Transcript secure applications

Surviving in a hostile world
 The myth of fortress applications
 Tomas Olovsson
CTO, Appgate
Professor at Goteborg University, Sweden
The view of the 90’s
 Modems are used for remote access
 The Internet is used primarily for email,
news and later also world wide web (www)
– 1994 there were 500 web servers
– 1995 there were 10,000
– 2000 there were 30,000,000
 Security?
– Private modem pools are managed and regarded as
secure enough
– A firewall is enough to protect the network from Internet
threats
– 1997: Question is what to buy: Stateful inspection firewall
or application level firewall [Rik Farrow]
Around year 2000
 Mobile devices are becoming increasingly popular
– Mobility: Computers move between networks
– virus problem
– Software: New software follow the tracks of
mobile computers
– Information: Internal information can easily be transferred
– Devices: USB disks and memories begin to see the world
 Internal security is now being addressed
– Not all devices are secure and trustworthy
– Malicious software cannot be allowed to spread freely
– Information cannot be trusted to all staff (“need to know”)
 The firewall?
– It is still probably doing its job as intended
Traditional Internal Security
Many networks lack
Firewalls
internal protection
Other are segmented
with firewalls, switches,
routers and other
equipment
Switches
Users
and
Servers
Routers
IDS
system
Users
Personal firewalls
WLAN
protect workstations
IDS systems monitor
traffic
Personal
FW
Large networks are beginning to be partitioned
Customer
support
Management
!
Accounting
Tech.department
Today – Devices
 Internal security is more important than ever
 Mobile devices are in everyone’s possession
– Devices will be moved to and from corporate networks:
Laptops, USB sticks, portable disks, phones, PDAs, …
– We should be able to check them before granting access
– Some devices should not be allowed
– Better control over internal information (authorisation,
access control)
 WLAN access exist on many places
–
–
–
–
Networks are extended outside the firewall
Traffic from the outside may not even pass the firewall…
Our users communicate – risk for wiretapping
Other users use them without our authorisation
 VoIP will be the next thing to integrate
Internal segmentation is even
more important
Firewall
Customer
support
Management
WLAN
!
!
Accounting
Tech.department
Today and communications
 The Internet has replaced modems for remote access
 All users have access to mail and www
– Companies without web servers do not exist
– Many threats to www (scripts, malicious software, etc.)
 We need to access data from other organisations
– Computers used to connect to ext. systems and share data
 Systems automatically connect to home servers
– Software updates, anti-virus, etc. (“phone home”)
 Users are located everywhere
– At home, remote offices, partners, customers, etc.
– Information must be shared – it’s a business enabler
 Applications (e.g. p2p) can be disguised as p2p app’s
– They use port 80 for “firewall friendly” access – no control
We can no longer hide behind a firewall
Home workers
Remote office
WLAN
Access
Outsourced
resources
Partners
THE COMPANY
Employees
Contractors
Suppliers
Consultants
Product
partners
Many complex solutions exist…
Users
Mobile users
with VPN
Firewall with
IPSec VPN
Internet
Push-email
system
SSL
VPN
Management dep’t.
IDS
Internal firewalls
Wireless
Network
Product
development
Servers
The problem with a Firewall-centric view
Mail
Web
VPN
Legacy
VoIP
IM
Legacy
Firewalls
Proxies
Firewall
Over time, the firewall
will have many holes
Remote access – a simple problem?
“VPN tunnel”
Firewall
Internet
Server
Server
Internal network
Remote
user
Corporate network
This is the same picture!
Firewall
Server
Server
Internal network
Internet
Remote
user
Corporate network
This is what we the firewall implements…
But once you are on the inside…
It used to be a modem…
Now we have:
• Mobile computers
• USB memories
• PDA:s
• Software
• Remote execution
• Internet access
• Remote access
• WLAN, 3G access
• www
• p2p
• VoIP
• mail, viruses
• hacking tools
• personal firewalls
• outsourced administration
• etc.
Protection must be where the assets are
Protection at the source

It does not matter how
you got to the inside!
This would be easy to implement –
provided...
 Each application server and client can protect itself
 There’s central authentication system for all users
– Applications should not have to deal with authentication
 And a distributed authorisation system
– Each project (data owner) can decide who can do what
– User roles must depend on authentication method, user’s
role, type of device, client location, time of day, etc.
 Applications are only visible to authorised users
Then:



No perimeter firewall would be needed (we would still keep it)
No difference between local access and remote access!
It would not even be necessary to have an internal network!
NAC – Network Access Control
 Goal: check the connecting device before granting
network access
– Non-accepted devices can be connected to quarantinenetworks where they can update software, etc.
– Some products may support identity-based access control
to networks
 Emerging technology initiated by many vendors:
– But with different names (McAfee, Microsoft, Symantec,
Cisco, …)
NAC – Network Access Control
 An interesting approach
– Vendor approach to solve the problem with disappearing
network boundaries
– Means that the problems mentioned here are recognised
 Requires an infrastructure on the network which
implements the protection
– Protection is enforced by the network, not the end devices
– Does not enable secure end-to-end communication with
mutual authentication
– May mean we get more point products to manage…
Network Access Control (NAC)
 NAC is complicated:
– Checks whether endpoints meet security policies and
updates configurations
– Checks for and isolates endpoints and users that have
made it onto the network and seem to be breaching
security policies
 Management is done from different platforms
depending on device and access type
– RAS policies would be enforced by a VPN gateway
– LAN user access enforced by switches and similar
equipment
– Does not offer mutual trust – just checking the
connecting device
Network Access Control (NAC)
 Forrester believes NAC is not the future
– Next version is PERM - proactive endpoint risk
management
– “Policy-based software technology that manage risk by
integrating endpoint security, access control, identity and
configuration management.”
What is de-perimeterisation?
(short version of the Jericho Forum approach)
 Move security control closer to the source – to
the end-points
 Be in total control of all users’ access rights
 Be in control of the connecting device
 Add policies that dictate how and under what
circumstances each user can access each service
 Make access ”seamless” and base it on
cooperation between applications and users and
the use of secure protocols
Move protection closer to application servers
The Jericho Forum Blueprint
 In a de-perimeterised world companies will have
more systems not connecting to “their” network,
but transacting via inherently secure protocols
 Tools: encryption, secure protocols, secure
computer systems and data-level authentication
 User access can be granted based on his/her
identity, authentication strength, location, time,
type of device, etc.
Drivers: Cost, flexibility,
faster working
Full de-perimeterised working
Connectivity
Drivers: B2B & B2C
integration, flexibility, M&A
Full Internet-based
Collaboration
Consumerisation
[Cheap IP based devices]
Drivers: Low cost and
feature rich devices
Limited Internet-based
Collaboration
Drivers: Outsourcing and
off-shoring
Today
External Working
VPN based
External collaboration
[Private connections]
Effective breakdown of
perimeter
Internet Connectivity
Web, e-Mail, Telnet, FTP
Connectivity for
Internet e-Mail
Connected LANs
interoperating protocols
Local Area Networks
Islands by technology
Stand-alone Computing
[Mainframe, Mini, PC’s]
Time