The DMZ Isn’t Dead…It’s Merely Catatonic
Joel Espenschied over at Computerworld wrote a topical piece today titled "The DMZ’s not dead…whatever the vendors are telling you." Joel basically suggests that, due to poorly written software, complex technology such as Web Services and SOA, and poor operational models, the DMZ provides the requisite layers of defense in depth to provide the security we need.
I’m not so sure I’d suggest that DMZs provide "defense in depth." I’d suggest they provide segmentation and isolation, but if you look at most DMZ deployments they represent the typical Octopus approach to security: a bunch of single segments isolated by one firewall (or a cluster of them). It’s the crap surrounding these segments that is appropriately tagged with the DiD moniker.
A DMZ is an abstracted representation of a security architecture, while I argue that defense in depth is a control implementation strategy…and one I think needs to be dealt with as honestly by security/network teams as it is by Enterprise Architects. My simple truth is that there are now hundreds if not thousands of "micro-perimeterized single host" DMZs in most enterprise networks today, and we lean on defense in depth as a crutch and a bad habit because we’re treating the symptom and not the problem — and it’s the only thing that most people know.
By the way, defense in depth doesn’t mean 15 network security boxes piled on top of one another. Defense in depth really spoke to this model which entailed a holistic view of the "stack" — but in a coordinated manner. You must focus on data, applications, host and networking as equal and objective recipients of investment in a protection strategy, not just one.
Too idealistic? Waiting for me to run out of air holding my breath for secure applications, operating systems and protocols? Good. We’ll see who plays chicken first.
You keep designing for obsolescence and the way things were 10 years ago while I look at what the business needs and where its priorities are and how best to balance risk with sharing information. We’ll see who’s better prepared in the next three year refresh cycle to tackle the problems that arise as the business continues to embrace disruptive technology while you become the former by focusing on the latter.
There’s a real difference between managing threats and vulnerabilities versus managing risk. Back to the article.
Two quotes stand out in the bunch, and I’ll focus on them:
"The philosophy of Defense in Depth is based on the idea that stuff invariably fails or is cracked, and it ought to take more than one breach event before control is lost over data or processes. But with this "dead DMZ" talk, the industry seems to be inching away from that idea — and toward potential trouble."
Right. I see how effective that’s been with all the breaches thus far. Please demonstrate how defense in depth has protected us against XSS, CSRF, SQL Injection and fuzzing so far. How about basic wireless security issues? How about data leakage? Your precious design anachronism isn’t looking so good at this point. You spend hundreds of thousands of dollars and are still completely vulnerable.
That’s because your defense in depth is really defense in breadth and it’s being applied to the wrong sets of problems. Where’s the security value in that?
"The talking heads may say the DMZ is dead, but those actually managing enterprise IT installations shouldn’t give it up so easily. Until no mistakes are made in application coding, placement, operations and other processes — and you know better than to hold your breath — layered network security controls still provide a significant barrier to loss of data or other breach. The advice regarding application configuration and optimization is useful and developers’ efforts to make that work are encouraging, but when it comes to the real-world network, organizations can’t just ignore the reality of undiscovered vulnerabilities and older systems still lurking in the corners."
Look, the reality is that "THE DMZ" is dead, but it doesn’t mean "the DMZ" is…it simply means you have to reassess and redefine both your description and expectation of what a DMZ and defense in depth really mean to your security posture given today’s attack surfaces.
Keep your firewalled DMZ Octopi for now, but realize that with the convergence of technologies such as virtualization, mobility, Mashups, SaaS, etc., the reality is that a process or data could show up running somewhere other than where you thought it was — VMotion is a classic example.
If security policies don’t/can’t travel with affinity to the resources they protect, your DMZ doesn’t mean squat if I just VMotioned a VM to a segment that doesn’t have a firewall, IDS, IPS, WAF and Proxy in front of it.
THAT’S what these talking heads are talking about while you’re intent on sticking yours in the sand. If you don’t start thinking about how these disruptive technologies will impact you in the next 12 months, you’ll be reading about yourself in the blogosphere breach headlines soon enough.
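The VMotion scenario above, as an added example that is not code from the original post: a workload carries the set of controls its policy requires (the part that should travel with the VM), each segment exposes the controls actually deployed in front of it, and a migration event or a placement inventory is checked for the gap between the two. The segment names, workload names and control labels are constructed for illustration.

```python
"""Policy-affinity check for migrated workloads (added example).

Models the point that a DMZ only protects a workload while the workload
sits behind it: if the VM moves to a segment without the firewall, IDS,
IPS, WAF or proxy its policy assumes, the policy must move with it or the
gap must at least be detected. All inventory below is constructed.
"""
from dataclasses import dataclass

# Control labels named in the post as sitting in front of a DMZ segment.
FIREWALL, IDS, IPS, WAF, PROXY = "firewall", "ids", "ips", "waf", "proxy"


@dataclass(frozen=True)
class Workload:
    name: str
    required_controls: frozenset  # the policy that must travel with the VM


@dataclass(frozen=True)
class Segment:
    name: str
    controls: frozenset  # what is actually deployed in front of this segment


@dataclass(frozen=True)
class MigrationEvent:
    workload: str
    src: str
    dst: str


def missing_controls(workload, segment):
    """Controls the workload's policy requires that the segment lacks."""
    return workload.required_controls - segment.controls


def evaluate_migration(event, workloads, segments):
    """Return (allowed, missing) for a proposed or observed migration.

    allowed is True only when the destination segment satisfies every
    control the workload's policy requires; missing lists the gap, sorted.
    """
    wl = workloads[event.workload]
    dst = segments[event.dst]
    missing = missing_controls(wl, dst)
    return (len(missing) == 0, sorted(missing))


def audit_placement(workloads, placement, segments):
    """Inventory-wide check: {workload: sorted missing controls} for every
    workload whose current segment does not satisfy its policy.
    An empty dict means every workload is where its policy assumes."""
    findings = {}
    for name, seg_name in placement.items():
        missing = missing_controls(workloads[name], segments[seg_name])
        if missing:
            findings[name] = sorted(missing)
    return findings


# Constructed inventory (hypothetical segment and workload names).
SEGMENTS = {
    "dmz-web": Segment("dmz-web", frozenset({FIREWALL, IDS, IPS, WAF, PROXY})),
    "internal-vm-pool": Segment("internal-vm-pool", frozenset({FIREWALL})),
}
WORKLOADS = {
    "web-frontend": Workload("web-frontend", frozenset({FIREWALL, IPS, WAF, PROXY})),
    "batch-reporting": Workload("batch-reporting", frozenset({FIREWALL})),
}


if __name__ == "__main__":
    # The migration the post describes: a DMZ-fronted VM lands in a pool
    # that only has a firewall in front of it.
    event = MigrationEvent("web-frontend", "dmz-web", "internal-vm-pool")
    allowed, missing = evaluate_migration(event, WORKLOADS, SEGMENTS)
    print(f"{event.workload}: {event.src} -> {event.dst} "
          f"allowed={allowed} missing={missing}")
    placement = {"web-frontend": "internal-vm-pool", "batch-reporting": "dmz-web"}
    print("placement findings:", audit_placement(WORKLOADS, placement, SEGMENTS))
```

The same `evaluate_migration` check can gate a migration before it happens or, fed from a migration log after the fact, raise the alert that the moved VM is no longer behind the WAF and proxy its policy assumed; `audit_placement` is the periodic sweep that catches drift the event path missed.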
Think different.
/Hoff
If we only think of XSS, SQL injection and other new age trendy wowie wow web attacks, we will eventually set ourselves back and cause attacks to go back to the 1990s.
The DMZ is a great idea in concept, the issue is not the DMZ but the impersonation. Implementations must evolve with technology, design, and usage.
Build the DMZ (make the entire front channel a DMZ if you want) but protected through higher levels of security the systems which need it. Implement new techniques and designs as needed and break away from the traditional theory of the design if you must. Protect the noun. The noun is that which is valuable.
Hey Hoff, when did you start channelling the Jericho Forum? 😉
What Adam said. Could it be that maybe, just maybe, attacks are travelling up the stack because we're getting better at securing the bottom layers?
There's no doubt at all that our antiquated firewalls are still blocking attacks. They're just not blocking ALL of them. Same with our DMZ, ACLs, anti-malware, IPSes, etc. Our wireless security is working just fine, thank you, because we're keeping it all segregated from the internal network.
The concept is still sound; it just needs to evolve and expand as these new technologies move in. We're still working on "least privilege," mind you, which is the granddaddy of all access control, so we're always going to zone our data in one way or another — probably in multiple ways.
@Adam:
I'm not focusing on them, they were just examples. And you'll see me make the point below, but we are STILL DEALING WITH ATTACKS THAT GO BACK TO THE '90s! Why the hell are we still dealing with buffer overflows?
Again, I didn't say the DMZ doesn't have value; it does, just not in the Octopus model…it too, must evolve. Which is what I said.
@Shrdlu:
I'm channeling common sense, nothing else.
"Could it be that maybe, just maybe, attacks are travelling up the stack because we're getting better at securing the bottom layers?"
Nope. Name ONE class of security problem that we have eliminated completely in the last 10 years. If you measure "getting better" by the deployment of "more stuff" then, yes.
The reason we've seen attacks "go up the stack" is because the defense-in-depth scenario of low-level blocking and tackling just vectors attackers off to the next gap in the wall.
Now, if that's your idea of being strategic, then you win. I call it break-fix. I also maintain it's not sustainable.
In the middle ages they built castles with lots of concentric walls. Moats. Boiling oil.
That worked swell until the enemy adopted the trebuchet. Game. F'ing. Over.
And in terms of your last sentence, that's what I said.
The reality is there is no excuse that we're still working on the same sets of problems that existed 10 years ago — albeit now they're in shiny new wrappers.
/Hoff
@Hoff: You write:
Nope. Name ONE class of security problem that we have eliminated completely in the last 10 years. If you measure "getting better" by the deployment of "more stuff" then, yes.
The reason we've seen attacks "go up the stack" is because the defense-in-depth scenario of low-level blocking and tackling just vectors attackers off to the next gap in the wall.
I say:
Hello, strawman!! Name one class of security problem that ANYONE has ever eliminated completely, EVER. Come on, Hoff, that's just silly. Nobody's saying anything's ever been completely eliminated, just reduced significantly. And I think you just said the same thing I did — that attacks are going up the stack because defense-in-depth is working at the lower levels to push them up — but for some reason you're claiming that you're disagreeing with me. WTF?
"Getting better" == we're seeing fewer attacks in areas that we've taken steps to secure. You call it "more stuff," I call it airbags on top of seatbelts. They're working. They just don't cover the upper layers. No reason to get rid of seatbelts and airbags simply because we haven't solved the problem of collapsing bridges.
No, I certainly didn't say the same thing you did.
AGAIN, I defy you to show me where I said you should get rid of the DMZ. I stated that the definition and purpose of the DMZ are outmoded.
I further defy you to demonstrate where you can parallel in my arguments that one should get rid of seatbelts for the sake of airbags…
To refine my challenge, please demonstrate one class of attack that has been "significantly reduced." And cite your sources.
I say you'd have difficulty proving that we've reduced attacks versus merely become more proficient at spending money TO TOLERATE THEM:
SPAM? Viri? Phishing? Data breaches? DDoS? Botnets? Stop me whenever you feel you can…
I'm not disagreeing with the fact that throwing tons of cash at a problem to deflect it isn't working to deflect it. BUT IT'S NOT SOLVING THE PROBLEM. It keeps you gainfully employed, that's a big difference.
I baited the question regarding complete elimination for the sake of argument, because it goes to demonstrate that the end goal can never really be achieved…but we do a damned good job faking it. What happens when you run out of wall (per my example above…) What's your answer then?
Whack. A. Mole. That's what you're justifying and championing. Just how many layers of crap are you willing to tolerate and purchase in the name of defense in depth?
I'm just getting a little jaded with the concept that technology apologists claim success when we continue to see the worst exploitation of our defenses in history.
It's funny that folks will spend their last breaths defending the status quo rather than take the long road and literally think "outside the box."
Yeah, sure…it's getting "better."
/Hoff