Cutter Consortium
6 December 2005

CASTLE OR SUBMARINE? THE INADEQUACY OF PERIMETER DEFENSE

Most managers' first response, on being asked to secure their corporate networks, would probably be to install a firewall and force all incoming and outgoing traffic to pass through it. (Antivirus packages for all computers might come a close second these days.) Networks are becoming so complex and dynamic, however, that there are growing doubts as to whether perimeter defense can be trusted at all.

In today's information security scenario, according to Dan Houser, there is no longer a well-defined perimeter; instead, attacks can come from anywhere. Houser, a senior security engineer at a Fortune 500 financial corporation, hammers his point home in a richly detailed article published in Information Security. Contrasting the conventional "castle" model with his own more pessimistic "submarine" paradigm, he warns:

The castle model assumes a single, well-defined entry point, but your organization has hundreds, even thousands of openings: point-to-point connections with partners, vendors and even competitors.
Employees and consultants open still more holes -- from the inside. Dozens of modems litter your network; users bring in wireless access points; consultants unplug fax machines to obtain analog lines to dial up their corporate LAN from their network-connected laptops. Employees connect their personal machines to your network, despite the fact that those PCs are largely unpatched, virus infected, owned and/or filled with adware and spyware. Over time, your firewalls start to resemble Swiss cheese, as business partnerships require more and more ports to be opened, while unnecessary ports often remain open long after they're needed.
We have a lot more to worry about than barbarians at the gates. The submarine warfare model teaches us that there's no viable perimeter -- the enemy can be anywhere [1].

Insider attacks, modems, wireless networking, and tunneling give Houser cause for concern. But his greatest concern is reserved for the sheer impossibility of maintaining perimeter security in today's conditions.

Houser continues:

Just look at what's happening on your network:
  • Roughly 75 percent of attacks come from the inside, not the Internet (excluding repetitive worms).
  • "Trusted" employees load KaZaA, GoToMyPC, Gnutella, HTTPTunnel, IM clients and other P2P applications on their workstations, blowing hundreds of virtual holes in your perimeter.
  • With the advent of Web services, you can't presume that your core networks are trustworthy. XML and SOAP are now tunneling Remote Procedure Calls (RPCs) through your firewalls over ports 80 and 443. They're connecting the Internet to your core business applications and databases.
  • Web services moves application servers to your outermost DMZ [2], requiring the same servers to provide both presentation and application layers. These mission-critical servers are simultaneously terminating Internet connections and executing business logic, opening your enterprise to greater risk. Fortunately, some Web services vendors are well aware of this issue, and are taking steps to resolve it.
  • Web services essentially provides a way for your developers to publish RPCs to the Internet, but change control and code review get short shrift in the rush to bring Web apps to market. If major software vendors producing shrink-wrapped software continue to publish RPC vulnerabilities, despite rigorous code walkthroughs and change control procedures, imagine how many RPC vulnerabilities your Web developers will code into their Web services apps.
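Houser's point that SOAP carries RPCs through the two ports every firewall leaves open is easier to grasp with a concrete gate in front of such a service. The following Python script is an added example, not code from the Cutter advisory or from Houser's article: it assumes a reverse proxy hands it the raw HTTP request, and the backend host name orders.internal.example, the operation allowlist and the sample requests are constructed for illustration.

```python
"""Application-layer gate for SOAP requests that arrive over an allowed port.

Added example; not from the Cutter advisory or Houser's article. The policy
table, host name and sample requests below are constructed for illustration.
A port-level firewall rule sees only "443 is open"; this gate decides on the
RPC operation named inside the SOAP body, and denies anything not published.
"""
import xml.etree.ElementTree as ET  # for production use a hardened parser such as defusedxml

SOAP11_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
SOAP12_ENV = "http://www.w3.org/2003/05/soap-envelope"

# Constructed policy: per backend host, the operations the business has chosen
# to expose. Default deny, so a newly coded RPC is not reachable just because
# port 443 is open.
ALLOWED_OPERATIONS = {
    "orders.internal.example": {"GetOrderStatus", "SubmitOrder"},
}


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ")
    method = parts[0]
    path = parts[1] if len(parts) > 1 else ""
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def soap_operation(body: bytes):
    """Return the local name of the first child of soap:Body, or None."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    for env in (SOAP11_ENV, SOAP12_ENV):
        if root.tag == f"{{{env}}}Envelope":
            soap_body = root.find(f"{{{env}}}Body")
            if soap_body is None or len(soap_body) == 0:
                return None
            # "{urn:orders}GetOrderStatus" -> "GetOrderStatus"
            return soap_body[0].tag.rsplit("}", 1)[-1]
    return None


def gate(raw_request: bytes):
    """Return (decision, reason) for one request seen at the proxy."""
    method, _path, headers, body = parse_http_request(raw_request)
    host = headers.get("host", "")
    content_type = headers.get("content-type", "")
    is_soap = method == "POST" and (
        "text/xml" in content_type
        or "application/soap+xml" in content_type
        or "soapaction" in headers
    )
    if not is_soap:
        return ("allow", "not a SOAP request; ordinary HTTP is handled elsewhere")
    op = soap_operation(body)
    if op is None:
        return ("deny", "SOAP request without a parseable operation")
    # The SOAPAction header, when present, must agree with the body so the
    # proxy and the backend cannot be made to see two different operations.
    action = headers.get("soapaction", "").strip('"')
    if action and not action.endswith(op):
        return ("deny", f"SOAPAction {action!r} does not name body operation {op!r}")
    if op not in ALLOWED_OPERATIONS.get(host, set()):
        return ("deny", f"operation {op!r} is not published for host {host or '?'}")
    return ("allow", f"operation {op!r} is published for host {host}")


def _request(op: str, action: str) -> bytes:
    """Build a constructed SOAP 1.1 request for the sample service."""
    return (
        b"POST /services/orders HTTP/1.1\r\n"
        b"Host: orders.internal.example\r\n"
        b"Content-Type: text/xml; charset=utf-8\r\n"
        + f'SOAPAction: "{action}"\r\n'.encode()
        + b"\r\n"
        + b'<?xml version="1.0"?>'
        + b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
        + f'<soap:Body><{op} xmlns="urn:orders"><id>42</id></{op}></soap:Body>'.encode()
        + b"</soap:Envelope>"
    )


# Constructed sample traffic, all of it on a port the firewall allows.
SAMPLE_PUBLISHED = _request("GetOrderStatus", "urn:orders:GetOrderStatus")
SAMPLE_UNPUBLISHED = _request("PurgeOrders", "urn:orders:PurgeOrders")
SAMPLE_MISMATCH = _request("SubmitOrder", "urn:orders:GetOrderStatus")
SAMPLE_PLAIN_GET = b"GET /index.html HTTP/1.1\r\nHost: orders.internal.example\r\n\r\n"

if __name__ == "__main__":
    for name, req in [("published", SAMPLE_PUBLISHED), ("unpublished", SAMPLE_UNPUBLISHED),
                      ("mismatch", SAMPLE_MISMATCH), ("plain GET", SAMPLE_PLAIN_GET)]:
        print(f"{name:12s} -> {gate(req)}")
```

The design point is that the decision keys on the operation named in the SOAP body, not on the port or URL path, and that anything not explicitly published is refused, so a developer who adds an RPC to the service does not expose it to the Internet by default. Checking SOAPAction against the body closes the gap where the proxy and the application would otherwise dispatch on different fields.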

There is a complex interplay between new technical vulnerabilities and the potential for human error or social engineering attacks. A dazzling variety of devices can quickly and easily be plugged into the Internet, many of which may at some stage decide to "phone home" on their own initiative. It just takes a single copier programmed to connect automatically to its vendor's server, or a single user dialing out with a modem, to "turn the corporate intranet inside out" and make it publicly available to the whole Internet.

A classic scenario is for a consultant working at a client's site to connect (perhaps unwittingly) to a local corporate wireless LAN while already connected, perhaps by virtual private network (VPN), to his or her own company's network. Presto! In a flash the two networks have been merged, and everything on each is visible to all the users and applications on the other.

Wireless networks, convenient and fashionable as they are, offer the uninitiated a wide array of ways to harm themselves and their employers. By some estimates, more than half the wireless networks currently in operation are unencrypted -- effectively broadcasting their transactions to anyone who may be interested. Contrary to popular belief, the range at which a wireless LAN can be accessed is extremely variable and may sometimes extend to many miles, depending largely on weather conditions. Once again, the fundamental problem lies in users who install new equipment without checking, or modifying, its default settings.

But encryption is no guarantee of privacy or security. Not long ago, an FBI team demonstrated that it could break a 128-bit Wired Equivalent Privacy (WEP) key in about three minutes, thus gaining access to an encrypted network [3]. What's more, the team did this with inexpensive and generally available hardware and software. Wi-Fi Protected Access (WPA) is a stronger encryption technique, but the FBI still recommends switching off wireless LANs (WLANs) when not in use.

-- Tom Welsh, Senior Consultant, Cutter Consortium

Notes

[1] Houser, Dan. "Network Security: Submarine Warfare." Information Security, August 2003.

[2] DMZ is a demilitarized zone, a network section sandwiched between two firewalls. A DMZ typically isolates the "soft" inner corporate intranet from the "wild" external Internet.

[3] Cheung, Humphrey. "The Feds Can Own Your WLAN Too." Tom's Networking, 31 March 2005.