Radovan Semančík's Weblog

Tuesday, 30 May 2006

In the last posts I've written [1] [2] about inherent security problems of current information technologies. Today I want to write about possible solutions.

To make the long story short (a.k.a. "Management Summary"), I can see no short-term solution at all. If we work really hard, we can have at least some security in the first half of next decade. But I really doubt that.

And now the full story:

Perimeter security does not work. Firewalls are not effective. And I believe that they cannot be made effective and practical at the same time. We should not rely on firewalls for providing host security. Hosts should be secure on their own. Especially mobile hosts, because these cannot count on firewalls protecting them. We should re-engineer operating systems to build security into their network layers.

Workstations are insecure. Anyone can do anything. Any process can ruin system security. This has to change. Operating systems should not be designed to "just work"; they have to support non-functional requirements as well, such as security and reliability. Some features of multi-level secure systems should also be implemented in conventional operating systems. Well, it may be a little bit difficult to figure out which features to migrate and how to implement them so that they are usable. But I believe we can figure it out. Sooner or later. Probably later than sooner.

Windows Vista may be heading in the right direction (*). And it looks like Microsoft is quite alone in the effort. But I'm not naive enough to believe that security can be done right anytime soon. It will take a lot of thinking, designing and testing. And that testing will be done on real customers, I suppose, like you and me. I think that the first release of Windows Vista will not be much more secure than the current operating systems. Because for the system to be secure, everything must change. The approach, the technology, the people. And that will take a long time.

I would not expect that we will see any widespread secure operating system until 2010. 2015 or even 2020 are more probable. But at that time, the low-level software that runs on computing devices may not even be called "operating system" anymore.

(*) It's really ridiculous that such a strong opponent of the Microsoft approach as myself states that Microsoft is doing something that is heading in the right direction. Well, I would gladly admit that I was all wrong, and that Microsoft is really a great technological company. But I have a strange feeling that somehow things are not all that ideal. Time will tell.

Posted by semancik at 10:48 PM in security
Friday, 19 May 2006

I estimate that at least 95% of all workstations used in home and enterprise environments are insecure. I do not mean insecure like "there's a hole in the OS". I mean insecure as "not designed to be secure".

Consider a common Windows XP workstation. How difficult is it to infect it with a virus? A teenage kid can do that. How difficult is it to steal data from a PC that is left unattended? Usually as easy as "reboot and insert USB key". How difficult is it to steal a user's password? As easy as "install a keylogger" (use a virus, if necessary).

Attacking the workstation is the easiest way to get what you want. The workstations are the second weakest part of any system (the weakest part is that thing that usually occupies the space between the chair and the keyboard). Current workstations were designed for usability, not for security. Any application can write to the entire screen. We need that, because we want full-screen games and screensavers. Any application can read the keyboard. We need that, as we want all the fancy pop-up thingies and devious keyboard shortcuts. Most of the applications can read and write anywhere on the filesystem. We need that because we want to make software installation and maintenance as easy as possible. That means that any application can do almost anything. Mix that with ineffective network security and the low quality of standard software products ... what do you get? A disaster in waiting.

That's scary. And the most dreadful thing is that some people try to build "secure" systems in this environment. They venture to make legally-binding digital signatures on such platforms. They store classified information. They process personal data in large quantities. And they have the nerve (or ignorance?) to call these systems "secure".

This is the last entry from the "all sucks" series. I promise. I will write more about possible solutions next time.

Posted by semancik at 5:48 PM in security
Thursday, 18 May 2006

To have a "Perimeter Security" you need two things: a perimeter and a security.

Let's think about the "security" part of perimeter security first. The most common device to use there is a firewall. Firewall. A word much abused nowadays. Seven years ago I wrote a paper (sorry, Slovak language only) providing an overview and evaluation of network security mechanisms. I tried to make a clean distinction between "application-level gateways" and "packet filters" there, and especially between their ability to see and understand network protocols. All of these different shades of gray are called "firewalls" now. The security industry evolved towards ease of use, not towards security. And nobody really seems to care much about the distinction anymore.

Back at the InfoSeCon conference, Marcus Ranum had an excellent presentation about firewalls. He presented the reasons why today's firewalls do not work. I can agree with him completely. Current firewalls do not enforce protocol correctness. Yes, they understand some of the protocols (like FTP or HTTP), but that is primarily to let them pass, not to restrict them. Yes, the firewalls can do URL filtering, antivirus and so on ... but those are "enumerating badness" approaches that do not really scale. Firewalls are designed to pass traffic, not to block traffic. That's not quite the right approach for a security device, is it? One way or another, there's no considerable security in a firewall any more.

Let's look at the "perimeter" part of perimeter security now. We are at the beginning of the age of mobility. It is a common thing to work at home, to read your mail anywhere, to browse the Internet using a mobile phone. In a world like this, can you tell where your perimeter is? Does it only cover the network equipment you own? Does it include all the portable computers that your employees use at home? Does it include your CEO's notebook connected to some strange ISP in a hotel room somewhere near the end of the world? Does it include a WiFi network created by the misconfigured PC of one of your employees? Does it include mobile phones? And what about fridges, TV sets and toasters? ... Only one thing about the network perimeter seems to be certain: it does not follow the edge of your network.

Now we can see that we do not have security. We do not have a perimeter either. Do we have perimeter security?

Disclaimer: I'm not trying to tell you to scrap your firewall as an unneeded piece of old junk. The firewalls are still needed to maintain a minimal level of protection at the very least. I'm just trying to tell you that the protection that the perimeter security approach provides is just that: minimal.

Posted by semancik at 7:40 PM in security
Tuesday, 16 May 2006

It does not work. More exactly: the deployment of a single, unified directory system for identity management purposes in a medium-to-large sized enterprise environment is infeasible. At least in the next few years.

I've seen too many failed attempts to implement a single directory system. I can understand the motivations, though. I can see the clean architectural intention to "clean up" the data stores and unite them in one place. That is usually a good thing to do inside a system. But not necessarily across different systems.

The most severe problem here is the inconsistency of the data:

  • Inconsistency of identifiers. One system expects user identifiers based on employee numbers ("nl123456"), another application expects surname-based IDs ("semancik") and yet another application has freeform identifiers ("rse"). In theory you can store all of the IDs in one directory record. The "uid" attribute is multi-valued, no problem. But only a few applications support that in practice.
  • Inconsistency of access control. One application makes access control decisions based on LDAP groups. Another uses roles native to Sun Directory Server. And most applications do not really care and base access control decisions on their own proprietary attributes.
  • Inconsistency in object structure. Different applications have different ideas of how the object should look. Each application is likely to define its own structural object class for the data. There may be only one structural object class per entry. Well, now we have to re-engineer the LDAP schema to use auxiliary object classes. While there should be no difference for the application, some applications will not run. The rest may run, but the vendors may claim that the warranty and/or support agreement was broken and that they will not provide support, or will support that setup only if they are "motivated" by an astronomical support fee.
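
As an added example (not code from the original post), here is a small Python checker for the "one structural object class per entry" rule described above, run over two constructed LDIF entries. The mini-schema, the hypothetical hrPerson/hrData application classes and the entries themselves are assumptions made for the example.

```python
# Added example, not from the original post: check LDAP entries for more than one
# structural object-class chain, the schema clash the list above describes.
SCHEMA = {  # class -> (kind, superior); constructed mini-schema
    "top": ("abstract", None),
    "organizationalperson": ("structural", "top"),  # simplified: real chain goes via person
    "inetorgperson": ("structural", "organizationalperson"),
    "posixaccount": ("auxiliary", "top"),
    "hrperson": ("structural", "top"),  # hypothetical: HR application's own class
    "hrdata": ("auxiliary", "top"),     # hypothetical: same data recast as auxiliary
}

def parse_ldif(text):
    """Minimal LDIF parser (no line folding, no base64): attr -> [values], attrs lowercased."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def structural_leaves(entry):
    """Distinct structural class chains the entry claims; LDAP allows exactly one."""
    ocs = {o.lower() for o in entry.get("objectclass", [])}
    chain = lambda oc: [] if oc is None else [oc] + chain(SCHEMA[oc][1])
    structural = {o for o in ocs if SCHEMA[o][0] == "structural"}
    return sorted(o for o in structural if not any(o in chain(p) for p in structural - {o}))

def check_entry(entry):
    """Return a list of problems; an empty list means the entry is schema-consistent."""
    leaves = structural_leaves(entry)
    return [] if len(leaves) == 1 else [f"{len(leaves)} structural chains: {leaves}"]

# Constructed entries: the HR application's structural class collides with inetOrgPerson;
# recasting it as an auxiliary class and keeping every application's ID in uid fixes it.
BAD = """dn: uid=nl123456,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: hrPerson
uid: nl123456
"""
GOOD = """dn: uid=nl123456,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: hrData
uid: nl123456
uid: semancik
uid: rse
"""
```

Running check_entry over parse_ldif(BAD)[0] reports two structural chains, while the GOOD entry passes and carries all three identifiers in its multi-valued uid.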

There are also other issues to consider:

  • A directory server is not an authentication server. While the directory system can validate a user's password, it should not be considered an authentication service. The features of a directory server are very limited in this area, usually limited to what SASL can provide. The correct approach would be to deploy an authentication server that stores its data in the directory server. And use the directory server only for the purpose it was designed for: a database.
  • A directory server is "stateless". Well, it's weird to talk about a database being stateless. But from the user authentication point of view the directory is stateless. It does not (and really should not) keep user sessions. It does not know if the user is still logged in. In fact, it does not even know if the user has logged in at all. Yes, it might know if the user supplied the correct password, but that may be only a necessary, not a sufficient, condition for authentication.
  • Deprovisioning of stateful applications is a major problem. From the security point of view, deprovisioning (deleting user accounts) is much more important than provisioning. And a directory-only deployment cannot do deprovisioning of stateful services. For example user home directories, mailboxes, etc. If you route all your authentication through the directory server, the user may not be able to log in anymore. But the state will remain. It will take up space, harmful content (maybe accessible by other users) may be there. Or maybe even a backdoor ...

The conclusion is simple: you need a directory system, maybe even a single directory system, but you will need other tools as well. The user provisioning system is the tool that you will most probably need. And unless you have a totally crystal-clear enterprise architecture, there is no way around it.

This was one of the points of my presentation at the InfoSeCon conference. You may find the complete paper on my "papers" page.

Posted by semancik at 9:12 AM in Identity
Sunday, 14 May 2006

The InfoSeCon 2006 conference is over. It was a really great conference with a unique atmosphere. The opportunity to talk at length to other speakers and to share ideas was priceless. I also appreciate that the conference was vendor-neutral. That's something that we cannot see that often at our longitude. It was unquestionably the best conference I've attended in Central/East Europe.

The presentations and discussions with other attendees provided a lot of insight and tons of material for thoughts. I will follow up with more in-depth meditations later. Now I only want to present the overall "look & feel".

Marcus Ranum perfectly summarized the current state of information security in two words: "all sucks". That's exactly what most of the presentations were about (including mine), at least partially. Firewalls do not really work, workstations are insecure, it is really difficult to get the security management processes right ... nothing really helps. But what is even worse: nobody really knows what to do about it.

There were a lot of good presentations by the "risk management" folks focused on methods to get the security processes right. Marcus Ranum talked about the fallacy of "generation 2" and "generation 3" firewalls, while hinting at what went wrong and what can be done about it. There was an excellent presentation by Vince Gallo describing the promise and limitations of the security system of Windows Vista. But one way or another, no satisfactory short-term solution seems to exist.

Maybe we should call this the "Security Crisis" ...
(gee, I hope I haven't just created a new buzzword)

Posted by semancik at 9:59 PM in security