but it really doesn't apply, we
    >sell and maintain swimming pools- like $large_name's house,
    >$important_CEO's name's house...."
    >
    >I said "Let me get this straight- you have people driving large trucks
    >full of chlorine with access to $list_of_people's residences, and you
    >don't think you have a good case for security?"
    >
    >Now, does that mean they get to go out, purchase 3 firewalls, 2 AR-15's
    >and a set of frequency hopping bone conductive radios? Nope, but does it
    >mean they can present some useful cases to management that allow them to
    >do *what they really want to do*, which is secure their infrastructure in
    >a sane way? Absolutely.

    Good, exactly what I want. Now instead of you, me, Marcus (inventor of the
    original 'air gap' firewall;), and a half dozen others (OK, a few hundred)
    from the list doing it one on one in a conference bar, how about we target
    several hundred/thousand/million at a clip and make some headway. I just
    need to figure out a way to do it.

    >
    >> network, it is less than useful. I'm willing to bet that the bulk of the
    >> network connections (specifically the more insecure parts of the Internet)
    >> falls into the short term bucket, especially with home use.
    >
    >I'm going to offer a follow-up to "It doesn't have to be our fault to be
    >our responsibility." It doesn't have to be our responsibility for us to
    >try to make it better.
    >
    >> Premise: these networks/hosts will be compromised, as air gaps are unlikely
    >> to be implemented and new technology connected devices will flourish, that
    >> creates a lot of places for bugs to breed.
    >
    >Premise: Every network operator we get to do the right thing[tm] means
    >one less network to produce traffic which attacks us.

    Unfortunately I feel we are creating a hundred networks a day and
    converting ten admins a day; the ship is sinking, captain.

    >
    >> Premise: devices are moving toward interconnectivity via Infrared,
    >> Bluetooth, WiFi, 802.11, and other technologies. Direct peer-to-peer
    >> connectivity between these devices is coming and one day 'soon' walking
    >> down the street with one in your pocket will cause tens or hundreds of
    >> connections to be attempted/created/broken, with all the inherent risks.
    >
    >Premise: When this becomes a real risk, we'll get real solutions.

    I fear that soon we will be leaking faster than we can bail. Add in the
    time for answers to filter down to the common folk and it ain't looking
    good. I've been around awhile, so have you if I remember right. I think
    about the industry when I started to now and the level of change is scary.
    Then I think of the level of change (threats) in say the last 5 years, very
    scary. It's going faster and faster, we will need a REALLY big bailing
    bucket in about 10 years.

    >
    >> Premise: security typically lags functionality as new technology rolls out
    >> (palms get synced to desktops before security knows a palm is in the
    >> building in most companies).
    >
    >Premise: New technologies aren't attacked at the same rate as current
    >technologies, and therefore need less protection.
    >

    Counter premise: we are creating them at a faster rate, law of large
    numbers will still soon apply.

    >> Conclusion: Air gaps will not solve the problem as large breeding grounds,
    >> device connectivity, and security lag will allow networks to be
    >> compromised. At best air gaps are another stop gap measure, which is
    >> certainly better than nothing. but not much.
    >
    >Fact: If the network can be attacked via a foreign device, it doesn't have
    >an air gap. That doesn't make air gaps less effective. That's like
    >saying "If I ran Windows in an X86 emulator on my Sparc, it'd be as
    >vulnerable as Windows!" Air gaps are effective protection devices.

    Never intended to argue air gaps aren't effective, intended to argue that
    the definition of air gap changes and that business demands will cause
    bridging (i.e., not effective long term). Consequently it is like every
    other tool in our belt. Theoretically proxies work just fine, if they
    greatly restrict what you can do and validate all the input. They don't
    always work in practice because people don't do that and they always need
    another hole through the wall or another application running over HTTP. Air
    gaps will work well, until devices cross the gap because we didn't notice
    (or have a choice). When we notice the device will be ingrained into the
    business process and we will not be able to stop it at the door. Then we
    cobble together something just like always and start searching for the next
    evolution of the tool.

