Death of the DMZ -- Redux
My friend Steve Riley is at it again -- this time with a new twist. In a blog post over at http://blogs.technet.com/steriley/archive/2008/06/25/directly-connect-to-your-corpnet-with-ipsec-and-ipv6.aspx he describes a vision where the corpnet can be extended to any location in the world. Thus, there will be no difference between an "internal" host and an "external" host. All managed clients will be considered as part of the same security zone (corpnet), regardless of their location.
This solution depends on two core technologies:
- Universal connectivity using IPv6
- Connection security and privacy provided by IPsec
IPv6 will remove all NAT requirements and Steve says that all you need is a router configured to allow inbound UDP 500 (for IKE) and TCP protocol 50 (for ESP). That's it. No need for firewalls at the corpnet edge, since there will no longer be a corpnet, just a worldwide network of managed clients that Group Policy, Forefront Client Security and NAP will protect.
It's an attractive idea. Wouldn't it be nice to join my kitchen computer to the distributed corpnet, the one that I share with the wife and kids ? And how about my main workstation at home, that should be a member of the corpnet too. And that laptop I lug around the world, connecting it to unsecure and unmanaged networks with great abandon, that should be part of the corpnet too. Sweet!
However, there's a problem with this scenario that Steve hasn't addressed -- outbound access control and the "quality" of clients.
First, let's look at the outbound access control issue. Outbound access control has two primary goals -- to prevent users from downloading stuff that the company doesn't want on corpnet computers and to prevent users on corpnet computers from uploading stuff the company doesn't want uploaded. We might also add a third goal -- to prevent users from viewing information that could put the company at risk for any number of legitimate or illegitimate reasons (from a criminal and civil law perspective).
Steve's "network of the future" doesn't have any provisions for outbound access control. While Forefront Client Security is a great anti-malware solution, it doesn't protect against zero-day threats. And while NAP does a darned good job at preventing unhealthy clients from connecting to the network, there's more to the security game then just protecting us from known malware and unhealthy clients. Thus, without outbound access controls, you reduce the overall "quality" of the machines because they have an increased "attacker" surface, because of unrestricted access to any content using any protocol using any application.
So this first issue plays into the second problem with Steve's "network of the future" -- the "quality" of clients located on Steve's distributed corpnet. Let's look at an analogy.
A woman is in love with two men (hey, it can happen) and has decided that she wants to marry one of them so that she can settle down and have a happy life. She manages both of these men pretty well, except one of them has a long history of being a womanizer and has slept with hundreds of women in his life. However, she's sure he's given up that life to be with her. The other man has only been with one other woman in his life and has no history of womanizing.
What would you recommend to this woman? Both of these men have been "well managed" by her and she's sure that she'll be able to manage either one of them in the future. But would you say both of these men were of the same "quality" when it come to potential future risk?
Isn't the womanizer much like the off-site computer that connects to a multiplicity of networks with unknown security states? And even if the Bedouin off-site computers were only connected to secure networks, who has been working on those computers and who is really logged onto those machines? What if the off-site "corpnet" machine is in the hands of an attacker -- to what degree will that attacker be able to leverage his new found connectivity to the corpnet?
What do we do about this situation? It's clear that off-site clients are in a different security zone than the "bolted-in" corpnet clients. But then again, is there such thing as a bolted-in corpnet client anymore? Many companies are providing laptop computers to their users that they can take home, and then they can bring them back and plug them into the corporate network. Are these machines any different than the off-site distributed network "new world order" corpnet machines?
So, maybe the issue of client "quality" is moot, and the concern regarding the difference in quality, and thus different security zones for mobile and "fixed" corporate assets is more apparent than real. This still leave the issue of outbound access controls.
Steve mentions enabling the Windows Firewall with Advanced Security on the clients. While this is a great suggestion for controlling inbound access (as is the router configuration to the physical "corpnet"), it does nothing for outbound access control.
So, what is the solution? I suspect the only way we can actually solve the problem and make Steve's "network of the future" a reality is to have an ISA (actually it'll be a TMG ) firewall on every client, and enable centralized management of that firewall via a consolidated agent, such as the Firewall client, which could be wrapped into the Forefront Client Security agent. Only after having this or a similar solution, will we get close enough close to leveling the playing field enough to make the "network of the future" a truly secure, distributed corpnet.
Next time, we'll tackle the task of reperimeterization and the unmet challenges we have there.
Thomas W Shinder, M.D., MCSE
Sr. Consultant / Technical Writer
Prowess Consulting www.prowessconsulting.com
PROWESS CONSULTING documentation | integration | virtualization
Email: [email protected]
MVP - Forefront Edge Security (ISA/TMG/UAG)