Rational Survivability

I’m picking on NAC in the title of this entry because it will drive
Alan Shimel ape-shit and NAC has become the most over-hyped hooplah
next to Britney’s hair shaving/rehab incident…besides, the pundits come a-flockin’ when the NAC blood is in the water…

Speaking of chumming for big fish, love ’em or hate ’em, Gartner’s Hype Cycles do a good job of allowing
one to visualize where and when a specific technology appears, lives
and dies
as a function of time, adoption rate and utility.

We’ve recently seen a lot of activity in the security space that I
would personally describe as natural evolution along the continuum,
but is often instead described by others as market "consolidation" due to
saturation. 

I’m not sure they are the same thing, but really, I don’t care to argue
that point.  It’s boring.  It think that anyone arguing either side is
probably right.  That means that Lindstrom would disagree with both. 

What I do want to do is summarize a couple of points regarding some of
this "evolution" because I use my blog as a virtual jot pad against which
I can measure my own consistency of thought and opinion.  That and the
chicks dig it.

Without my usual PhD Doctoral thesis brevity, here are just a few
network security technologies I reckon are already doomed to succeed as
features and not markets — those technologies that will, within the
next 24 months, be absorbed into other delivery mechanisms that
incorporate multiple technologies into a platform for virtualized
security service layers:

1. Network Admission Control
2. Network Access Control
3. XML Security Gateways
4. Web Application Firewalls
5. NBAD for the purpose of DoS/DDoS
6. Content Security Accelerators
7. Network-based Vulnerability Assessment Toolsets
8. Database Security Gateways
9. Patch Management (Virtual or otherwise)
10. Hypervisor-based virtual NIDS/NIPS tools
11. Single Sign-on
12. Intellectual Property Leakage/Extrusion Prevention

…there are lots more.  Components like gateway AV, FW, VPN, SSL
accelerators, IDS/IPS, etc. are already settling to the bottom of UTM
suites as table stakes.  Many other functions are moving to SaaS
models.  These are just the ones that occurred to me without much
thought.

Now, I’m not suggesting that Uncle Art is right and there will be no
stand-alone security vendors in three years, but I do think some of this
stuff is being absorbed into the bedrock that will form the next 5
years of evolutionary activity.

Of course, some folks will argue that all of the above will just all be
absorbed into the "network" (which means routers and switches.)  Switch
or multi-function device…doesn’t matter.  The "smoosh" is what I’m
after, not what color it is when it happens.

What’d I miss?

/Hoff

(Written from SFO Airport sitting @ Peet’s Coffee.  Drinking a two-shot extra large iced coffee)

I’m traveling to Northern California on Sunday for a week of customer visits and speaking engagements in Walnut Creek, San Jose and San Francisco.  If anyone wants to get together for a bite or some brew, let me know!  Ping me at choff [at] crossbeamsys.com or leave a comment here and we’ll connect.

Many of the people I’d expect to meet up with are actually attending a supah-sekreet security get-together with me, so it would be a great time to coordinate a mash-up because there’s a fantastic group of people just waiting to exercise their expense accounts and bail money stash.

It worked out in reverse well enough for Mogull, so I figured I’d give it a shot. 😉

Thursday and Friday are better days.

/Hoff

It’s not the sordid tale of lust, information security and circus midgets you might have been expecting from the title, but instead the highlights of a couple of evenings spent entertaining a wayward analyst soul from Phoenix.

Rich Mogull, Gartner analyst and data protection mercenary, was in town for a couple of evenings, and I played cruise ship entertainment director.  It’s what I do.  If a fellow blogger or security wonk comes to my town, has a few minutes to spare, it’s my self-appointed duty to make damned sure they have a good time.

I’m all about the full disclosure.  It’s how we roll. 

As Rich so kindly nominated me for "Best Host for Security Geeks in Boston" I must suggest that he plays the role of visiting team quite well.  Damned good head on his shoulders, fun dude to talk with and listen to, and should you ever need saving on the side of a snow-covered mountain, it seems that he’s all you’ll ever need.

We had a great dinner at the Naked Fish (which incidentally has nothing to do with my tattoos,) and then ended up closing that down in favor of the hotel bar in Bedford in which we most certainly were the worst dressed amongst the crowd.  We executed on the wild tech. guy role very well using every free napkin in the house to scribble the solutions to every known security problem currently defined.

I called Shimmy because whilst late, I suggested I could do his podcast drunk with Rich adding beatbox sound effects in the background.  Alan listened to me ramble for 10 minutes before he asked "Who the hell is this!?"

