The British Are Coming! In Defense (Again) of the Jericho Forum…
The English are coming…and you need to give them a break. I have.
Back in 2006, after numerous frustrating discussions dating back almost three years without a convincing conclusion, I was quoted in an SC Magazine article titled "World Without Frontiers" which debated quite harshly the Jericho Forum’s evangelism of a security mindset and architecture dubbed as "de-perimeterization."
Here’s part of what I said:
Some people dismiss Jericho as trying to re-invent the wheel. "While the group does an admirable job raising awareness, there is nothing particularly new either in what it suggests or even how it suggests we get there," says Chris Hoff, chief security strategist at Crossbeam Systems. "There is a need for some additional technology and process re-tooling, some of which is here already – in fact, we now have an incredibly robust palette of resources to use. But why do we need such a long word for something we already know? You can dress something up as pretty as you like, but in my world that’s not called ‘deperimeterisation’, it’s called a common sense application of rational risk management aligned to the needs of the business."
Hoff insists the Forum’s vision is outmoded. "Its definition speaks to what amounts to a very technically focused set of IT security practices, rather than data survivability. What we should come to terms with is that confidentiality, integrity and availability will be compromised. It’s not a case of if, it’s a case of when. The focus should be less on IT security and more on information survivability; a pervasive enterprise-wide risk management strategy and not a narrowly-focused excuse for more complex end-point products," he says.
But is Jericho just offering insight into the obvious? "Of course," says Hoff. "Its suggestion that ‘deperimeterisation’ is somehow a new answer to a set of really diverse, complex and long-standing IT security issues… simply ignores the present and blames the past," he says. "We don’t need to radically deconstruct the solutions universe to arrive at a more secure future. We just need to learn how to appropriately measure risk and quantify how and why we deploy technology to manage it. I admire Jericho’s effort, and identify with the need. But the problem needs to be solved, not renamed."
I have stated previously that this was an unfortunate reaction to the marketing of the message and not the message itself, and I’ve come to understand what the Jericho Forum’s mission and its messaging actually represents. It’s a shame that it took me that long and that others continue to miss the point.
Today Mike Rothman commented about NetworkWorld’s coverage of the latest Jericho Forum in New York last week. The byline of the article suggested that "U.S. network execs clinging to firewalls" and it seems we’re right back on the Hamster Wheel of Pain, perpetuating a cruel myth.
After all this time, it appears that the Jericho Forum is apparently still suffering from a failure to communicate — there exists a language gap — probably due to that allergic issue we had once to an English King and his wacky ideas relating to the governance of our "little island." Shame, that.
This is one problem that this transplanted Kiwi-American (same Queen after-all) is motivated to fix.
Unfortunately, the Jericho Forum’s message has become polluted and marginalized thanks to a perpetuated imprecise suggestion that the Forum recommends that folks simply turn off their firewalls and IPS’s and plug their systems directly into the Internet, as-is.
That’s simply not the case, and in fact the Forum has recognized some of this messaging mess, and both softened and clarified the definition by way of the issuance of their "10 Commandments."
You can call it what you like: de-perimeterization, re-perimeterization or radical externalization, but here’s what the Jericho Forum actually advocates, which you can read about here:
De-perimeterization explained
The huge explosion in business use of the Web protocols means that:
- today the traditional "firewalled" approach to securing a network boundary is at best flawed, and at worst ineffective. Examples include:
  - business demands that tunnel through perimeters or bypass them altogether
  - IT products that cross the boundary, encapsulating their protocols within Web protocols
  - security exploits that use e-mail and Web to get through the perimeter.
- to respond to future business needs, the break-down of the traditional distinctions between “your” network and “ours” is inevitable
- increasingly, information will flow between business organizations over shared and third-party networks, so that ultimately the only reliable security strategy is to protect the information itself, rather than the network and the rest of the IT infrastructure
This trend is what we call “de-perimeterization”. It has been developing for several years now. We believe it must be central to all IT security strategies today.
The de-perimeterization solution
While traditional security solutions like network boundary technology will continue to have their roles, we must respond to their limitations. In a fully de-perimeterized network, every component will be independently secure, requiring systems and data protection on multiple levels, using a mixture of
- encryption
- inherently-secure computer protocols
- inherently-secure computer systems
- data-level authentication
The design principles that guide the development of such technology solutions are what we call our “Commandments”, which capture the essential requirements for IT security in a de-perimeterized world.
I was discussing these exact points today in a session at an Institute for Applied Network Security conference (and as I have before here) wherein I summarized this as the capability to:
Take a host with a secured OS, connect it into any network using whatever means you find appropriate, without regard for having to think about whether you’re on the "inside" or "outside." Communicate securely, access and exchange data in policy-defined "zones of trust" using open, secure, authenticated and encrypted protocols.
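As an added illustration of the secured-host idea in the passage above (my own example, not Jericho Forum code; the zones, clearances and addresses are constructed), the two functions below make the same access decision under a perimeter model and under a de-perimeterized one, so you can see where "inside" and "outside" stop mattering:

```python
# Added illustration for the "inside vs. outside no longer matters" point above.
# Not Jericho Forum code; the zones, clearances and addresses are constructed.
import ipaddress
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Zone(IntEnum):
    """Policy-defined zones of trust, ordered by sensitivity (constructed)."""
    PUBLIC = 0
    INTERNAL = 1
    RESTRICTED = 2


@dataclass(frozen=True)
class Request:
    src_ip: str                # where the packet came from
    identity: Optional[str]    # principal proven by e.g. a client certificate, or None
    encrypted: bool            # whether the channel is authenticated and encrypted
    resource_zone: Zone        # zone the requested data lives in


# Perimeter model: anything sourced from the corporate range is trusted.
CORP_NET = ipaddress.ip_network("10.0.0.0/8")  # constructed "inside" range


def perimeter_decision(req: Request) -> bool:
    """Classic inside/outside rule: trust is a property of network position."""
    return ipaddress.ip_address(req.src_ip) in CORP_NET


# De-perimeterized model: each component enforces its own policy on
# (channel properties, authenticated identity, resource sensitivity).
CLEARANCE = {"chris": Zone.RESTRICTED, "guest": Zone.PUBLIC}  # constructed


def deperimeterized_decision(req: Request) -> bool:
    """Trust is earned per request; the source network is never consulted."""
    if req.resource_zone > Zone.PUBLIC and not req.encrypted:
        return False                                # sensitive data only over a protected channel
    if req.identity is None:
        return req.resource_zone == Zone.PUBLIC     # anonymous callers get public data only
    return CLEARANCE.get(req.identity, Zone.PUBLIC) >= req.resource_zone


# Constructed cases: an unauthenticated laptop on the LAN, and Chris with mutual TLS from a cafe.
INSIDE_ANON = Request("10.1.2.3", None, False, Zone.RESTRICTED)
OUTSIDE_MTLS = Request("203.0.113.7", "chris", True, Zone.RESTRICTED)

if __name__ == "__main__":
    for name, req in (("inside, anonymous", INSIDE_ANON), ("outside, mTLS", OUTSIDE_MTLS)):
        print(f"{name:18} perimeter={perimeter_decision(req)!s:5} "
              f"de-perimeterized={deperimeterized_decision(req)}")
```

The perimeter rule lets the anonymous LAN laptop at restricted data and refuses Chris from the cafe; the per-host policy does the opposite, which is the "micro-perimeter" around the data that the rest of the post argues for.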
Did you know that one of the largest eCommerce sites on the planet doesn’t even bother with firewalls in front of its webservers!? Why? Because with 10+ Gb/s of incoming HTTP and HTTP/S connections using port 80 and 443 specifically, what would a firewall add that a set of ACLs that only allows port 80/443 through to the webservers cannot?
Nothing. Could a WAF add value? Perhaps. But until then, this is a clear example of a U.S. company that gets the utility of not adding security in terms of a firewall just because that’s the way it’s always been done.
From the NetworkWorld article, this is a clear example of the following:
The forum’s view of firewalls is that they no longer meet the needs of businesses that increasingly need to let in traffic to do business. Its deperimeterization thrust calls for using secure applications and firewall protections closer to user devices and servers.
It’s not about tossing away prior investment or abandoning one’s core beliefs, it’s about being honest as to the status of information security/protection/assurance, and adapting appropriately.
Your perimeter *is* full of holes so what we need to do is fix the problems, not the symptoms.
That is the message.
So consider me the self-appointed U.S. Ambassador to our friends across the pond. The Jericho Forum’s message is worth considering and deserves your attention.
/Hoff
Okay, maybe I'm missing something again (it's been known to happen). What's the difference between "de-perimeterisation" (to spell it the way our Jericho Forum friends would 😉) and "defence in depth" (ditto)?
Everyone knows you don't rely entirely on the firewall. You do still need it, because there are plenty of things it's still good at stopping. And if you're really paranoid, you don't trust anything else on your own network unless you absolutely have to. So why is this a new concept??
I-am-only-an-egg.
I think their biggest issue is clinging so vehemently to a term that is easily mistaken and easily run with to wild conclusions. They need to just friggen ditch that term.
Once you remove that term, they still offer nothing new. Your example above about firewall or ACL has nothing to do with function and everything to do with semantics. Call it an ACL or a firewall, it's still a choke point and it can still be called a perimeter. Perhaps Jericho would espouse the use of IPS/IDS/WAF on the web servers to protect against malicious code, but what about a firewall that itself does that inspection and just moves it into a common point which just happens to resemble a perimeter?
And yup, the rest is defense in depth.
In the end, I just don't see what the big deal is about what they speak about. It's like taking an emotionally charged word, slapping it onto your very common belief, and creating drama where really there isn't any. And all to what point…? Perhaps thinking a little deeper about what truly gives value towards security…
Honestly, I feel that even with what they want (encryption, inherently secure…), that stuff doesn't mean no perimeter is necessary any more than you don't have to lock your gym locker at a members-only gym…or need guards in a corporate campus. Or trust in a global economy.
I don't know whether to love you for this, or to castigate you for confusing English with British. I guess I should give you the benefit of the doubt, being foreign and everything. I've told you off about your use of language enough recently. 🙂
In all seriousness, The Jericho Forum had it right years ago. I visited Andrew Yeomans at DKW (now DKIB, having previously been DKB) 4 years ago just as he was taking up his post on the management board of the Forum and he was the one who turned me on to a) hating firewalls, and b) loving data security.
I spoke to him again at InfoSec this year and told him this, and he very modestly made it completely clear that he had no idea who I was. In Spain I was a giant amongst men, in my own country I am background noise.
Marvellous.
In reply to shrdlu and LV, the idea isn't to re-invent the wheel, but you could be seen to be arguing a different side of the same coin. Yes, it's JUST defence in depth, but how many people really understand that? The Jericho Forum have been around for many years pushing this idea, bringing down the outer walls so that businesses can exchange information more readily. Microsoft have only just picked up on it, releasing their SISA framework for security information sharing, essentially the same thing again, but from yet another angle – the security is added in layers on top of the business function. It's all the same thing, and it doesn't matter how many different names it has, or who's right or wrong, just that it's being done.
So yes, the term sucks…that much we have established.
But to the most interesting point of your comment, which I think answers your question and goes to the heart of the matter. The current definition of defense-in-depth is taken within the context of the requirement to add layer after layer of defenses BECAUSE the underlying OS, transport and protocols are inherently insecure.
If you have a secure "core," why does one need all these layers? If you had a secure OS and secure applications with mutual authentication and encryption, you wouldn't need a "firewall" (to address the nitpick re: the firewall above.)
So we've already agreed that the notion of de-perimeterization is inappropriate, which is why the notion of re-perimeterization has surfaced. I maintain that "THE" perimeter is indeed going away, but "the" perimeter is not going away, it's multiplying, but the diameter is collapsing.
What I mean is that instead of just "THE" perimeter of inside versus outside, we have micro-perimeters — sometimes down to boundaries demarcated by VLANs, others by hosts and some by the very data we seek to protect.
So the bottom line? "THE" perimeter is just a giant colander that filters out the big chunks. For the most part, you don't need a firewall for that anymore. They don't add much value.
Move on past the terms and it will become clear.
/Hoff
(P.S. As far as I know/care/am aware of:
English = British = Almost Canadian = Civilized Australians
HA!)
BY JOVE! I think he's got it !
Rex Harrison quotes aside, you are exactly right Chris that defense-in-depth is bolt on security due to inherent design flaws at the core. Attempts to secure the core with cumbersome and problematic TOS/MLS implementations mostly failed.
Your explanation of the evolving perimeter is interesting, and I see all of it possible with Trustifier.
For anyone who is not aware, Trustifier is a drop-in kernel module that is a fine-grain, highly modular, audit and control enforcer that provides rule-based access control, role-based access control, domain separation, MAC/MLS and several other security layers in a heterogeneous, networked environment delivering its functions at the TCB kernel level.
In other words, you can create trusted zones that can exist in tandem within a discretionary access control (DAC) infrastructure, where the crown jewels of enterprise data can be kept with greater internal controls.
However, there are a couple of other differences that impact on the realization of de-perimeterization and the role of the firewall.
The firewall in our model "talks" to the trusted server and the client agents to act as an additional layer to prevent data leakage. Since Trustifier decides who and where data can be released to, the firewall can act as a second layer of defense when authorized users deliberately or inadvertently attempt to send sensitive data out of the enterprise.
Trustifier allows straightforward and intuitive, enforceable rules, such as "if Chris opens a doc > sensitivity level 5, then deny use of network card (or any devices such as USB bus)." In this case, the firewall is a second line of defense in preventing leakage.
If you do not have end-to-end trusted zones, (something like a perimeter-matrix or perimeter-mesh), the firewall will have to be retained to protect the DAC part of the infrastructure anyway.
The other thing I wished to point out is that that rule example used your user name. Trustifier rules-specification is owner-centric (user, group, roles) rather than object centric. The rationale behind this is it is easier to specify security in terms of users, groups, or roles rather than in terms of objects owned by them. Example: "Disallow network sockets to Chris" vs. "for each executable object in the system that utilizes network sockets create ACL for Chris and clear its execution bit for Chris".
With this ability, business data flow, data access rules etc can be intuitively understood by even non-technical managers. Would this not be a boon to achieving the ultimate goals of said de-perimeterization without the complexity layers of DLP/CFP?
Now repeat after me:
The flame from Spain,
Is now sputtering in a cold damp English plain.
Sorry Rob 🙂 Couldn't resist.
Oops. Typo in last word - should say CMP.
I like it. This is what is going to have to happen. Company workforces are only going to become more decentralized, division of labor will become more defined, and data will be flying all over the place, just like it does now. The perimeter paradigm exists because companies use to be in a building. They are now a collection of worker nodes and partner firms all over the world. We need a new paradigm. Sounds like Jericho is pushing for this.
The bottom line for this for me is twofold.
1) The term is unfortunate. They absolutely need to change this. I think Mogull called it "the message." (This all sounds way too cultish!)
2) That's great that we have a lofty goal about trusting everything and inherently secure technology. Great, something to look forward to. But I feel it is an idealistic goal whose attainability is arguable. It's perfection and I'm not sure any significant number of organizations/businesses that live in our reality can achieve this.
We can achieve steps in this, we can get a few steps closer to fine, we can maintain this goal in our mission statements, but I just don't get all that excited about it.
I'm still having difficulty understanding this framework. Above you stated, "…perpetuated imprecise suggestion that the Forum recommends that folks simply turn off their firewalls and IPS's and plug their systems directly into the Internet, as-is." That itself is pretty extreme, and I'll buy that they didn't intend that.
But wait. The Jericho Forum explains, "In a fully de-perimeterized network, every component will be independently secure."
And the 5th commandment states, "All devices must be capable of maintaining their security policy on an untrusted network," and, "Any implementation must be capable of surviving on the raw Internet, e.g., will not break on any input."
Besides the "holy-crap-make-things-perfect-from-the-start" reaction, how does this not imply throwing away firewalls and plugging systems directly into the Internet? I think you interpret what they intend, but that's not what they say in the words, and that's going to be a problem until the words are fixed. Of course, the strength of the framework diminishes when you can't make such strong points…
Then again, that goes back to their 3rd commandment about assuming context at your own peril. Ugh…I guess I shouldn't assume context about this framework?
I'm not anti-Jericho, I just don't see the Big Deal, I see nothing new in it, and I think their wording is flawed. Perhaps I will examine it some more…