9.1 Rickety Planes
What if we flew in computers? That gives "crash" a whole new meaning, doesn't it? Well,
if we did, I am sure you would agree that we would all be dead. I would love to say
operating systems are really improving, but it isn't so. I installed XP SP2 beta, one of the
least-rickety operating systems I have worked with in a long time, on a clone of my
primary laptop a couple months ago, and it has been interesting. As soon as I submit the
remainder of my chapters for this book, I will upgrade my production box. As I write
this, the Windows update version has still not been released, and it will be very
interesting to see what breaks when the home users get upgraded. A lot of people died
in the early days of the airline industry, and as I say, if we flew in those early planes
today, most of us would be dead.
Now here is the kicker: IPS systems and intelligent switches are nothing but software
applications or ASICs that are built on these rickety operating systems. One of the
primary themes of this book is never to trust the operating system, to expect perimeter
components to fail. This book will show you techniques for failover, layering defense
components, segmenting internal networks, using instrumentation to detect anomalies,
and troubleshooting. In the early days of perimeter defense, the only choice that
information security practitioners had was to layer their perimeter software on these
rickety operating systems.

9.2 Fires in the West

For years, I was a network builder for the Department of Defense, which uses large,
high-end, fast networks. The most effective security mechanism for separation of
sensitive information was implemented with a physical solution: an airgap. If you want to
protect one network from another, just don't connect them together. Worms such as
Blaster taught us that many networks that supposedly were not connected to the
Internet actually were in one way or another, but if you audit carefully and never allow
an exception, airgaps work.
The problem with an airgap is the two networks cannot interoperate, a concept directly
in contradiction with the Internet philosophy and electronic business. The past few years
have been a bad time for the U.S. West, as rain has been minimal, with fires starting
earlier and earlier each year it seems. One of the most effective tools for managing fires
is a firebreak; it isn't as powerful as an airgap (sometimes the fire will bridge it), but
segmenting the forest into zones is a powerful technique. The information technology
analog for a firebreak is to segment the internal network. This can be done with internal
intelligent Network Intrusion Prevention Switches (NIPS), with some elbow grease using
current generation switches and applying access control to VLANs, or with low-cost
appliance-type firewalls used on the internal network. It can even be done manually
using anomaly IDS to detect switch ports heating up, which is usually a signature of a
worm, and shutting down the switch. Segmenting internal networks with "firebreaks"
allows us to have the interoperability and reduce the risk of losing all our internal
systems to a destructive worm "wildfire."
This book discusses a number of perimeter and internal network designs. Some are more
focused on security, whereas others are focused on performance. Some focus on uptime
and help you to understand how to choose these designs based on your organization's

One of the reasons that early airplanes were so dangerous is that a large number of
them were hand built. Even if the planes were built in a factory, after a couple of years,
they might as well be hand built because of the number of times they were repaired and
Can you see how similar the early airplanes are to our server and desktop operating
systems? We all agree that patching to reduce the vulnerability footprint is critical, but if
no two servers are alike, exactly how do you test the patch? Repeatable builds give an IT
shop a major increase in security just like factory-built aircraft.
So do appliance firewalls. They are factory built, plug and go. It's not guaranteed that
their OS is hardened, but you do know that the OS on the appliance is factory built,
consistent, and probably stripped of unneeded programs. These low-cost appliances are
very useful for segmenting an internal network.

9.3 Rapid Advances in Technology

Modern aircraft have wings, fly through the air, and land on the ground, and that is about
all they have in common with the first airplanes. The advances in airframe design,
materials, avionics, navigation and route selection, and airport operations make it
difficult to believe that people ever considered getting into the early airplanes.
I would love to say that modern perimeter systems are so advanced that it is
inconceivable that we ever tried to protect our systems with those early firewalls, but we
haven't made that much progress yet. However, hope prevails, and we certainly see
evidence of improvement. Perimeter defense systems have come way down in price for
any given bandwidth point; many can be upgraded by just downloading a new image.
Deep packet inspection at gigabit speed is possible right now for the well-funded
organization. Subscription models that update daily or weekly are the norm and support
an architecture of perimeter components to create hybrid systems that combine classic
perimeter defense, reporting sensors, and possibly even vulnerability assessments that
allow performing internal correlation.
This book discusses the importance of using the information collected by perimeter
devices to help defend the network. The data collected and reported by these devices
fuels the most advanced analysis capability in the world: the Internet Storm Center (ISC).
Organizations such as ISC and Internet Security Systems' X-Force are often the first
groups to detect a new worm beginning to cause trouble on the Internet. One of the
upcoming models for security is continuous reporting, or operational readiness, and this
requires sensors all over the network to constantly report in. The technology of network
security is dynamic. It's important to have constant updates to maintain security in the
face of the ever-changing threat.
It is worth mentioning that ease of use and good security might be orthogonal. If it were
as easy to get into an airplane and fly as it is to get into a car and drive, the skies would
be a dangerous place. Appliance wireless access points often aggregate all wireless and
built-in wired ports into the same broadcast domains. Possibilities for attacks exist based
on MAC address spoofing, sniffing the internal traffic from outside the plant in the
parking lot, the use of rogue, unapproved access points bought at Best Buy and plugged
into the Net, access points with a bit more power than the FTC allows being broadcast
into the internal network from the parking lot, and failures of the authentication system.
The most common reason for aircraft crashes today is poor maintenance, and we are
going to see the same thing with wireless implementations as better security technology
becomes available.