The next night we hit BeanSec! and hooked up with Mike Murray, 78% of Veracode’s employees (except for Wysopal who is now finally too l33t to hang with us) and 46% of Crossbeam’s staff.

I tried for an analyst trifecta:

Jaquith was invited but he was in Utah gettin’ all Mormon’d up.  Rothman was, well, not there because BeanSec! is not pragmatic enough.  Stiennon was busy securing the network fabric of the entire nation state of Haiti and nobody @ IDC would answer my calls.  Ah well.

Despite that, a good time was had by all.

Good seeing you, Rich.  Come back sometime…as soon as you add me to your BlogRoll, that is. 😉

/Hoff

(P.S. Just to be clear, a "Grassy Knee" is one of the specialty drinks at the Enormous Room in Cambridge where we hold BeanSec!  along with the "Bad Babysitter" and "God in Little Pieces."  Any other imaginative definition is your own fault, you perv.  That is all.)

Bloody Hell!

The article below is dated today, but perhaps this was just the TechTarget AutoBlogCronPoster gone awry from 2004? 

Besides the fact that this revelation garners another vote for the RationalSecurity "Captain Obvious" (see right) award, the simple fact that XML gateways as a stand-alone market are being highlighted here is laughable — especially since the article clearly shows the XML Security Gateways are being consolidated and bundled with application delivery controllers and WAF solutions by vendors such as IBM and Cisco.

XML is, and will be everywhere.  SOA/Web Services is only one element in a greater ecosystem impacted by XML.

Of course the functionality provided by XML security gateways are critical to the secure deployment of SOA environments; they should be considered table stakes, just like secure coding…but of course we know how consistently-applied compensating controls are painted onto network and application architectures. 

The dirty little secret is that while they are very useful and ultimately an excellent tool in the arsenal, these solutions are disruptive, difficult to configure and maintain, performance pigs and add complexity to an already complex model.  In many cases, asking a security team to manage this sort of problem introduces more operational risk than it mitigates. 

Can you imagine security, network and developers actually having to talk to one another?!  *gasp*

Here is the link to the entire story.  I’ve snipped pieces out for relevant mockery.

ORLANDO, Fla. — Enterprises are moving forward with service
oriented architecture (SOA) projects to reduce complexity and increase
flexibility between systems and applications, but some security pros
fear they’re being left behind and must scramble to learn new ways to
protect those systems from Web-based attacks.

<snip>

"Most network firewalls aren’t designed to handle the latest
Web services standards, resulting in new avenues of attack for digital
miscreants, said Tim Bond, a senior security engineer at webMethods
Inc. In his presentation at the Infosec World Conference and Expo, Bond
said a growing number of vendors are selling XML security gateways,
appliances that can be plugged into a network and act as an
intermediary, decrypting and encrypting Web services data to determine
the authenticity and lock out attackers.

"It’s not just passing a message through, it’s actually taking
action," Bond said. "It needs to be customized for each deployment, but
it can be very effective in protecting from many attacks."

Bond said that most SOA layouts further expose applications by
placing them just behind an outer layer of defense, rather than placing
them within the inner walls of a company’s security defenses along with
other critical applications and systems. Those applications are
vulnerable, because they’re being exposed to partners, customer
relationship management and supply chain management systems. Attackers
can scan Web services description language (WSDL) — the XML language
used in Web service calls — to find out where vulnerabilities lie,
Bond said.

<snip>

A whole market has grown around protecting WSDL, Bond said.
Canada-based Layer 7 Technologies Inc. and UK-based Vordel are
producing gateway appliances to protect XML and SOAP language in Web
service calls. Reactivity, which was recently acquired by Cisco Systems
Inc. and DataPower, now a division of IBM, also address Web services
security.

Transaction values will be much higher and traditional SSL,
security communications protocol for point-to-point communications,
won’t be enough to protect transactions, Bond said.

<snip>

In addition to SQL-injection attacks, XML is potentially
vulnerable to schema poisoning — a method of attack in which the XML
schema can be manipulated to alter processing information. A
sophisticated attacker can also conduct an XML routing detour,
redirecting sensitive data within the XML path, Bond said.

Security becomes complicated with distributed systems in an
SOA environment, said Dindo Roberts, an application security manager at
New York City-based MetLife Inc. Web services with active interfaces
allow the usage of applications that were previously restricted to
using conventional custom authentication. Security pros need new
methods, such as an XML security gateway to protect those applications,
Roberts said.

