This week’s editorial is sure to cause a firestorm with some in the security community. I’m sure my credibility will be attacked from all sides and I’ll be shunned by at least half the “experts” forevermore – because I’m about to question two sacred cows:
1) that there is no longer such a thing as a perimeter in network security, and
2) that “security through obscurity” is practiced only by idiots.
After spending the last week surrounded by other security professionals and hearing those two mantras repeated over and over, I decided it’s time for someone to offer a challenge. Unfortunately, security people seem to have latched onto these two ideas with absolute certainty.
First, let’s take a look at the new idea that somehow security perimeters have ceased to exist. This grew out of the very entertaining “Death of the DMZ” presentation introduced by Steve Riley of Microsoft a couple of years back. The point seemed to be that network boundaries are becoming less defined because of remote access, VPN, wireless access points, etc. And that was a good point – but it’s also a complex issue that has been reduced by many of Steve’s disciples to the simplistic chant that “there are no perimeters.”
That’s like saying that because more people now live in apartments and condos than on 100 acre walled estates, there are no physical perimeters anymore. Of course there are perimeters – in fact, there are now multiple perimeters. In some cases the boundaries have moved inward; just as you may now have control only over the space within your walls instead of all that acreage surrounding you, you now need to put more focus on protecting the host (individual computer) than you might have back when the internal network was more clearly separated from the Internet outside.
But the new model doesn’t mean that outer boundaries are gone completely. As the threat level has increases (both for networks and neighborhoods), we should be looking at more perimeter protection, not less. The fact that apartment and condo buildings must let many people into the common areas doesn’t mean they have to let everybody in. Gated communities use access controlled fences to keep out the casual wanderer. Are those controls perfect? Of course not – a determined intruder can sneak in on the coattails of an authorized resident or find out the key code through social engineering or even blow up the gate. But that doesn’t mean the perimeter controls are useless.
And neither are firewalls, DMZ networks and other protective mechanisms at the network edge useless just because they don’t, by themselves, completely protect the host computers inside. The “no perimeters” proponents seem to believe that any security mechanism that doesn’t provide 100% protection is worthless. The fact is that no security is ever 100% effective. If it were, legitimate users wouldn’t be able to get access to the resources they need.
This doesn’t mean we should just throw up our hands and give up on perimeter protection altogether. Instead, we need to recognize the importance of multi- layered, multi-level security strategies. We can’t expect the firewall at the network edge to create a LAN that’s totally safe any more than we should expect that living in a gated community means we don’t need to lock the doors of our individual homes. The edge firewall (and the gate) will keep out certain types of threats. Others, not so much. You still need to use mechanisms such as IP security, file level permissions, disk encryption, file encryption, Group Policy, wireless encryption and so forth to address all the perimeters present on today’s network.
Should you rely on perimeter protection for all your security? Of course not, just as you don’t rely on a locked fence to protect your valuables, but also put them inside a locked safe that’s inside a locked house that has a big, mean dog in the yard. But it’s silly to throw away one of the layers of your security plan just because it won’t do it all.
That brings us to our second topic: security through obscurity. This much maligned practice is mentioned in tones of contempt. It’s popularly considered to be not just worthless, but downright evil.
Of course, most of those who proclaim that only an idiot would practice security through obscurity are the same folks who’ll argue that it makes sense to use Linux or Mac, or to use “any browser but Microsoft’s” since it makes you a smaller target for the hackers. Isn’t that a form of STO? And if you truly believe obscurity plays no part at all in security, why don’t you flash your roll of cash when you’re out on the town? Why do you hide your expensive jewelry away in the bedroom instead of leaving it on the coffee table when you have a party? Why do you put valuables under the car seat or in the glove compartment if you have to leave them in the car, instead of leaving them out in plain sight to passersby?
In fact, such a fundamental security practice as keeping your password secret is a form of obscurity. The only thing that keeps an intruder from using it to log onto the network with your account is the fact that you’ve obscured it by making it long and hard to guess and not telling it to everybody.
If you say obscurity is a relatively weak form of security, I won’t argue with you. But to say it should be used in conjunction with other, stronger technological security mechanisms to increase the overall level of security makes no sense at all. As any police crime prevention officer will tell you, the real purpose of security measures is to make it more difficult for an intruder to get in. Everything that slows him down makes it more likely that he will give up and move on to a house (or network, or computer) that’s less protected, that he can get into more quickly and easily. By putting obstacle after obstacle in his way, you build security for the items you want to protect most – whether that’s your diamond necklaces or your sensitive files – one piece at a time.
What do you think?
Is protecting the perimeter hopeless so you might as well not even try?
Is obscurity useless so you might as well advertise your sensitive information in flashing lights?
Or do security specialists who advocate such theories do a disservice to those they’re supposed to be helping protect?
Let me know your thoughts.