Understanding Defense in Depth
If you're a regular reader of this blog, you know that I'm a major advocate of security as a defense in depth process. The most important take-home message when it comes to the concept of defense in depth is that there are no "magic bullets": no single security technology, or set of technologies, will ever make you free from security concerns once it's deployed. That will never be the case. In addition, security is a process and something that must be attended to continuously; it's not and will never be "set it and forget it". People in the physical security world know this to be true, and most computer and network security people appreciate this as well.
I recently came across an exceptional article on Defense in Depth, written by famed security strategist Kai Axford. I've had the chance to speak with Kai on a few occasions, and it's clear from speaking with him that he's one of the most level-headed, insightful and eloquent speakers on computer network security today. If you ever have a chance to listen to one of his talks, you should take advantage of that opportunity. Kai's positions are thoughtful, he rarely shoots from the hip, and he's not out to get headlines -- he's out to help you learn how to get more secure.
However, with all that said, there's one area that I'm hoping Kai will stay mindful of. If you go to his article, Understanding Defense in Depth, at http://www.microsoft.com/technet/community/columns/secmgmt/sm0608.mspx and check out the section Layer 3: Perimeter Security (Living on the Edge), you'll see that Kai mentions Microsoft's future plans for "Access Anywhere". This relates to a new technology Microsoft is working on that will make a computer's location immaterial in terms of participating in a particular Active Directory domain, so that the machine can obtain services in exactly the same way they would be available if it were directly attached to the network.
From what I understand of the "Access Anywhere" scenario, a computer can be a domain member and be centrally managed in the same way that a desktop machine bolted into the corpnet can be managed and secured. Of course, we can already do this with remote access VPN connections. The difference is that the "Access Anywhere" technology will take advantage of the fact that with IPv6, all network devices can be assigned what IPv4 refers to as a "public address" (referred to as a "Global Address" in IPv6 lingo). Since NAT devices will no longer be an issue with IPv6, there's no reason that NAT-unfriendly protocols (such as Kerberos) can't be used from anywhere on the Internet. Combine this with IPv6's integrated support for IPsec, and you can potentially extend the corpnet to anywhere in the world without the overhead of a remote access VPN.
The problem, as I see it, is that the Bedouin machine that travels to hotel networks, unsecure home networks, conference center networks, airport networks, and any other unsecure network that you can imagine isn't quite the same as a machine that is bolted into the corpnet and never leaves the premises.
A lot can happen to machines that leave the corpnet. The machine can be stolen and have spyware installed on it without the victim's knowledge. The spyware might even run in a sandbox that protects it from your corporate anti-malware software. Or the machine might be stolen and the intruder might use an offline attack, or some other method, to grab the user's credentials. Now the intruder has a fully authorized, fully managed machine to connect to the corpnet from anywhere in the world. Or perhaps the machine was connected to a network that had a zero-day worm on it. Since the machine is always connected to the corpnet, there's no lag time, such as when the user is required to establish a VPN connection to reach the corpnet. In this scenario, the compromised machine will be able to immediately "share" its compromised state with the rest of the corpnet.
The point that I'm trying to make here is that the upcoming "Direct Connect" technology (the underpinnings of the Access Anywhere scenario) should not be taken as a panacea. The security "quality" of a machine that leaves the corpnet will never be the same as that of one that never leaves the corpnet. A machine that has been promiscuous in its network connectivity will never be as "trustable" as a machine that stays within a well managed security environment.
However, it could be that this discussion is relatively moot and that we already have a similar situation running in corporate environments today. For example, several large companies (including Microsoft) give their employees laptops that they can take home and take on the road. Then they bring their "low" security quality machines back to the corpnet. This scenario is essentially the same as the external computer in the Access Anywhere scenario, except that the compromised machines are brought in to connect directly to the corpnet.
So, if there is no way around this problem, what's the solution? Reperimeterization. I've talked quite a bit about reperimeterization on this blog, and you'll see more of this talk as the "Access Anywhere" technologies come to fruition. I'll talk more about this solution in a blog post later this week. But even more important to security in an "Anywhere Access" world is Defense in Depth.
"Access Anywhere" will create changes in the concept of perimeter security, but it will also require us all to be even more mindful of the other components of Defense in Depth. Let's just say that our lives as network and security admins are looking at becoming more complex, instead of less complex, as users and business decision makers demand the convenience of true "Access Anywhere".
Thomas W Shinder, M.D.
MVP - Microsoft Firewalls (ISA)