<snip>

Yo!  BeanSec! 7 is upon us.

BeanSec! is an informal meetup of information security professionals, researchers
and academics in the Greater Boston area. Unlike other meetings, you
will not be expected to pay dues, “join up”, present a zero-day
exploit, or defend your dissertation to attend.

Map to the Enormous Room in Cambridge. 

Enormous Room: 567 Mass Ave, Cambridge 02139

The CeBIT show produces yet another gem for Das Blog today.   It harkens  references to that  Seinfeld episode regarding the Soup, um, Dictator (don’t want to offend my German friends.)  This time, it’s not about Soup.  It’s about good ol’ atmosphere.

A German company has produced a fire prevention system called OxyReduct that functions by reducing the amount of oxygen in a data center.  When Oxygen content hits a certain level, things don’t burn. 
Sounds simple, eh.  It’s a prevention system because it inhibits combustion, not contain/suppress it like Halon/FM-200/Inergen.

Wagner Alarm and Security Systems claims that they can reduce the percentage of oxygen from the normal 21% to 15% where even cables won’t ignite.  You can read how via the link above.

Interestingly, they suggest that 13-17% oxygen corresponds to a human-tolerable working condition as approved by "unions."  Well, they are Germans…I suppose this is accurate if your definition of "safe" or "tolerable" does not include the need to breathe without gasping.

I just returned from climbing Mt. Meru (~15,000 feet) and Mt. Kilimanjaro (~20,000 feet) and may I suggest that the effects of even mild altitude sickness is unpleasant at the best case and includes projectile vomiting (from multiple orifices) and migraines at the worst.  Luckily, I didn’t suffer from any of these symptoms, but many an Austrian tourist I witnessed was not particularly happy without their Diamox tablets.

There’s not much in the way of "’acclimatization" that a data center employee can go through before a shift in the ol’ NOC, so I’m very interested in hearing from anyone who’s spent anytime in a low oxygen environment trying to administer critical infrastructure.

By the way, the supposed low-oxygen environment didn’t work out too well in this blog entry I titled "Ode to a Suppressant."

/Hoff

I got an email reminder from my buddy Grant Bourzikas today pointing me to another virtualized security solution for servers from Reflex Security called Reflex VSA.  VSA stands for Virtual Security Appliance and the premise appears to be that you deploy this software within each guest VM and it provides what looks a lot like host-based intrusion prevention functionality per VM.

The functionality is defined thusly:

Reflex VSA solves the problem that traditional network security such as
IPS and firewall appliances currently can not solve: detecting and preventing attacks within a virtual server. Because Reflex VSA runs as virtualized
application inside the virtualized environment, it can detect and mitigate
        threats between virtual hosts and networks.

Reflex VSA Features:
        • Access firewall for permission enforcement for intra-host and external network
           communication
        • Intrusion Prevention with inline blocking and filtering for virtualized networks
        • Anomaly, signature, and rate-based threat detection capability
       
        • Network Discovery to discover and map all virtual machines and applications
        • Reflex Command Center, providing a centralized configuration and management
           console, comprehensive reporting tools, and real-time event aggregation and
           correlation   

It does not appear to wrap around or plug-in to the HyperVisor natively, so I’m a little confused as to the difference between deploying VSA and whatever HIPS/NIPS agent a customer might already have deployed on "physical" server instantiations.

Blue Lane’s product addresses this at the HyperVisor layer and it would be interesting to me to have the pundits/experts argue the pros/cons of each approach. {Ed. This is incorrect.  Blue Lane’s product runs as a VM/virtual appliance also.  With the exposure via API of the hypervisor/virtual switches, products like Blue Lane and Reflex would take advantage to be more flexible, effective and higher performing.}

I’m surprised most of the other "security configuration management" folks haven’t already re-branded their agents as being "Virtualization Compliant" to attack this nascent marketspace. < :rolleyes here: >

It’s good to see that folks are at least owning up to the fact that intra-VM communications via virtual switches are going to drive a spin on risk models, detection and mitigation tools and techniques.  This is what I was getting at in this blog entry here.

I would enjoy speaking to someone from Reflex to understand their positioning and differentiation better, but isn’t this just HIPS per VM?  How’s that different than firewall, AV, etc. per VM?

/Hoff

Infoworld ran an interesting article on John Thompson’s recent CeBIT keynote in which he took a shot at Microsoft by suggesting that there is an inherently "…huge conflict of interest for one company to provide both an operating platform and a security platform."