    >
    >I've worked in places where you couldn't take a pager, camera, laptop, or
    >whatever else into the facility. The air gap there was particularly
    >effective.
    >
    >> Whine: The security professionals in the Internet community need to take a
    >> longer view. Until we 'solve' the problem for the average guy playing a
    >> short term game (or at least greatly reduce his risk) we can't really solve
    >> the issue in our own networks, we can only play technology catch-up. We
    >
    >Counter-Whine: You can't dismiss strategic thinking then say we need to
    >take a longer view!

    Not my point, I was claiming the 'strategic thinking' wasn't strategic
    enough (in fact I'm not sure it is strategic, really). Strategic thinking
    that claims people need to understand their critical infrastructure vs.
    their non critical and they need to understand the concept of air gaps
    across technology that doesn't exist yet and enforce all that, only works
    for the best and brightest not the average guy. It also is not truly long
    term strategic thinking, IMO, more like medium term. Why, because it will
    eventually fail, maintaining a true air gap is difficult and requires
    complex planning, not good.

    I want to expand the pool to a broader base, not just critical 'national'
    or 'large company' infrastructure but critical small company
    infrastructure. Why, because those guys become government contractors and
    contractors to large companies. A knowledge based economy can mean a
    critical VPN to a one guy shop to debug a showstopper production problem.
    This is especially true in the financial sector when an overnight delay can
    cost millions. I can assure you that if it is 'bridge the air gap' or be
    out several tens of millions each day, someone WILL walk into your office
    (been there, seen that).

    So does the air gap improve the situation, yes, production problems do not
    occur every day and new technology devices do not sneak in everyday. Is
    the air gap practical, certainly for large corporations, probably for
    medium corporations, only somewhat for smaller corporations, and not
    practical for homes, IMO. Is a device taken home going to find its way
    onto a production network, you bet.

    I'm not trying to say that air gaps are bad. I DO think the discussion is
    good. In fact any discussion that educates people to improve security is
    worth my time. But I am old enough to remember having similar discussions
    about proxies, so are you.

    >
    >> need to be involved either via this list or another mechanism in helping
    >> set device/protocol 'best practices' and beating vendors about the head
    >> until they do it, so security is designed in rather than cobbled on. We
    >
    >Nobody's willing to pay for security to be designed in, can't win that
    >battle.
    >

    But I want to eat my cake and have it too :-). Seriously, this could be as
    small as banning or walling bad protocols from production systems due to
    published 'best practices'. Tell me this isn't a requirement of 'air gap'
    or better yet, explain your air gap if the production environment requires
    integrated bluetooth or 802.11 protocols :-). Sometimes it helps the small
    guy to have a published 'best practices' document to hit the boss on the
    head with. If enough people do it, the market will respond. If it's me,
    you, and the dozen other list members that are pains in the vendor's butt,
    we'll lose.

    Now the have my cake and eat it part: let's make the 'best practices' list
    bigger. There is a boat load of IQ points and experience here, we ought to
    be able to see if it is practical or if diverse requirements kill it. How
    many people on this list? If we could create a 'best practices' suite
    (small business, home, large corp, critical infrastructure, ...) and say
    30% of the list signs on to pound vendors and bosses about the head with it
    as circumstances permit, wouldn't that broaden the discussion base and
    improve security education and hopefully the state of network security?
    (OK, so I like to dream big)

    >> need to concentrate on how we solve the political/corporate/vendor issue
    >> and not the technical issue because the technical issue isn't soluble (not
    >> that the political issue is, but we might get more bang for the effort
    >> buck). Basically I'm damned tired of fighting the same war and upgrading
    >> from a rock to a knife to a dagger to a sword to a flintlock to a ... So
    >> air gaps are nice, but in the long run, it's just another musket, one that
    >> will be circumvented by targeting devices difficult to air gap (PDAs
    >
    >The original message wasn't about airgapping desktops, it was about
    >airgapping non-user production networks, such as power distribution
    >systems, medical equipment (think a CAT scanner should be on
    >the same network as the person in the mail room at the hospital?)
    >

    No but at some point the CAT scanner will be on the same network that the
    tech's diagnostic computer is on, and where was that last? Or are you
    saying that every CAT scanner installed will have a dedicated diagnostic
    computer and that media with diagnostic software upgrades will be vetted
    before being allowed to cross the air gap (remember the difficult to
    maintain, complex planning comment)?