9.4 Decline in Personal Service

More has changed on the human side of the airline equation than just the name change
from stewardesses to flight attendants. First class isn't first class, and it goes downhill
from there. The airlines seem to be testing the limits to see just how much abuse people
will take, and they wonder why they occasionally deal with passenger rage. Sadly, the IT
industry has never been big on personal service. There were exceptions, back in the
glory days of Big Blue. We had a bit of trouble with an IBM mainframe, and they tossed a
squad of technicians into an airplane and dropped them by parachute into our parking
lot. Until the technicians dropped on target, vice presidents would call every 15 minutes
to apprise us of the location of the plane. Okay, I am kidding, but not by much. Those of
us in IT security should take heed. I hope you understand what your CEO is thinking
right now. He gave you money for security after 9/11 because it seemed to be the right
thing to do. You still got hit by worms. He increased ITSEC to 5% of the IT budget. You
still got hit by worms. Now you are in a meeting thinking about asking the CEO for
unplanned money to implement a NIPS or HIPS solution. I strongly suggest you invest
time in looking at your requirements, making sure that you choose the best technology
for your needs and that customer service is part of the budget request so the people
impacted by the active defense layer you are thinking about implementing will have
someone intelligent and caring to call.
Nowadays, the IT industry has two primary features: bad software and worse service.
One of the advantages of this book is that the entire author team has pragmatic
experience with most of the commercial and freeware perimeter products on the market,
including the rapidly changing personal firewall market. We can't do much to help you
with the bad software, and we never intend to bash any vendor; each has its foibles.
However, we can help you in finding ways to meet your mission goals despite the flaws in
the technology we each use. We devote an entire chapter of the book to implementing
defense components, such as personal firewalls at a host level, to help you avoid some
of the common pitfalls and know what technology is available. The latest generation of
Host Intrusion Protection Systems (HIPS), which are essentially personal firewalls with
operating system shims to trap dangerous operating system interrupts, have already
proved themselves in production and are an important and valuable layer of defense.

9.5 Continuous Inspections

One of the primary reasons the aircraft industry has been able to make gigantic leaps in
improving safety is the rigorous, complete, and continuous inspections for every
component and process related to flying. This is also the most important change that we
need to make. When I teach at the SANS Institute, a security research and education
organization, I often say, "Who reads the event logs every day?" Some hands go up. I
try to memorize their faces and catch them alone at the break. Then I ask them, "What
is in the logs? What recurring problems are there?" They usually cannot answer. This
book can help you deploy sensors and scanners. An entire chapter is devoted to intrusion
detection. Even your organization's software architecture is a security perimeter
component, as you will learn in the software architecture chapter.
If you were to ask me what the growth industry in IT was, I would answer that consoles,
sensors, and agents to collect and display information would be a strong candidate.
Computer systems change rapidly. They are analogous to the barnstormer bi-planes that
flew around county fairs. When something broke, a blacksmith, automobile mechanic, or
seamstress fabricated a new part. We can add and uninstall software in a heartbeat, but
when we do, we cannot get back to the place where we were before the change. We
need to monitor for change continuously, and until we learn how to do this and
rigorously enforce change control, flying in computers will be nearly certain death.

9.6 Defense in Depth

It is a tragedy when a single passenger plane crashes, worse when a plane full of people
goes down, and an unspeakable horror when a plane is used as a weapon of terrorism.
Today, airports are transforming into examples of defense in depth. Defense in depth is a
primary focus of this book, and the concept is quite simple: Make it harder to attack at
chokepoint after chokepoint. How many security systems or defensive layers would you
have to defeat to rush through an airport race to a waiting, fueled, long-range jet,
commandeer the plane, drive it out on the tarmac to take off, and use it as a missile?
Many are obvious, such as security checkpoints, armed National Guard troops, locked
doors, and tarmac controls. If you did manage to get the plane in the air, you would also
have to defeat fighter aircraft. It isn't impossible, but it is unlikely that you could defeat
the defense in depth that is now employed at airports.
Defense in depth is present in every chapter of this book, and it's becoming easier to
implement in information technology. High-speed programmable hardware boxes, such
as UnityOne from TippingPoint, can help protect our network borders from worm
outbreaks. Technologies we have already discussed in this preface, such as
next-generation intelligent switches and HIPS, allow us to implement multiple layers for our
perimeter and internal networks, albeit at a significant cost. No matter what role you
play in your organization, it is important to read the intrusion prevention chapter and
make sure the folks in charge of the budget know what is on the horizon. As you read
this book, you will learn how to architect your network so that it is resistant to attack. As
we evolve as an information-based society, the importance of protecting intellectual
property assets continues to rise.

9.7 Core Business Sector

In less than a century, airplanes have gone from being an oddity to being vitally
important to the economy. Information technology has done the same in less time and
continues to grow in importance. We have been more than a bit lazy. I often wonder
what the effect of a worm with the infection rate of Blaster that overwrote (not deleted,
overwrote) every location on the hard drive of an infected computer four hours after
infection would be. If the Congress of the United States did not vote on a bailout
package for the airline industry, IT should not expect one. One of the primary keys to
survival in business over the next few years will be managing the flow of information so
that resources are available when they are needed with full integrity, while the
confidentiality of proprietary and sensitive information is maintained. It is a big task, so
we had better get started.