Herb Caen once said "There are more of them than us."... Sure seems to be a lot of identities stolen online... Wonder how many of them actually turn into real world theft?... Never seem to hear much about that part of the problem... Could it be that there is just more coverage, rather than an apocalyptic problem?
Great show on WTMD, called Clear Reception, hosted by Sheri Parks... She recently had on Andrew Bird, who has a new album out... It's called "The Mysterious Production of Eggs"... Many tie-ins to security... There is a security fad that comes along every few years... The latest version is called "deperimeterisation" as put forth by the Jericho Forum... The idea being that since so many things cross enterprise perimeters (like laptops), what the heck - off with the perimeter's head!... Sort of like storing eggs without their shells - it gets a bit messy... All those services sitting exposed to the perils of the Internet... The SANS Internet Storm Center puts your survival time in that state at about 27 minutes... Seems to me there is much need today for stronger and more efficient perimeters...
Top song of the album is "Fake Palindromes"... Bird's lyrics are really long and aren't really palindromes - but they are too long for most people to check whether they are or not... Sort of like public key cryptography... Maybe you could figure out which really large prime numbers were used to create the keys... But it would take forever to do so - you'd have to be immortal... Which brings us back to another Herb Caen quote: "The only thing wrong with immortality is it tends to go on forever."...
Added bonus Caen quote: "Cockroaches and socialites are the only things that can stay up all night and eat anything."
* * *
Seems like you're being hard on the Jericho Forum folks.
It is not just about laptops cruising in and out of the perimeter... We have VPNs with remote PCs on unknown networks, site-to-site VPNs with networks of questionable perimeter security (connected to who and how knows what), SSL VPNs that are really tunneling network traffic, web services that run a variety of protocols including method-bearing payloads, other RPC connections (OWA and Sharepoint), unsanctioned remote access by heavily advertised products like GoToMyPC, Instant Messaging that can also do other neat tricks like desktop sharing, and WebEx for sanctioned desktop sharing. Certainly most spyware is stupid and pathetic and easily stopped from phoning home - but what about something that is clever enough to honor any IE proxies and tunnel in HTTPS? And SSH is handy for some very cool tricks.
Seems to me like the economics of deperimeterization has already laid the issue to rest.
Posted by: Stuart Berman | 18 April 2005 at 10:48 PM
All those issues are being dealt with already and have been for several years. Scan and block was an early method, used by Sygate and Zone Labs and InfoExpress. Whole Security took it a few steps further, then Cisco came out with Cisco Network Admissions Control and Microsoft with Microsoft Network Access Protection.
In the wireless LAN world, the 802.1x standard advanced, with the underpinnings of how to do standard security checking upon connection to the network.
Then the Trusted Computing Group formed the Trusted Network Connect group and they have put together some draft standards to be the open standards counterpart to Cisco's proprietary CNAC and Microsoft's proprietary MNAP. Then, last October MSFT and Cisco said they were working together to rationalize their two proprietary approaches onto a standard approach - we'll see about that one.
But the bottom line is that this has all been going on before and during when the Jericho Forum was talking about "de-perimeterisation". So, I may be being too harsh on their goals, but the term is silly. All the efforts I discussed above aren't saying "no more perimeter, let's depend on the endpoints to do their own security" - they are saying "what standard mechanisms can we use to judge the security of an endpoint to determine what, if any, access we give it to our network." Not so cute a title, but much more effective in the real world.
Posted by: Sec Nerd | 19 April 2005 at 05:48 AM
"Added bonus" was one of my father's favorite tautologies. At least you did not say "Extra added bonus". :-)
Posted by: Stiennon | 22 April 2005 at 02:45 PM