Consolidating Controls Causes Chaos and Certain Complexity?
Don Weber wrote a post last week describing his thoughts on the consolidation of [security] controls and followed it up with another today titled "Quit Complicating our Controls – UTM Remix" in which he suggests that the consolidation of controls delivers an end-state of additional "complexity" and "higher risk":
Of course I can see why people desire to integrate the technologies.
- It is more cost effective to have two or more technologies on one piece of hardware.
- You only have to manage one box.
- The controls can augment each other more effectively and efficiently (according to the advertising on the box).
- Firewalls usually represent a choke point to external and potentially hostile environments.
- Vendors can market it as the Silver Bullet (no relation to Gary McGraw’s podcast) of controls.
- “The next-generation firewall will have greater blocking and visibility into types of protocols,” says Greg Young, research vice president for Gartner.
- etc.
Well, I have a problem with all of this. Why are we making our controls more complex? Complexity leads to vulnerabilities. Vulnerabilities lead to exploits. Exploits lead to compromises. Compromises lead to loss.
…and:
Don’t get me wrong. I am all for developing new technologies that will allow organizations to analyze their traffic so that they get a better picture of what is traversing and exiting their networks. I just think they will be more effective if they are deployed so that they augment each other’s control measures instead of threatening them by increasing the risk through complexity. Controls should reduce risk, not increase it.
Don’s posts have touched on a myriad of topics I have very strong opinions on: complex simplicity, ("magical") risk, UTM and application firewalls. I don’t agree with Don’s statements regarding any of them. That’s probably why he called me out.
The question I have for Don is simple: how is it that you’ve arrived at the conclusion that the consolidation and convergence of security functionality from multiple discrete products into a single-sourced solution adds "complexity" and leads to "increased risk?"
Can you empirically demonstrate this by giving us an example of where a single-function security device that became a multiple-function security product caused this complete combination of events to occur:
- Product complexity increased,
- That led to a vulnerability that was exploitable, and
- That increased "risk" based upon business impact and exposure.
I’m being open-minded here and rather than try and address every corner-case I am eager to understand more of the background of Don’s position so I might respond accordingly.
/Hoff
Wow, this is the first time I have been assigned a task via a blog post. Which project number am I billing this to? 😀
Working….
Go forth and do good things,
Don C. Weber
Disclaimer: I'm not taking sides here, just musing. I'm typically middle-of-the-road on these things, especially since I am using no empirical evidence or numbers. 🙂
1) My shop uses McAfee and we're digging in deeper with them over the next year. If there is a Big Bad Bug in McAfee's ePO (the brains of the product), that might mean much of my operation's security measures are temporarily toast. Ok, that may not be an example of a product becoming more complex, but rather a risk in a unified single product. And since we're being open-minded here I'll stick to the theoretical vs the empirical. 🙂
2) Sticking to McAfee, what if a fundamental flaw in their assumptions or signatures allows an attacker to slip through their monitoring? IPS and HIPS both don't detect the intrusion, or stop it. Again, this is likely a risk with a single product versus a blended approach to security products (which can be argued on how well McAfee uses products it itself purchased and packaged in…). Also, again, theoretical…
3) A case might be made that UTM products decrease complexity and thus increase risk. Is a company better off using the McAfee IPS appliance versus a Snort box? Depends…but I can tell you I'd prefer to pay an analyst the money the McAfee IPS costs and instead have them manage a Snort box. One is best of breed and offers a wealth of other options and expert-level ability whereas the other is so simplified that its usefulness is highly arguable.
4) I think your question can really only be answered by the product vendors themselves, as perhaps only they will know how complex their products are a) coded and b) interoperate. They hopefully find/hear about vulnerabilities as a result of those two things either a) in-house or b) from responsible researchers, and address them before an empirically measurable incident is realized. Again, though, theory… McAfee's ePO trusts the IPS…does that break down into an overflowable open port? Would that be a result of complexity?
Tough questions. 🙂
Away from the Complexity vs Risk issue. I think UTMs are somehow new to the market and hence they are not very mature. Most UTMs are made using Intel-based PC architecture (no ASICs) with many third-party add-ons for anti-virus, anti-spam, etc. And that's why they have many performance-related issues. For example, if you have a 1 Gig throughput firewall, this firewall's throughput will surely drop after enabling AV and AS on it. The anti-spam and IPS features in UTMs are not as powerful as those in stand-alone products.
I believe that UTMs are suitable for the network perimeter and in remote branches, where traffic load is not very high. They may not be suitable for data centers and ISPs. Their AV, AS, and IPS features are meant to complement and not replace your standalone IPSs and host-based antiviruses. However, maybe this will change in the near future when these products become mature enough.
I agree with the maturation. Some of them are still only slightly integrating acquisitions into the fold…not sure what a box would look like with all of the tools mashed together into one. A bit of a Frankenstein, at least for a while. Put two tools onto one box, and you may have to juggle the interoperability of both tools; what if they need different versions of Java, e.g.? And the exposure of two different tools…
More non-empiricals, I know, but just adding thoughts to where Don might have been going with this.
The Perimeter is DEAD – Let’s Make It More Complex (http://www.cutawaysecurity.com/blog/archives/217) – the detailed report is available upon payment in full. Of course a Guinness the next time we meet up would suffice, although a Murphy's Irish Stout (http://www.murphys.com/index.php) would be better.
Go forth and do good things,
Don C. Weber
Actually Hoff, I think it is a general misconception. I have met many people who, without looking, think this is the case. Indeed a number of people I work with believe this is true, and you and I have debated this point with various people in the past.
In particular with the platform we are deploying, one from your previous employer, people somehow get it into their heads that 10 separate boxes with their own configs and cables are easier than one box and no cables (same applications).
In some areas I suspect this is a boundaries issue; I see this with our MSSP, as useless as they are, they have this issue. It's not that the box is complex but that it crosses team boundaries, and as such there is debate as to who manages what, who owns it, etc. etc. This then also becomes an issue in troubleshooting issues as well.
Seems to me a lack of adaptive thinking in many ways, but consolidation makes technical and financial sense; with datacentre space, power and cooling becoming more and more of an issue, this trend is set to continue – my advice, grab a board and ride this wave or get out of the way and let us who do get it, get the job done!!