I suppose that opinion depends upon whether or not said company suggests that their security controls are all that are needed to secure said operating system or that defense in depth is not needed.

Here’s why I find this statement interesting and I am going to twist it by agreeing with the statement within the context of the same argument pertaining to Cisco as an extension to the many, many articles I have already written on this topic.

Given just the last rash of vulnerabilities in Cisco’s routing, switching and security products a few weeks ago, I believe it’s also a mistake (you can read "conflict of interest" if you desire) for Cisco (le fox) to protect the network (le chicken.)  That’s the same argument of the "operating system" and the "security platform."

I think it’s simply not relevant or appropriate to simply shrug off issues like this just because of Cisco’s size and the apparent manifest destiny associated with security "going into the switch" — just because it does and more than likely will — does not mean it should and does not mean that people will settle for "good enough" security when the network consistently fails to self-defend.

I don’t disagree that more and more security *will* make it’s way into the network switches, much like I don’t disagree that the sun will rise in the east and set in the west, but much in the same way that folks don’t just give up and go to sleep once the sun goes down, the lightbulb that goes on in my head suggests there is a better way.

/Hoff

Greg Ness from Blue Lane and I have known each other for a while now, and ever since I purchased Blue Lane’s first release of products a few years ago (when I was on the "other" side as a *gasp* customer) I have admired and have taken some blog-derived punishment for my position on Blue Lane’s technology.

I have zero interest in Blue Lane other than the fact that I dig their technology and products and think it solves some serious business problems elegantly and efficiently with a security efficacy that is worth its weight in gold.

Vulnerability shielding (or patch emulation…) is a provocative subject and I’ve gone ’round and ’round with many a fine folk online wherein the debate normally dissolves into the intricacies of IPS vs. vulnerability shielding versus the fact that the solutions solve a business problem in a unique way that works and is cost effective.

That’s what a security product SHOULD do.  Yet I digress.

So, back to Greg @ Blue Lane…he let me know a few weeks ago about Blue Lane’s VirtualShield offering for  VMWare environments.  VirtualShield is the first commercial product that I know of that specifically tackles problems that everyone knows exists in VM environments but have, until now, sat around twirling thumbs at.

In fact, I alluded to some of these issues in this blog entry regarding the perceived "dangers" of virtualization a few weeks ago.

In short, VirtualShield is designed to protect guest VM’s running under a VMWare ESX environment in the following manner (and I quote):

• Protects virtualized servers regardless of physical location or patch-level;
  
• Provides up-to-date protection with no configuration changes and no agent installation on each virtual machine;
  
• Eliminates remote threats without blocking legitimate application requests or requiring server reboots; and
  
• Delivers appropriate protection for specific applications without requiring any manual tuning.

VS basically sits on top of the HyperVisor and performs a similar set of functionality as the PatchPoint solution does for non-VM systems.

Specifically, VirtualShield discovers the virtual servers running on a server and profiles the VM’s, the application(s), ports and protocols utilized to build and provision the specific OS and application protections (vulnerability shielding) required to protect the VM.

I think the next section is really the key element of VirtualShield:

As traffic flows through VirtualShield inside the
hypervisor, individual sessions are decoded and monitored for
vulnerable conditions. When necessary, VirtualShield can replicate the
function of a software security patch by applying a corrective action
directly within the network stream, protecting the downstream virtual
server.

As new security patches are released by software
application vendors, VirtualShield automatically downloads the
appropriate inline patches from Blue Lane. Updates may be applied
dynamically without requiring any reboots or reconfigurations of the
virtual servers, the hypervisor, or VirtualShield.

While one might suggest that vulnerability shielding is not new and in some cases certain functionality can be parlayed by firewalls, IPS, AV, etc., I maintain that the manner and model in which Blue Lane elegantly executes this compensating control is unique and effective.

If you’re running a virtualized server environment under VMWare’s ESX architecture, check out VirtualShield…right after you listen to the virtualization podcast with yours truly from RSA.

/Hoff

Just so you don’t think that I personally dislike Richard Stiennon, allow me to clear that up. 

I like Richard very much.  In fact, I like him a lot more today as I was cleaning up my office and came across these little gems (picture below) which was part of a Christmas (?) gift Richard sent when he was bringing up IT-Harvest (his independent analyst and IT/Security compendium business) and we were a customer…

So not only is Richard useful, witty, smart and (*cough*) handsome, his choice of wine (a Bordeaux) works a lot better than the Scotch he referred to earlier.

Thanks, Richard!

/Hoff