Wednesday, September 12, 2012

The Best in Practice

If we are charged with designing, architecting, implementing, deploying, integrating, training and supporting security technology, processes and policies within our organization, we might discover that this work is really an art more than a science.

Anyone can go out and purchase a solution to provide anything from firewalls to antivirus.  Once those solutions are installed we might be tempted to sit back and be overwhelmed with a sense of security, knowing we've locked out all the potential intruders.  But I would caution anyone who might feel this way, and offer additional advice on how to best practice information security in your organization.

First of all, we can never be satisfied or comfortable with any one technology.  A firewall is simply a port-blocker.  Its rules are just source, destination, port, allow or deny - whatever the combination, the firewall will either allow traffic on a port or block it.  If the port is open, a standard firewall makes no further inquiry into the traffic - it's considered trusted at that point in your infrastructure.

So if I allow inbound port 80 traffic to a web server, my firewall is basically opening the door from the Internet to my web server on that port.  All traffic is admitted - if it's knocking on the port-80 door it gets to come in, just like a visitor who knocks on my door - I just let them in.  I don't frisk them, I don't check their pockets, I don't ask them what they have in their bag or what intention they have.  I just let them walk right in.

The firewall does the exact same thing - so the traffic might be "trusted" from the firewall's perspective, however we must realize that "trusted" traffic through the firewall can also be malicious traffic.  Nothing says an attacker can't use port 80 to attack you - it happens all the time.  The point is that determining whether that traffic is malicious or not isn't the job of the standard firewall.  It is just a port-blocker - port 80 is open or closed.  That's all the firewall does.

When I give presentations to new hires at my organization, I ask them what information security is.  Many times someone will say - having a firewall.  The perception is that if you put a firewall in place, you're secure.  That's as false as saying if I put a lock on my front door, no one can break into my house.

What we must do is understand the function and purpose of our tools and solutions, understand the risks, and then fill in the blanks.  We must fully understand what a firewall is, what a firewall does and what it does not do, understand what sort of risks we are facing, then put other pieces in place to supplement that basic level of security - that front line of protection.  We might implement an Intrusion Detection/Prevention solution to inspect the "trusted" traffic coming across port 80 into our network - the firewall's job is to allow it, malicious or not.  Then the IPS tries to determine whether that "trusted" traffic is just web server traffic, or whether it shows a signature or behavior indicating a high probability that the traffic, while trusted, shouldn't be allowed.  If so, the traffic is blocked, alerted on, or both.
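As an added illustration that is not part of the original post, the toy Python pipeline below models the two layers just described: a firewall that decides on address and port alone, and an IPS that only inspects the payload of traffic the firewall has already admitted. The rules, addresses, signatures and sample requests are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: str = ""

# Firewall rules (constructed): (destination, port, action); first match wins.
FIREWALL_RULES = [
    ("10.0.0.5", 80, "allow"),  # inbound HTTP to the web server
    ("10.0.0.5", 22, "deny"),
]
DEFAULT_ACTION = "deny"

def firewall(pkt: Packet) -> str:
    """Port-blocker: decides on address and port alone, never reads the payload."""
    for dst, port, action in FIREWALL_RULES:
        if pkt.dst == dst and pkt.dport == port:
            return action
    return DEFAULT_ACTION

# IPS signatures (constructed): substrings a normal request line should not carry.
SIGNATURES = {"path-traversal": "../", "sqli-tautology": "' or 1=1"}

def ips(pkt: Packet) -> Optional[str]:
    """Content inspection of traffic the firewall has already allowed."""
    body = pkt.payload.lower()
    for name, pattern in SIGNATURES.items():
        if pattern in body:
            return name
    return None

def process(pkt: Packet) -> Tuple[str, Optional[str]]:
    """Return (firewall decision, IPS alert) so each layer's contribution is visible."""
    decision = firewall(pkt)
    if decision != "allow":
        return decision, None  # blocked traffic never reaches the IPS
    return decision, ips(pkt)

# Constructed sample traffic, not real captures.
SAMPLE = [
    Packet("203.0.113.9", "10.0.0.5", 80, "GET /index.html HTTP/1.1"),
    Packet("203.0.113.9", "10.0.0.5", 80, "GET /images/../../etc/passwd HTTP/1.1"),
    Packet("203.0.113.9", "10.0.0.5", 22, "SSH-2.0-OpenSSH_8.9"),
]
```

Running `process()` over `SAMPLE` shows the division of labor: the first request is allowed and clean, the second is "trusted" by the firewall but flagged by the IPS, and the third is denied on port alone without the IPS ever seeing it.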

Once we get this holistic view of the threats and ways to protect our organization, the practice of information security goes all the way to the endpoints.  That is, we find ways to integrate all of our solutions into one organic concept.  Like layers of an onion, I don't look at my security infrastructure as 15 different pieces.  I look at it as a whole, a complex but interacting web of layers, each of which has a purpose in the big picture.  I might be able to see a botnet from my antivirus logs, my web filter logs, my intrusion detection logs - if I have everything set up correctly, I will know about this sort of risky traffic, be able to respond in a timely manner and safely restrict or block that traffic without any disruptions.

This is sort of an introductory piece - we can go so much deeper.  However, I wanted to set the table properly - I would love comments on creative and effective ways you utilize your infrastructure to protect your organization.