Re: Thoughts on Jericho Forum

[Deke Kassabian <deke () ISC UPENN EDU>]

--On Thursday, June 14, 2007 8:33 AM -0600 "Lovaas,Steven"
<Steven.Lovaas () COLOSTATE EDU> wrote:
> Endpoint security is a great idea. Deployed as part of a strategy of
> defense in depth, client-based security measures strengthen the
> entire system.

I'm generally a fan of Defense in Depth, too.  But that doesn't
necessarily mean that I'm a fan of perimeter firewalls.  I am, though,
a fan of adding detection and light filtering to networks layered into
excellent endpoint security.

> But I would caution about going too far down this path too quickly.
> Relying solely on one tactic opens you to vulnerability when that
> tactic proves insufficient. I'd compare it to the realization that a
> safe in your bedroom is a lot harder for a thief to defeat than the
> lock on your front door. Does that mean that, once you purchase a
> safe, you no longer lock your front door at night? I don't think so;
> perhaps it DOES mean you don't have to buy a much more expensive
> alarm/deadbolt system for your front door.

Analogies can be useful.  They can also sometimes mislead.

What if we move bedroom -> front door, and front-door -> city limits.

Now it reads:
Does that mean that, once you purchase a front door lock, you no
longer lock the gate at the city limits at night?

Does this change how the analogy makes us think about perimeters?

^Deke


> Microsoft has been touting this approach of hardened endpoints,
> ubiquitous authentication of traffic, encryption where required, and
> intelligence on the client. But Microsoft sells computers, so it
> makes sense for them to focus on that aspect of security. And that
> works great when all of your clients are Microsoft machines and are
> under enough of your control to have the relevant policies and
> agents installed.
>
> Lacking that kind of standardization and control, it makes sense to
> also have some sort of network-based protection. Whether that's NAC
> or departmental and border firewalls or network IDS or a mix of all
> these, depends on your environment.
>
> I love that Jericho and other folks are talking about these
> concepts, and in a small, controlled environment their suggestions
> would probably work great. I'll keep watching them...
>
> Steve
>
>
>
>
> ==============================================
> Steven Lovaas, MSIA, CISSP
> Network Security Manager
> Academic Computing & Network Services
> Colorado State University
> 970-297-3707
> Steven.Lovaas () ColoState EDU
> ============================================
> -----Original Message-----
> From: Bruce Curtis [mailto:bruce.curtis () NDSU EDU]
> Sent: Wednesday, June 13, 2007 4:55 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Thoughts on Jericho Forum
>
> On Jun 13, 2007, at 5:15 PM, David Morton wrote:
>
> > Lately we've been engaged in some conversation about the Jericho
> > Forum and their thoughts on security.
> >
> >
> >
> > Key issues such as the ineffectiveness of traditional perimeter
> > defenses and encryption have rang true for a long time.
> >
> > Have the principals of the Jericho Forum been discussed at your
> > organizations and if so, what has come out of those thoughts and
> > discussions?
> >
> > David
>
>
>    Yes, we agree about a lot of things with the Jericho Forum.  We
> have no perimeter firewall and our video sessions work great, and
> our multicast and IPv6 connectivity works great also.
>
>    We have a couple of departments that are using Native Transport
> IPsec and it has been working well so far.  Which isn't a big
> surprise since Microsoft has been using it for 200,000 plus
> computers for quite a while.
>
>
> http://www.microsoft.com/casestudies/casestudy.aspx?casestudyid=49636
>
>
>
> http://www.microsoft.com/casestudies/casestudy.aspx?casestudyid=49593
>
>
>    http://www.microsoft.com/technet/itshowcase/content/
> ipsecdomisolwp.mspx
>
>
>    We haven't done it here yet but a University 60 miles away has
> installed a host IPS on all of their computers.  To me that is a
> much more efficient use of security dollars than spending money on a
> device at the perimeter.  At least one of the Host IPS packages that
> I have kept an eye on has protected from every Microsoft
> vulnerability due to buffer overflow since I started looking at the
> issue.  And that is protection before the vulnerability was found,
> reported, announced and finally patched.
>
>    In our environment we have thousands of laptops that leave campus
> every day, go who knows where, and then come back.  Even if we had a
> firewall  only one click on any single host on the network can lead
> to that host being compromised and then it could scan the entire
> internal network.
>
>
>
>   ---
> Bruce Curtis                         bruce.curtis () ndsu edu
> Certified NetAnalyst II                701-231-8527
> North Dakota State University



-------
Deke Kassabian,  Senior Technology Director
Information Systems and Computing, University of Pennsylvania