VPNs, firewalls, and anti-virus are the big three of security. But the dirty little secret is that a lot of this software and hardware exists more to CYA than to prevent your network and data from being compromised.
I had a long talk with Pete Lindstrom, research director at Spire Security LLC, about this, and his straight-from-the-hip opinions should give all of us pause. By way of pedigree, Lindstrom was for 12 years a security auditor at Cooper and Lybrand, now PricewaterhouseCoopers LLP, and a security architect at Fortune 100 company Wyeth Pharmaceuticals.
VPNs give a company some measure of regulatory compliance comfort but they also give the enterprise a false sense of security. Bad traffic can be pumped through a VPN tunnel just as easily as good traffic can. Without decontaminating the client, the VPN’s usefulness is compromised, as Lindstrom sees it.
“If I am doing an IM session and I download a Trojan Horse, and then I do work on a VPN — poof — they (the evildoers) are through,” Lindstrom says.
Lindstrom believes that the Mydoom virus could not have spread so quickly worldwide if IT folks, who talk a good security story, were really deploying full security.
And one of the reasons he believes security does not go deep enough within the enterprise is that it requires a trade-off between functionality and security. Senior management wants sub-second response times and an unhackable network. The two directives are somewhat at odds.
Deep content inspection, even with use of network appliances, means that you are going to take a hit in performance. And as you increase the level of control over packets, especially to contain the spread of worms, you also introduce the possibility that packets will break.
Then there’s the problem with standards. Where the protocols communicate, they create uniquely addressable listening points open to attack. And, of course, standards are based on shared protocols, which the evildoers also get to share.
Microsoft products seem especially vulnerable to attack. Lindstrom believes part of the cause is the sharing of the same code bases for backward compatibility.
Is there an overarching solution to all of the weak points within applications and networks? Lindstrom has what I think is an excellent idea.
Every ISV should ship with its application a software security data sheet, not unlike the MSDS (material safety data sheet) that the chemical industry uses. On this data sheet, the vendor publishes what its application interactions are with the rest of the environment. For example, the ISV would publish what DLLs it uses, what registry settings are, what pieces of access control lists are required, what the file system looks like, etc.
Then IT has a host-based intrusion model that works off policies and rules. “A set of rules that allows you to control traffic more specifically (than a signature),” Lindstrom says.
The software security data sheet is imported, and as Lindstrom says, “it is sucked into your policy system.”
Datamonitor predicts enterprise investment on the scale of US$6 billion on firewall and VPN solutions by 2007. It might not be a bad idea to rethink how, when and where security is deployed instead of the more typical knee-jerk buy of the latest and greatest.
Schwartz is a columnist for Infoworld (U.S.). He can be reached at email@example.com.