
Category: Secure Network Fabric

February 4th, 2008

Birth of IPv6

Posted by Richard Stiennon @ 2:06 pm

Categories: Secure Network Fabric

Tags: IPv6, IP, IP Address, Networking, Telecommunications, Richard Stiennon

Well tonight’s the night. For the first time, IPv6 domain resolution will be possible from a root server. Just a few addresses, mind you, according to this article. You may ask “what took so long?” The answer is that we did not really need it. IPv6 bakes in some security that was addressed by SSL in IPv4, so that driver did not help. The other issue, a rapidly depleting address space, was managed by NAT (Network Address Translation). But now depletion is really staring us in the face. It is getting hard to get address space. Soon you will see the first bidding wars for owners of large blocks of free IP addresses. Technically you are not allowed to sell IP addresses, so don’t expect a market for them. But do expect high valuations for shells that control IP address blocks.

So soon there will be more than enough IP addresses to go around. How many, you say? Here is a great excerpt from Wikipedia:

For example, IPv6 supports 2^128 (about 3.4×10^38) addresses, or approximately 5×10^28 addresses for each of the roughly 6.5 billion people[1] alive today. In a different perspective, this is 2^52 addresses for every star in the known universe[1] – a million times as many addresses per star than IPv4 supported for our single planet.

That should do it.

Get ready for several years of growing pains. Not the least of which will be all the exploits for the newly deployed IPv6 stacks that have not been well tested in the real world. Routers, servers, desktops, all will have their turn. The bad guys will have fertile ground to work.

September 19th, 2007

De-perimeterization is dead

Posted by Richard Stiennon @ 2:44 am

Categories: Compliance, Data Security, Secure Network Fabric

Tags: Network, Network Security, Perimeter, De-perimeterization, Thesis, Jericho Forum, Networking, Richard Stiennon

Let me go on record now. The perimeter is alive and well. It has to be. It will always be. Not only is the idea that the perimeter is going away wrong, it is not even a desirable direction. The thesis is not even Utopian, it is dystopian. The Jericho Forum has attempted to formalize the arguments for de-perimeterization. It is strange to see a group formed to promulgate a theory. Not a standard, not a political action campaign, but a theory. Reminds me of the Flat Earth Society.

Threats abound. End points are attacked. Protecting assets is more and more complicated and more and more expensive. Network security is hard for the typical end user to understand: all those packets, and routes, and NAT, and PAT. Much simpler, say the de-perimeterizationists, to leave the network wide open and protect the end points, applications, data and users.

Yeah, well, the reality is that the perimeter is being reinforced constantly. Dropping those defenses would be like removing the dikes around Holland. The perimeter is becoming more diverse, yes. When you start to visualize the perimeter, which must encompass all of an organization’s assets, one is reminded of the coast of England metaphor. In taking the measure of that perimeter the length is dependent on the scale. A view from space predicts a different measurement than a view from 100 meters or even 1 meter. Coast lines are fractal. So are network perimeters.

Disclaimer: I work for a vendor of network perimeter security appliances. But, keep in mind, I would not be working for a perimeter defense company if I did not truly believe that the answer lies in protecting our networks. If I believed otherwise I would work for a de-perimeterization vendor, if I could find one. :-)

August 13th, 2007

Where is security going?

Posted by Richard Stiennon @ 4:39 pm

Categories: Compliance, CyberCrime, Secure Network Fabric, Security Industry News, Security blog

Tags: Security, Firewall, Router, Richard Stiennon

Or more specifically, where is the security industry going? When faced with this question, Rothman’s and Newby’s security blogs read like the ramblings of ecclesiastical old men who are tired of their own industries. They are too close to it to scent the excitement, maybe?

First of all there are huge changes looming in the security industry. You won’t catch me writing about them as often as I used to because it is hard to be viewed as objective when you work for a security vendor. But let me chime in on this topic.

Change in the security space is, as always, driven by threats. The threats are growing on the criminal as well as state sponsored fronts. What does that mean for the industry?

First, Rothman and a slew of other analysts are right when they say security will have to be embedded everywhere. But what does that mean? What is “everywhere”? Quite simply it means in switches, routers, servers, desktops, cell phones and all devices. So to see change you might have to look beyond the ten or so publicly traded pure plays in security. What are IBM, EMC, and HP up to, for instance? It will not be long before secure phones, secure routers, and secure computers start to show up on the scene.

The trends will be hard to measure because when a $10 billion router vendor adds firewalling to their routers it may not even be picked up on by the research community. When does a router cross over into being a security device? When does an ACL (access control list) become a firewall policy? Look for network deployments *without* firewalls behind the routers and you will start to see this trend in action.

Other areas of excitement include behavior based transaction monitoring, video surveillance, and yes Denial of Service Defense.

And don’t forget to check out the surge in what I would have to call Managed Security Services 2.0: security in the cloud. If 1.0 was event monitoring and reporting ala Counterpane, Riptech, and Guardent, 2.0 is a collection of services built around anti-spam, anti-virus, web content filtering and IPS as well as firewall/VPN and network management. There are hundreds of companies jumping into this space. I see managed services and in-the-cloud services as the hottest growing area in all of security.

April 3rd, 2007

Spoofing NAC

Posted by Richard Stiennon @ 3:26 am

Categories: Secure Network Fabric, Security, Security blog

Tags:

Remember Stiennon's first law of network security? It is:

Thou shalt not trust an end point to report its own state.

This means that you cannot trust the IP address, MAC address, location, AV signature file version, or configuration information reported by a device. It can be spoofed. Unfortunately this is the basis of CNAC, Cisco's Network Access Control proposal. I have written about this fundamental flaw many times. Last summer I wrote about it here, igniting a conflagration in the blogosphere.
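To make the law concrete, here is an added example in Python; it is not code from the post and not Cisco's or any vendor's NAC implementation. The first check admits a host on the strength of its own posture report, so a fabricated report claiming a current AV signature version passes. The second binds the report to a server-issued single-use nonce and an HMAC under a key held by the endpoint agent, which stops an outsider who lacks the key and stops replay of a captured report. The key, field names, thresholds and report contents are all constructed. Note the residual gap, which is exactly the post's point: the HMAC proves the agent key was used, not that the report is true, so a compromised endpoint that holds the key can still sign a false report; that is why enforcement has to come from something the endpoint does not control.

```python
import hashlib
import hmac
import json
import secrets
from typing import Dict, Set

# Policy threshold: a constructed value, not any vendor's real default.
MIN_AV_SIGNATURE = 5000

# Key shared between the admission server and the endpoint agent (constructed).
AGENT_KEY = b"constructed-demo-agent-key"

# A posture report as a dishonest client could send it: every field is a claim.
FORGED_REPORT: Dict = {
    "mac": "00:11:22:33:44:55",
    "av_signature": 99999,
    "firewall_enabled": True,
}


def policy_allows(report: Dict) -> bool:
    """Shared policy: is the described posture acceptable?"""
    return (
        int(report.get("av_signature", 0)) >= MIN_AV_SIGNATURE
        and report.get("firewall_enabled") is True
    )


def admit_self_reported(report: Dict) -> bool:
    """The flawed check: the client's own description is the only evidence."""
    return policy_allows(report)


def issue_nonce(issued: Set[str]) -> str:
    """Server side: hand out a fresh single-use challenge."""
    nonce = secrets.token_hex(16)
    issued.add(nonce)
    return nonce


def sign_report(report: Dict, nonce: str, key: bytes) -> str:
    """Agent side: bind the report to the challenge with an HMAC-SHA256 tag."""
    msg = nonce.encode() + json.dumps(report, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def admit_attested(report: Dict, tag: str, nonce: str, key: bytes, issued: Set[str]) -> bool:
    """Hardened check: accept only a report bound to a server-issued nonce and
    authenticated under the agent key. The nonce is consumed on any attempt,
    so a captured report cannot be replayed and tags cannot be retried."""
    if nonce not in issued:
        return False
    issued.discard(nonce)
    expected = sign_report(report, nonce, key)
    if not hmac.compare_digest(expected, tag):
        return False
    return policy_allows(report)


if __name__ == "__main__":
    print("self-reported forged report admitted:", admit_self_reported(FORGED_REPORT))
    issued: Set[str] = set()
    n = issue_nonce(issued)
    bad_tag = sign_report(FORGED_REPORT, n, b"not-the-agent-key")
    print("attested, no agent key:", admit_attested(FORGED_REPORT, bad_tag, n, AGENT_KEY, issued))
```

Run it as a script and the first line prints True while the second prints False: the self-reported path cannot tell a truthful report from a forged one, whereas the attested path at least requires possession of the agent key and a live challenge.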

Now it is reported at Black Hat that researchers have successfully circumvented CNAC by spoofing end point configurations. This is trivial and any motivated hacker can pull it off. Now there is even a toolkit. But why bother since there are few CNAC implementations?  The real lesson learned is that if you are deploying this type of NAC you are not doing it to improve your security. 

Researchers in Germany today demonstrated a tool that allows an unauthorized PC to disguise itself as a legitimate client in a Cisco Network Admission Control (NAC) environment, effectively circumventing the networking giant's end-point security strategy.

And for my fellow bloggers whom I rarely call out using my own blog: are you ready to retract your "founded on quicksand" statements and admit that you were wrong and Stiennon was right once again? :-)

Full disclosure: Since last summer's debate I have taken a position with a direct competitor to Cisco. 

November 28th, 2006

Changes in store for ThreatChaos

Posted by Richard Stiennon @ 7:31 am

Categories: Secure Network Fabric

Tags:

I just spent nine months as an independent analyst covering the IT security space. You will have noticed that in addition to posting about the threats and rise of cyber crime I began to cover the security industry as well. When I originally started to write Threatchaos I was at Webroot Software, and the site, you may recall, was at www.threatchaos.com. Because I was in the industry I was not really in a position to critique other vendors. I transitioned the blog to ZDNET the day I launched IT-Harvest, my attempt at creating an independent research firm.

Now, I am making another shift. Because it is back to the vendor side you will see me posting less about the industry and more about the threats again. I seem to be one of the few people who believe the threats are under-hyped, not over-hyped. I need to continue to highlight the next Sumitomo bank heist and the next Haephrati Trojan. This blog is the place for that.

Why move on? It’s a long story. As many know I covered the network security space for Gartner for four years. My stint covered the rise and acquisition of Netscreen, the death of IDS, the EOL (end of life) of Gauntlet, and the invention of IPS. None of which I can take credit for, of course. One of the frustrations of being an analyst is that you are an observer, hopefully a thinker, but certainly not a doer.

At one point about three years ago, a dinner meeting was convened in Sausalito: two industry execs, a social networking guru, and an analyst. The purpose: figure out the next big thing in network security. We came up with nothing definitive at that meeting, but, as these things often work out, within two weeks I had that big aha moment when I realized that the network had to be secured. Just as ISPs and carriers are doing more to manage and block malicious traffic on their backbones, the enterprise should be doing more to ensure that bad packets have no place on their networks. This evolved into my concept of Secure Network Fabric, which I have written about at length.

Well, I have visions of Demosthenes shouting into the wind whenever I attempt to be heard. The rush to quarantine and health checks that is NAC is a stampede that overwhelms a lone voice. And, in the meantime, there is a quiet evolution in network security that is indeed moving towards this concept of “secure networking”. And, in particular, the stealthiest company in the space, Fortinet, has even introduced an edge device for the enterprise. Look around. We know that switch vendors have made some acquisitions to get into security (3com+Tipping Point, Force10+MetaNetworks), but have you noticed that firewall vendors are introducing switches???

It’s time to be part of this evolution. Maybe at Fortinet I can help make it a revolution.

November 27th, 2006

Good NAC

Posted by Richard Stiennon @ 8:06 pm

Categories: Secure Network Fabric

Tags:

You may have caught my recent column on good vs bad NAC here. To dig a little deeper into the good side of NAC, that is the network access control stuff as opposed to the admission control stuff, I talked with Sanjay Uppal, Founder and CEO of Caymas Systems. Yes, Caymas has built in the ability to check system health just like the rest of the vendors that are trying to make system configuration a criterion for network access. But, in my mind, the real value Caymas brings is the granular access control enforced by a simple-to-deploy network appliance. Listen to the threatcast here, or download via iTunes!

November 21st, 2006

Testing Scada Networks

Posted by Richard Stiennon @ 10:05 am

Categories: Secure Network Fabric

Tags:

SCADA is of course the protocol that utilities such as gas, electric, and telecoms use to control the equipment they have to manage. Think of a simple way to check a temperature or voltage reading and report back, as well as set values on switches, pumps, etc. It’s easy. In the olden days SCADA devices were connected by phone lines and dedicated circuits. Today of course they are connected to IP networks that are often also connected to the Internet. Just to get a feeling for the type of device that can be controlled via SCADA, check out this awesome movie of an electrical gate being tripped.

I grabbed a chance to talk to Kowsik Guruswamy, CTO and co-founder of MuSecurity, because they have recently added SCADA to the list of protocols they can test with their product. MuSecurity sells hardware appliances that can launch attacks against devices on the network to discover how they react to thousands of anomalous packets. They basically discover zero day vulnerabilities. Their primary customers are IT security departments who are evaluating different solutions, and security vendors that want to improve their products. Now they can also be used to check the robustness of things on the power grid, for instance. Listen to the threatcast with Kowsik here. Note that he points out a scary situation. SCADA protocols are based in part on RPC DCOM, an infamous protocol that has been attacked by many worms. That does not make me feel good.

August 17th, 2006

Can you do this?

Posted by Richard Stiennon @ 9:53 am

Categories: Secure Network Fabric, Security, Security Industry News

Tags:

The raging debate over NAC included one aspect that I want to dwell on. That is the perception held by some that NetFlow is a tool for countering denial of service attacks. Certainly, the original NetFlow vendors, Arbor and Mazu, got their starts by countering denial of service attacks, and a large percentage of their revenue still comes from ISPs that use their tools to identify sources of attacks and block them at the edge. But NetFlow is much too powerful a tool to be pigeonholed in the DoS defense category. Read my just published column at DarkReading: Getting to Know NetFlow.

And look at this output from a NetFlow management console that Lancope provided me with. Can you get this kind of image of your network?

[Image: netflowsmall.jpg, NetFlow management console output provided by Lancope]

It is not surprising that web traffic is the bulk of what this large corporation sees on their network. RTSP, the real time streaming protocol, is more revealing: it indicates that video and audio are making up a lot of the bandwidth utilization. With a good NetFlow console you can drill into a lot of interesting detail. I can’t imagine doing any capacity planning or even network debugging without the power of NetFlow. Read my article for the internal security benefits that come from NetFlow.
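The kind of drill-down the console gives you can be approximated from raw flow records. The following Python is an added example, not code from the post, from Lancope's console or from any NetFlow product: it aggregates a handful of constructed flow records (addresses, ports and byte counts are all made up) by application, reports the largest sources, and flags a host whose flows have the fan-out shape of an internal sweep, which is one of the internal security signals the post alludes to. The port-to-application table and the alert thresholds are assumptions.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple


class Flow(NamedTuple):
    """One flow record: source, destination, protocol, destination port, bytes, packets."""
    src: str
    dst: str
    proto: str
    dport: int
    bytes: int
    pkts: int


# Port-to-application table for the summary (constructed, deliberately small).
APP_BY_PORT = {80: "web", 443: "web", 554: "rtsp", 53: "dns", 25: "smtp"}

# Constructed flow records standing in for a console export.
SAMPLE_FLOWS: List[Flow] = [
    Flow("10.1.2.10", "203.0.113.5", "tcp", 80, 1_200_000, 900),
    Flow("10.1.2.11", "203.0.113.9", "tcp", 443, 800_000, 650),
    Flow("10.1.2.12", "198.51.100.7", "tcp", 554, 1_500_000, 1100),
    Flow("10.1.2.12", "198.51.100.8", "udp", 554, 900_000, 700),
    Flow("10.1.2.10", "10.1.0.5", "udp", 53, 4_000, 40),
    Flow("10.1.2.10", "10.1.0.6", "tcp", 25, 20_000, 30),
] + [
    # One host touching ten peers on four ports with tiny flows: the shape of
    # an internal sweep rather than of a client doing real work.
    Flow("10.1.2.99", f"10.1.3.{i}", "tcp", port, 60, 1)
    for i in range(1, 11)
    for port in (22, 135, 139, 445)
]


def bytes_by_application(flows: List[Flow]) -> Dict[str, int]:
    """Total bytes per application, classified by destination port."""
    totals: Dict[str, int] = defaultdict(int)
    for f in flows:
        totals[APP_BY_PORT.get(f.dport, "other")] += f.bytes
    return dict(totals)


def share_by_application(flows: List[Flow]) -> Dict[str, float]:
    """Percentage of all bytes per application, rounded to one decimal."""
    totals = bytes_by_application(flows)
    grand = sum(totals.values())
    return {app: round(100.0 * b / grand, 1) for app, b in totals.items()}


def top_talkers(flows: List[Flow], n: int = 3) -> List[Tuple[str, int]]:
    """The n sources sending the most bytes, largest first."""
    per_src: Dict[str, int] = defaultdict(int)
    for f in flows:
        per_src[f.src] += f.bytes
    return sorted(per_src.items(), key=lambda kv: kv[1], reverse=True)[:n]


def fanout_alerts(flows: List[Flow], min_peers: int = 8, min_ports: int = 3,
                  max_avg_bytes: float = 200.0) -> Dict[str, dict]:
    """Flag sources that touch many peers on many ports with very small flows.
    Thresholds are constructed; tune them against a baseline of your own traffic."""
    peers: Dict[str, set] = defaultdict(set)
    ports: Dict[str, set] = defaultdict(set)
    total: Dict[str, int] = defaultdict(int)
    count: Dict[str, int] = defaultdict(int)
    for f in flows:
        peers[f.src].add(f.dst)
        ports[f.src].add(f.dport)
        total[f.src] += f.bytes
        count[f.src] += 1
    alerts: Dict[str, dict] = {}
    for src in peers:
        avg = total[src] / count[src]
        if len(peers[src]) >= min_peers and len(ports[src]) >= min_ports and avg <= max_avg_bytes:
            alerts[src] = {"peers": len(peers[src]), "ports": len(ports[src]), "avg_bytes": avg}
    return alerts


if __name__ == "__main__":
    print("bytes by application:", bytes_by_application(SAMPLE_FLOWS))
    print("share by application:", share_by_application(SAMPLE_FLOWS))
    print("top talkers:", top_talkers(SAMPLE_FLOWS))
    print("fan-out alerts:", fanout_alerts(SAMPLE_FLOWS))
```

On the sample data RTSP, not web, is the largest consumer of bytes, which mirrors the observation in the post that the streaming protocol is where a surprising share of bandwidth goes, and the sweep host shows up in the alert dictionary even though it moves almost no data, which is the sort of thing byte-volume views alone never surface.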

August 14th, 2006

Great debate podcast : NAC v SNF

Posted by Richard Stiennon @ 10:15 am

Categories: Podcasts, Secure Network Fabric, Security, Security blog

Tags:

Here it is: the great debate over NAC, Network Admission Control, captured in a podcast. I take on two vendors and another industry analyst to tear into NAC and reveal the weak underbelly of a technology that in its practical applications is just access control. Its more fantastical elements, denying access to devices that are not healthy, are what I object to. Listen to the debate here.

August 11th, 2006

Happy Birthday Blaster. Death knell for NAC?

Posted by Richard Stiennon @ 8:44 am

Categories: Podcasts, Secure Network Fabric, Security, Security Industry News, Security blog

Tags:

I remember the events of August, 2003 very clearly. The Pentagon had called on me that July to defend my prognostications on reactive vs proactive security measures. At the showdown (chronicled here by Ellen Messmer) I remember thumping the podium and berating the vendors that were aligned against me for doing nothing to stop the impending onslaught of attacks against a recently revealed Microsoft RPC DCOM vulnerability. Sure enough, on August 11, 2003, a worm was released that wreaked havoc on the Internet and corporate networks alike.

But this outbreak was different from Code Red, Nimda, and SQL Slammer, all of which breached the corporate firewall. Blaster spread mainly over port 445, which by then was blocked by a lot of firewalls. But corporate networks became infected anyway. The culprit was infected laptops brought in by employees and contractors. (Thanks to the Securosis blog for pointing out that today is the anniversary of Blaster, and also that Microsoft’s just-released patches address a very similar vulnerability that could lead to a similar outbreak.)

How did the security industry respond to the threat from infected laptops? Cisco led the way by announcing a grandiose scheme labeled Network Admission Control. In a terrific example of design by press release they roped the major anti-virus players into announcing that their products would comply with Cisco NAC.

It has taken three years but there is finally a debate over NAC and its various interpretations. A couple of items coming out of the Black Hat conference last week question NAC on technical grounds. I, of course, have been whining about NAC for some time. My latest is a column over at CIOupdate.

Well, that column incited a response from NAC vendor StillSecure, which in turn sucked in a couple of wordsmiths (Chris Hoff of RationalSecurity blog fame, and Mike Rothman of SecurityIncite), and now we have the makings of a debate. I was feeling like the lone voice shouting into the wind until Mark Bouchard chimed in. The debate became real last night thanks to Martin McKeay of the Network Security Blog and Podcast. He corralled four of us into a joint Skype call and we took off the gloves for about 45 minutes. Martin is still cleaning up the audio file. As soon as it is available we will each be posting it in our separate forums.

Richard Stiennon is an industry consultant. See his full profile and disclosure of his industry affiliations.
