ietf-mxcomp

RE: Perimeter security (was: MBONE access?)

2004-03-04 08:35:45


> Perimeter security is brittle, inflexible, complex security. You have to have
> an understanding of the semantics of an application at the perimeter to check
> whether the operation is allowed - which is bad in so many ways I don't feel
> like listing them all.

It is only useful in my view if you have a human expert monitoring
the firewall 24x365. That is what we do as a managed service. But
you also need all the intrusion detection, patch management etc.

I would like to go deeper into the corporate nets, but the customers
rarely let this happen.

> Generalize to all security problems caused by bugs in applications. And there
> are lots and lots and lots of lines of code to find bugs in.... Yes, the bad
> guys aren't using that technique at the moment - because they don't have to.
> When the easier holes get plugged, they will.)

In a conventional installation there are twin firewalls, and the mail server,
along with all the other external services, is situated in the DMZ in between.

It is not proof perfect of course; people keep knocking holes in the perimeter,
and don't get me started on viruses. But we can usually detect when a machine
on the internal network has been zombified and shut it down.

To make it work well you need to have network wide information.
We combine information from all our NOCs and SOCs so that we can
be pro-active.

The firewall by itself does not provide much value.

> The CS community *was* on the right track for the real solution - about
> thirty years ago, with Multics' AIM boxes. We made a bad mistake when we saw
> workstations as "personal machines, so we don't need any of that security
> stuff".

I would like to put protocol enforcement modules into hubs. I like the idea
of separating network security into a different device from the workstation;
it gives a much more secure trusted computing base.


> As soon as you connect your "personal" machine up to a network, and start
> interacting in any but the most basic ways, it's not "personal" any more.
> Hell, we should have learned that lesson from floppy viruses.

Yep, it is really funny hearing the Mac guys smugly saying that there are no
viruses on Mac...

> And don't get me started on the ignorance/cupidity/stupidity/arrogance/etc.
> of certain software companies who distributed applications which basically
> downloaded arbitrary chunks of code from the network and ran it...

Hey, they were signed chunks of code!

Actually, the problems we have had from ActiveX and Java are considerably
less than from JavaScript and, worst of all, click-to-execute malicious
code in email.

If you are going to launch applications, Windows had all the machinery
built in from day one to do it safely: you create a subprocess and remove
the privileges necessary to attack the host machine.

And just why do we allow untrusted code to modify the O/S boot path?


The spammers are not sending out viruses; they are blasting out spam that
contains a trojan. No need to bother reading address books any more!


                Phill
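The privilege-dropped subprocess the message describes, as an added example that is not part of the original post or thread. The message refers to the Win32 mechanism (a restricted token from CreateRestrictedToken handed to CreateProcessAsUser); this shows the POSIX/Linux analogue in Python: fork, strip what the child may do, then exec the untrusted program. The limit values, the `nobody` account and all function names are assumptions made for the demo.

```python
"""Run untrusted code in a subprocess that has been stripped of the privileges
it would need to attack the host.

Added example, not code from the ietf-mxcomp thread. The message refers to the
Win32 way (CreateRestrictedToken, then CreateProcessAsUser with that token);
this is the POSIX/Linux analogue: fork, drop privileges in the child, exec.
Limits, the 'nobody' account and all function names are demo assumptions.
"""
import ctypes
import os
import pwd
import resource
import subprocess
import sys
import tempfile

ON_LINUX = sys.platform.startswith("linux")

# Demo policy (assumptions): what the untrusted child is allowed to consume.
MAX_FILE_BYTES = 0             # may not create or extend any regular file
MAX_ADDRESS_SPACE = 512 << 20  # 512 MiB of virtual memory
MAX_CPU_SECONDS = 5
UNPRIVILEGED_USER = "nobody"   # only used when the parent runs as root

_PR_SET_NO_NEW_PRIVS = 38      # value from <linux/prctl.h>
_libc = ctypes.CDLL(None, use_errno=True) if ON_LINUX else None
if ON_LINUX:
    _libc.prctl.argtypes = [ctypes.c_int] + [ctypes.c_ulong] * 4
    _libc.prctl.restype = ctypes.c_int


def _cap(kind: int, value: int) -> None:
    """Set soft and hard limit to `value`, never above the current hard limit
    (an unprivileged process cannot raise a hard limit)."""
    _soft, hard = resource.getrlimit(kind)
    if hard != resource.RLIM_INFINITY:
        value = min(value, hard)
    resource.setrlimit(kind, (value, value))


def drop_privileges() -> None:
    """Runs in the child between fork() and exec(). Whatever is still enabled
    after this function is what the untrusted program gets."""
    # Hard limits: the child cannot raise them again. RLIMIT_FSIZE applies to
    # regular files only, so the child can still talk to us over its pipes.
    _cap(resource.RLIMIT_FSIZE, MAX_FILE_BYTES)
    _cap(resource.RLIMIT_AS, MAX_ADDRESS_SPACE)
    _cap(resource.RLIMIT_CPU, MAX_CPU_SECONDS)
    _cap(resource.RLIMIT_CORE, 0)           # no core dump of its memory

    # If the parent is root, become an ordinary user. Order matters: after
    # setuid() the process could no longer change its groups or gid.
    if os.geteuid() == 0:
        pw = pwd.getpwnam(UNPRIVILEGED_USER)
        os.setgroups([])
        os.setgid(pw.pw_gid)
        os.setuid(pw.pw_uid)

    # Linux: no_new_privs stops the child regaining privilege through setuid
    # or file-capability binaries; the bit is inherited by everything it spawns.
    if ON_LINUX and _libc.prctl(_PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0:
        err = ctypes.get_errno()
        raise OSError(err, "prctl(PR_SET_NO_NEW_PRIVS): " + os.strerror(err))


def run_restricted(argv: list, timeout: float = 30) -> subprocess.CompletedProcess:
    """Spawn argv with drop_privileges() applied in the child before exec."""
    return subprocess.run(argv, preexec_fn=drop_privileges, capture_output=True,
                          text=True, timeout=timeout, check=False)


def child_exit_status(code: int) -> int:
    """The restriction must not break ordinary execution: exit codes pass through."""
    return run_restricted(["sh", "-c", f"exit {code}"]).returncode


def child_can_create_file() -> bool:
    """True if a restricted child manages to write a byte into a fresh file.
    With RLIMIT_FSIZE=0 the write is refused: SIGXFSZ kills the shell, or the
    write fails with EFBIG if the signal is ignored. Either way the file stays empty."""
    with tempfile.TemporaryDirectory() as workdir:
        target = os.path.join(workdir, "escape.txt")
        run_restricted(["sh", "-c", f"printf x > '{target}'"])
        return os.path.exists(target) and os.path.getsize(target) > 0


def child_has_no_new_privs() -> bool:
    """Linux only: the kernel reports the bit in /proc/self/status."""
    proc = run_restricted(["sh", "-c",
                           "grep -q '^NoNewPrivs:[[:space:]]*1' /proc/self/status"])
    return proc.returncode == 0


if __name__ == "__main__":
    print("exit status passes through:", child_exit_status(3) == 3)
    print("child could create a file:", child_can_create_file())
    if ON_LINUX:
        print("child has no_new_privs:", child_has_no_new_privs())
```

The point of doing the stripping in the child rather than the parent is the same as with a restricted token on Windows: the parent keeps its full rights, and only the process that is about to run the downloaded code is weakened. On Windows the equivalent of the rlimits would be a Job Object (SetInformationJobObject) attached to the restricted process.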


RE: Perimeter security (was: MBONE access?), Hallam-Baker, Phillip