Disappearing Boundaries to Security Governance
Author: Philippe Langlois
Two seemingly contradictory movements have recently appeared on the IT landscape. On the one hand, several major corporations are collaborating in an attempt to remove business barriers like superfluous firewalls between them. An example is the Jericho Forum, under the auspices of the UK-based Open Group. Companies such as BP, Royal Mail, and ICI bring together the latest thinking on user-driven approaches to security: radical externalization, boundaryless network security, and de-perimeterization. On the other hand, many large corporations have begun to implement strict internal partitioning and segmentation, using appliances such as InterSpect from Check Point and the NetScreen firewall product line. The main objective of this latter trend is to prevent internal worm outbreaks due to "network bouncing" from external DMZ networks to critical innermost network segments. Though they appear to be heading in different directions, these two movements actually share the same goal: refining the granularity of network zone definition in the enterprise network.
There is no external and internal, no black and white, there is only a spectrum of grays that you now must control much more tightly.
The changes in organization that characterize our current economy lead to continuous changes in network perimeter definition, firewall rules, and configuration in the large enterprise. From new services and outsourcing to joint ventures, mergers, and acquisitions, change is everywhere. Such a dynamic environment encompasses the trend to deliver Web-based application services using well-known protocols and technologies like HTTP and SSL. Access control is then established with authenticated user sessions: everyone passes through the network level via an "open" firewall, and individuals are blocked at the application level by means of authentication. This new approach to application delivery can be seen at early adopter sites such as Nike and Boeing. Indeed, Web applications can even provide core services such as SAP ERP or BMC Remedy Help Desk. The flexibility of such Web applications motivates the need and the will to open up the company to the external world. The Jericho Forum strives to encourage this trend, especially in cases where strong collaboration between different organizations is required. The radical security change here is in the kind of granularity that is needed. Traditionally, a sizable set of new network services had to be enabled for any rich client to connect to the application host within the enterprise. Now, with the explosion of thin client architectures, only Web-based application services are required, but from multiple origins and within different networks, defining a more varied set of "trust colors" or "trust zones". The "what service do I let in?" question is less important than questions like "who do I let in?", "when should this person be able to connect?", and "for how long will this rule be valid?". The other difference is that the entities allowed in for a particular access will change over time.
It is clear that the challenge for network administrators and IT security professionals has become a management problem rather than a technology problem.
Evolving Attacks
At the same time, worms and viruses are becoming more sophisticated and aggressive, propagating rapidly through the network like Code Red or, even worse, Slammer, and using several vectors of infection like NIMDA or BugBear. Recent outbreaks of internal worm propagation proved that you cannot expect one zone to be 100% trusted. And the single perimeter defense, even dual-fenced, was proven useless in this case. For example, the NIMDA worm could infect a vulnerable Web server, then from its new location on the DMZ, infect some local Windows share, and jump from host to host into the internal network. Some industry experts surmised that these worm outbreaks demonstrate the inadequacy of firewalls. Actually, these incidents only showed that firewall rules management as it is typically done is inadequate. In fact, firewalls are specifically needed in these cases and require tighter configuration to allow only what is needed for a specific service, a practice also known as "deny by default". For example, with the NIMDA worm, Web servers should only be able to receive Web requests and the necessary IP protocols (DNS requests and responses, SSH or FTP incoming connections for Web content upload, maybe ICMP "ping" for troubleshooting) and should be prevented from exchanging any other kind of traffic (including Windows shares, outgoing FTP or SSH) with any other host. Such a security rule would have prevented mass infection with NIMDA, confining the infection to the DMZ. There are reasons why basic security principles such as "defense in depth" and "deny by default" are not applied. Defining such tight security rules for each service on each firewall is tiring when done by hand, much more tiring than, say, an "allow all" rule between all internal machines. Deny by default combined with defense in depth makes firewall administration much more difficult, even when using the vendor's management client.
This process cannot be done by hand, even with a homogeneous set of firewalls, due to the number of rules that are needed to correctly achieve defense in depth. Everybody likes a "once and for all" approach; however, when aiming for tight security, you are going to allow HTTP on the Cisco border router, then once again only HTTP on the Check Point corporate firewall, then once again HTTP on the PIX DMZ firewall. This is only for the Web server, and yet learning the different configuration dialects and metaphors of each vendor can cause headaches. You'll likely have several other servers and traffic types to allow, and the "deny by default" principle will force you to reconfigure several devices each time a new service is requested by a user or offered by the company. This dynamic is not at all in contradiction with the Jericho approach, because you will still enable global access to different "grey" zones of your company, yet you will be in control of what you're letting through.
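The two previous paragraphs make one point in two halves: a Web server in the DMZ should be allowed only the handful of flows it needs (deny by default), and that same rule set then has to be expressed again in each device's dialect along the path (defense in depth). The following is an added example, not code from the article or from Solsoft: a small abstract policy model for the DMZ Web server described above, a first-match evaluator whose fall-through is "deny", and a renderer that emits the same policy as a Cisco IOS extended ACL and as iptables commands. All addresses are constructed (192.0.2.0/24 as the DMZ, 10.0.0.0/8 as the internal network, 10.1.1.53 as the resolver, 10.1.2.0/24 as the content-upload admin network); the ACL number 101 and the use of the FORWARD chain are likewise assumptions for the sake of the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    src: str             # CIDR of allowed sources
    dst: str             # CIDR of allowed destinations
    proto: str           # "tcp", "udp" or "icmp"
    port: Optional[int]  # destination port; None means "any" (used for icmp)
    action: str          # "permit" or "deny"


@dataclass(frozen=True)
class Flow:
    src: str             # single source address
    dst: str             # single destination address
    proto: str
    port: Optional[int]


# Constructed addressing for the example (assumption, not from the article).
ANY = "0.0.0.0/0"
WEB = "192.0.2.10/32"      # DMZ Web server
RESOLVER = "10.1.1.53/32"  # internal DNS resolver the Web server may query
ADMIN = "10.1.2.0/24"      # admin network allowed to upload content via SSH/FTP

# The "deny by default" policy for the Web server sketched in the NIMDA paragraph:
# inbound HTTP/HTTPS from anywhere, DNS to the resolver, SSH/FTP only from the
# admin network for content upload, ICMP for troubleshooting. Nothing else.
WEB_SERVER_POLICY: List[Rule] = [
    Rule(ANY, WEB, "tcp", 80, "permit"),
    Rule(ANY, WEB, "tcp", 443, "permit"),
    Rule(WEB, RESOLVER, "udp", 53, "permit"),
    Rule(ADMIN, WEB, "tcp", 22, "permit"),
    Rule(ADMIN, WEB, "tcp", 21, "permit"),
    Rule(ANY, WEB, "icmp", None, "permit"),
]


def matches(rule: Rule, flow: Flow) -> bool:
    return (
        ip_address(flow.src) in ip_network(rule.src)
        and ip_address(flow.dst) in ip_network(rule.dst)
        and rule.proto == flow.proto
        and (rule.port is None or rule.port == flow.port)
    )


def evaluate(policy: List[Rule], flow: Flow) -> str:
    """First matching rule wins; a flow that matches nothing is denied."""
    for rule in policy:
        if matches(rule, flow):
            return rule.action
    return "deny"


def _ios_addr(cidr: str) -> str:
    """IOS ACL address syntax: 'any', 'host A.B.C.D', or 'network wildcard'."""
    net = ip_network(cidr)
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"


def render(policy: List[Rule], dialect: str) -> List[str]:
    """Emit the same abstract policy in a device's own dialect, ending with an explicit default deny."""
    lines = []
    for r in policy:
        if dialect == "ios":
            port = f" eq {r.port}" if r.port is not None else ""
            lines.append(f"access-list 101 {r.action} {r.proto} {_ios_addr(r.src)} {_ios_addr(r.dst)}{port}")
        elif dialect == "iptables":
            src = "" if ip_network(r.src).prefixlen == 0 else f" -s {r.src}"
            port = f" --dport {r.port}" if r.port is not None else ""
            target = "ACCEPT" if r.action == "permit" else "DROP"
            lines.append(f"iptables -A FORWARD -p {r.proto}{src} -d {r.dst}{port} -j {target}")
        else:
            raise ValueError(f"unknown dialect: {dialect}")
    # The implicit deny at the end of an IOS ACL and a DROP chain policy play the same role;
    # writing it out makes the "deny by default" intent visible on every device.
    lines.append("access-list 101 deny ip any any" if dialect == "ios" else "iptables -P FORWARD DROP")
    return lines


if __name__ == "__main__":
    # A NIMDA-style hop from the compromised Web server to an internal Windows share:
    print(evaluate(WEB_SERVER_POLICY, Flow("192.0.2.10", "10.1.5.7", "tcp", 445)))  # deny
    for dialect in ("ios", "iptables"):
        print("\n".join(render(WEB_SERVER_POLICY, dialect)))
```

Because the evaluator's last line is the policy, not a rule an administrator has to remember to write, a new service request is a matter of adding one permit to the abstract list and re-rendering every device rather than editing three dialects by hand; the lateral SMB hop, outbound FTP from the Web server, and anything else not listed all fall through to "deny".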
Service Oriented Architecture (SOA) and Network Orchestration
We are also migrating toward a network organization that is increasingly comparable to organic systems or urbanism. We now speak of "urbanizing" an information system by orchestrating Web Services to achieve a particular business need. In the past you would allow incoming access from Reuters or other financial data providers through proprietary or at least specialized protocols; now you can expect to have this information delivered through .NET remoting, XML-RPC calls, or SOAP. These new standards are still being defined, and with SOAP, for example, authentication is still most of the time left to the developer as a (tough) exercise. Thus, Web Service users are often still forced to rely on source and destination IP addresses to restrict access to some services, even when an encryption layer such as SSL is used for transport. The access control granularity needed here leads to a wider variety of trust levels (or shades of grey) instead of the black/white, internal/external perimeter definition. As we've seen earlier with the "Radical Externalization" or "Global Opening" dynamics, SOA promotes a greater opening of the company's perimeter and, at the same time, requires tighter control of the network traffic and a finer definition of zones and relationships between network hosts.
As a result, network security practices are changing, but not so much on the technology side as on the management side. Of course, nowadays, firewalls have changed: they provide deep packet inspection, intrusion prevention systems, and stateful inspection. But these address specific technical problems. What we've seen earlier is that the number of security rules and the frequency of changes in your firewall configurations are increasing, driving the need for new ways to understand and manage your perimeter defense and your internal partitioning, and for new tools to organize your security policy definition. This management issue is certainly the least addressed problem of the firewall market. As companies begin to tackle the management problem, the need to deliver is so stringent that the pressure on security staff can be pretty high. Issues have to be tracked and solved in a timely manner. The organization of the IT security group is therefore changing, acting as a service to all company business units and aligning itself with the business imperatives of the enterprise. Change management, policy, help desk, and workflow systems are being integrated to automate the security process and to enable real security governance. With these changing conditions in mind, we have been working to integrate Solsoft Policy Server with help desk, event correlation engines, network management solutions, and intrusion detection systems using a Web Service API. The goal of our efforts is to facilitate a complete and affordable security governance system where customers can leverage Solsoft's policy management platform alongside existing security management solutions, including commercial products such as BMC Remedy or ArcSight TruThreat, or free open source software like Request Tracker or SNORT. Indeed, the variety of Web Services libraries makes interoperability possible with nearly any kind of IT system, including billing and request tracking systems.
Closing the loop with the needs of end-users is the only way to have a working security process and to ensure good security governance. A ticket opened by an end-user will trigger a chain of events, including firewall policy modification with Solsoft Policy Server, and will finally end up back in the help desk or ticketing system to inform the requester. Without such processes and tools, it is hard to see how network administrators can keep track of all needs and at the same time master the ever-changing configurations of new devices (be it command line languages for routers like Cisco's or graphical interfaces for firewalls such as Check Point FireWall-1). Even with the proper tools, automating security tasks by integrating existing IT management solutions within the company becomes vital to face the deadlines and the challenges of the new enterprise organization.
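The closed loop described above, and the "for how long will this rule be valid?" question raised earlier, can be made concrete with a small workflow model. What follows is an added example written for this page; it is not Solsoft Policy Server's Web Service API nor any ticketing product's, and its ticket format, validation checks (a mandatory expiry capped at 90 days, and a refusal to open Windows file-sharing ports across the DMZ boundary, per the NIMDA discussion) and addresses are all assumptions chosen for illustration. It shows a ticket being validated, turned into a time-bounded rule, written back to the ticket's history for the requester, and retired automatically when its validity ends.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Assumed governance settings (not from the article): every rule opened through a ticket
# must carry an expiry, and no ticket may open Windows file-sharing/RPC ports.
MAX_VALIDITY = timedelta(days=90)
FORBIDDEN_PORTS = {135, 137, 138, 139, 445}


@dataclass
class ChangeRequest:
    ticket: str                 # help desk ticket id (constructed)
    requester: str
    src: str                    # source network or host
    dst: str                    # destination host
    proto: str
    port: int
    valid_until: Optional[datetime]
    status: str = "open"
    history: List[str] = field(default_factory=list)   # what the requester sees in the ticket


@dataclass
class ActiveRule:
    ticket: str                 # the rule stays traceable to the request that created it
    src: str
    dst: str
    proto: str
    port: int
    valid_until: datetime


def process_request(req: ChangeRequest, policy: List[ActiveRule], now: datetime) -> str:
    """Validate the ticket, apply it to the policy, and record the outcome back on the ticket."""
    stamp = now.isoformat()
    if req.valid_until is None:
        req.status = "rejected"
        req.history.append(f"{stamp} rejected: an expiry date is required for every rule")
    elif req.valid_until > now + MAX_VALIDITY:
        req.status = "rejected"
        req.history.append(f"{stamp} rejected: validity exceeds {MAX_VALIDITY.days} days")
    elif req.port in FORBIDDEN_PORTS:
        req.status = "rejected"
        req.history.append(f"{stamp} rejected: port {req.port} may not be opened across the DMZ boundary")
    else:
        policy.append(ActiveRule(req.ticket, req.src, req.dst, req.proto, req.port, req.valid_until))
        req.status = "applied"
        req.history.append(f"{stamp} applied: {req.proto}/{req.port} {req.src} -> {req.dst}, "
                           f"expires {req.valid_until.isoformat()}")
    return req.status


def expire_rules(policy: List[ActiveRule], now: datetime) -> List[str]:
    """Retire rules whose validity has passed; returns the ticket ids to be notified."""
    expired = [r.ticket for r in policy if r.valid_until <= now]
    policy[:] = [r for r in policy if r.valid_until > now]
    return expired


def run_scenario(now: datetime) -> List[ChangeRequest]:
    """Constructed tickets: one acceptable partner HTTPS request, one open-ended, one SMB."""
    policy: List[ActiveRule] = []
    requests = [
        ChangeRequest("HD-1001", "partner-integration", "198.51.100.0/24", "192.0.2.20", "tcp", 443,
                      now + timedelta(days=30)),
        ChangeRequest("HD-1002", "dev-team", "198.51.100.0/24", "192.0.2.20", "tcp", 8080, None),
        ChangeRequest("HD-1003", "file-admin", "192.0.2.20", "10.1.5.7", "tcp", 445,
                      now + timedelta(days=7)),
    ]
    for req in requests:
        process_request(req, policy, now)
    # A scheduled job runs later than every granted expiry and closes the loop again.
    for ticket in expire_rules(policy, now + timedelta(days=31)):
        for req in requests:
            if req.ticket == ticket:
                req.status = "expired"
                req.history.append("rule retired automatically at end of validity")
    return requests


if __name__ == "__main__":
    for req in run_scenario(datetime(2024, 1, 1, tzinfo=timezone.utc)):
        print(req.ticket, req.status, *req.history, sep="\n  ")
```

The point of keeping the ticket id on the active rule is the same one the article makes about governance: every line in the firewall can be traced back to who asked for it, why, and until when, and the requester learns the outcome in the system they already use rather than by asking the security team.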
About the Author
Philippe Langlois, Senior Security Architect for Solsoft, joined the company as Security Architect in 2004. He has proven experience in network security research. He founded and led technical teams in several security companies. He founded Qualys and led the world-leading vulnerability assessment service delivered as an application service provider. He founded the computer and network security company Intrinsec in 1995, as well as Worldnet, France's first public Internet service provider, in 1993. Philippe was also lead designer for Payline, one of the first e-commerce payment gateways. He has written and translated security books and has been giving speeches on network security since 1995.