    And last I checked some desktops exist in production areas, like monitoring
    systems and operator consoles. I never intended to imply it was the mail
    clerk's desktop. How about we make it the operator's desktop and he wants
    to download a log to take and study. He does it via his new whizbang toy
    that is not on this week's list of 'leave that device at the door before
    you enter' devices. You know, the one he plugged into his home network
    this morning to download some mail to read on break, oops.

    >> syncing to desktop?). Before you ask, no I don't have a plan. Like most
    >> in a small company I spend 95% of my day digging a deeper foxhole and
    >> looking over the latest in flintlock design. We have a lot of bright
    >> people here and we ought to be using those IQ points for the long term
    >> instead of designing today's Mark XII network rock.
    >
    >Just like they're not appropriate for user networks where you can't
    >enforce device additions, they're appropriate for sets of networks in lots
    >of organizations. In my mind, air gaps are more effective than buying and
    >deploying IPS (you want a new flintlock?) for a large number of networks.
    >

    Yes, it is a good tool. So were proxies for the time they lasted and the
    next tools will be even better, I'm sure of it. Face it, air gaps as a
    strategy have been around for a LONG time, Marcus' trademarked wirecutter
    'air gap' firewall (just don't connect it, oh wait ...) and Proxies, 'the
    software air gap', to name a couple. All good tools in their time. But
    each was only the next evolution in tools, education wins over tools every
    time in my opinion, that whole teach a man to fish concept (but then I'm an
    old stubborn pain in the ass). Plus the more educated the boss becomes the
    less hassle we get when we say, "No you are not connecting that to the
    network" to someone. The more educated the vendors become the more
    selection of toys we have. The more educated admins get, the more voices
    in the choir singing to bosses and vendors. (Like I said, dream big)

    If we do not find some effective way of slowing this mess down, the boat
    will be swamped and the bailing bucket WAY too small. Maybe education as a
    long term solution is a dream, maybe not. I can assure you that air gaps
    won't cut it long term, good in theory but bad in practice is my call on
    that. If you are going to think in the strategic space, do it long term,
    tackle the hard problem. We have lots of talent here, is anyone else
    better qualified to attack the problem with a ten or twenty year view?

    >Sure, protocol and vendor issues abound, but so do the basic network
    >design issues that are able to negate large swaths of protocol and vendor
    >issues. We've touched on some of them in this thread, like inter-machine
    >communication, separation, segmentation, per-class networking, etc. One
    >answer isn't going to get us where we want to go any more than one vehicle
    >is going to make everyone happy on the road. What we can do is ensure
    >that mopeds don't go on freeways, skateboards aren't used inside the
    >office and that people pull over for emergency vehicles. We won't get
    >100% compliance, but we'll get navigable roads and we can ticket the
    >offenders. We can also deal with people who're not doing what the rest of
    >us are doing by making them liable for their actions, or ensuring they
    >need to be insured beyond what the rest of us are- either way is
    >effective.
    >

    So let's write this stuff down and use it to educate the masses or at least
    the masters (and those insurance companies and contract departments). Find
    a way to give it to the little guy in the foxhole so he can be enlightened
    and enlighten others. I'm not against air gaps, I'm against magic bullets
    (OK, maybe not education). I'm against being handed a new tool and being
    told either 'trust me it solves the problem' or 'well, it is the best we
    can do'. I'm too old and been around too long to believe the former and
    I'm way too fed up and see way too much future acceleration in problems to
    accept the latter as sufficient.

    We need a better plan. For lack of something better, I always fall back to
    education (although contract liability is good too;). We just need a way
    to avoid glacial pace education, some way to make a dent either in vendors
    that produce trash or admins/consumers that buy/connect trash. I'm not
    sure 'best practices' is it but I'm willing to steal^H^H^H^H^H borrow a
    good idea from anyone on the list. I'm not even sure education is it, I'm
    open to ANY effective LONG TERM strategic plan. But I'm just not excited
    about the new tool, I'll wait for next month's upgrade.

    -- 
    Dana Nowell     Cornerstone Software Inc.
    Voice: 603-595-7480 Fax: 603-882-7313
    email: DanaNowell_at_CornerstoneSoftware.com
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    
