filtering


Network segments

An administrator tasked with building a mobile platform that is not only reasonably secure itself, but also keeps internal resources safe from it, may well be scratching their head. Smaller organizations also have restricted budgets that prevent them from buying high-end security products to handle this. Larger organizations often turn to solutions like Microsoft NAP to verify the integrity of clients entering the network, but in my opinion that kind of solution is fundamentally flawed.

NAP (as an example) only verifies that a client fulfils certain requirements, such as up-to-date antivirus signatures, a full set of patches and other (known) criteria.

So what? What does that say about the integrity of a machine? If a machine is infected or compromised in any way, it is because the existing protection measures obviously did not work. The network is still at risk from that client, and that is not going to change just because the machine is compliant with a policy based on verifying known factors.

Keep in mind that the amount of malware now hitting virus labs all over the world is approaching 35 million samples per year, and keeping signatures and heuristics fit to tackle that problem is a hard job. Some would even argue that it is impossible (although I would not; we are getting closer). Security simply cannot be measured in patch levels and signature file dates anymore.

So what can you do about the threat posed by mobile workstations, USB sticks, PDAs, phones and other mobile devices?

I’ve thought about this for a while and came to a pretty simple conclusion:

Just assume they’re all compromised, and design your service and security architecture based on that assumption.

Internal networks are often considered secure, or at least semi-secure, environments in which people are authorized to use certain applications and access certain data in a way that assumes the clients are not compromised.

In this kind of environment a worm outbreak often has a severe impact, as it can spread quickly throughout the network. Attacks often become more serious than they need to be because restrictions, if any, are very loose and are often modified to suit “ease of use” rather than security.

And why shouldn’t they be loose, the clients are secure, right?

The idea I’m trying to find practical tools for is to consider all network segments as compromised except the one(s) actually holding the data that you need to keep secure.

In this model you could, for practical reasons, keep the perimeter around the internal network and other segments, and one might even do some, or even extensive, content filtering of network traffic at that point. From a data security perspective, though, this network should still be considered compromised, as there is no real way to ensure its integrity.

The only part of the network to focus your security measures on would be the “data storage and application serving” part. How you do this is a practical matter, but you should avoid removing any data from that environment. One could, for example, serve data to users in the local network through terminal services and/or more secure solutions such as Appgate SS. Web-based (internal) versions of CRMs and similar applications might be another option.

You should still do encryption, antivirus, firewalling and possibly DLP on the clients, but that is secondary as long as your application and data access structure is built securely. VPN connections from the outside world (the Internet etc.) would of course terminate in the local network and be subject to the same filtering as other devices in it. Perhaps the applications available to remote clients should be restricted further still.
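What the filtering between the “compromised” client segments and the data segment could look like, as an added example that is not from the original post: an nftables ruleset for a firewall sitting between the client LAN, the VPN pool and the data segment. The addresses, the two front-end hosts and the choice of HTTPS and RDP as the only published services are assumptions made for the example; the point is the default-drop policy, the fact that VPN clients get exactly the same treatment as local clients, and that nothing in the data segment may initiate connections back toward clients.

```nft
#!/usr/sbin/nft -f
# Added example, not the post's own configuration. Assumed layout:
#   10.10.0.0/16  client LAN   (treated as compromised)
#   10.20.0.0/24  VPN pool     (remote clients, terminated on the client side)
#   10.30.0.0/24  data/application segment (the only segment we defend)
#   10.30.0.10    web front end (internal web apps, HTTPS)
#   10.30.0.20    terminal server (RDP)

flush ruleset

table inet segments {
    # Local and VPN clients are one zone: both are untrusted.
    set clients {
        type ipv4_addr
        flags interval
        elements = { 10.10.0.0/16, 10.20.0.0/24 }
    }

    set data_servers {
        type ipv4_addr
        flags interval
        elements = { 10.30.0.0/24 }
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # The "ease of use" rule this post argues against would look like this
        # and would let a compromised client reach every port on every server:
        #   ip saddr @clients ip daddr @data_servers accept

        # Instead, clients reach the data segment only through the published
        # front ends: the web front end (HTTPS) and the terminal server (RDP).
        ip saddr @clients ip daddr 10.30.0.10 tcp dport 443 accept
        ip saddr @clients ip daddr 10.30.0.20 tcp dport 3389 accept

        # Everything else from the client zone is logged and dropped:
        # no file shares, no direct database access, no management ports.
        ip saddr @clients ip daddr @data_servers log prefix "client->data drop: " drop

        # Nothing in the data segment initiates connections toward clients,
        # so data cannot be pushed (or pulled by a worm) out of the segment.
        ip saddr @data_servers ip daddr @clients log prefix "data->client drop: " drop
    }
}
```

Load it with `nft -f segments.nft` on the firewall. Because the VPN pool is simply a member of the `clients` set, remote users inherit the same restrictions as local ones; tightening remote access further, as suggested above, is a matter of splitting the VPN pool into its own set with a smaller list of allowed front ends.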

I’m not exactly clear on the details yet, but I’m getting there. An increasingly mobile world needs security measures adapted to that situation, not ones stuck in the old world of stationary devices locked into a specific part of the network(s).

Many organizations already do things like this, but often in a limited manner and without the same philosophy in mind: for example, shielding servers in one network from the clients while allowing a subset of them access to certain places. Those with access are considered trusted, and the data is still spread between servers and clients.

What I’m getting at is that people should try to make their own application and data serving work like online, “cloud-based” services such as Google Docs and SalesForce, instead of running applications and handling data locally. Sure, they could use those actual products, but then they lack control over their data, and for some that is just as bad.

Client machines are not to be trusted, and that is important to remember.

I’ll post more on this, and try to give some practical suggestions, when I’ve wrapped my head around it a bit more…


Australia
Photo: mugley on Flickr.

For those who don’t know this already, Australia is one of the countries that are actively filtering and censoring the Internet. They are doing this to “protect” their citizens from the big bad wolves that reside in the Internet tubes, without giving their citizens’ liberty even a second glance.

Read this on the Australian security firm Sûnnet Beskerming’s blog:

“In the lead up to last year’s national election in Australia there were a range of promises made by the incumbent government, under the name NetAlert, which was reported to be for a range of projects including Internet blocking software at the user end, tracking down online predators, and filtering of traffic on the network.

It seems that the new government has now taken the proposals one step further, moving to enforce the legislation that they pushed through at the start of this year. At the time of the NetAlert announcements, the opposition (now the government) were seen to be tacitly approving of the initial presentation and the Labor party had previously been ridiculed over their approaches to, and ideas of, online censorship.

Although the Federal Government has promised to listen to “the best advice”, it seems that they are only listening to the advice that validates and otherwise affirms their approach to online censorship.”

[...]

“There can be no other way to put it other than to suggest that these efforts are being pushed through out of an ignorance of the structure and nature of the Internet, even when accurate information is readily available.”

It’s really frightening to see how fast things can go bad. So far we have not seen this kind of lunacy here in Sweden, but it feels like we’re getting there.

The Internet’s content is not to be controlled by any single institution or governing organization, as the whole idea of it is then lost. The Internet should be a free, unbiased space for information of all kinds from all sources. Sure, some of it will be hostile, but that is no reason to filter it.

Don’t the Australian politicians relate what they’re doing to what dictatorships do? Can’t they see that they’re heading down a very dangerous path by restricting free speech? Besides this being an anti-democratic thing, remember that a society that closes in on itself and censors its citizens can never evolve at the same speed as the world around it, and therefore the country will suffer both economically and culturally.

The Internet was born free and should remain that way. If we can’t keep it that way, then the whole idea behind it is dead and it’s time to form a new network.

Are you with me?
