With a title like that, I can go in a million directions with this blog post. The direction I want to go is to expose some of the limits and set some expectations of network security professionals. As a CCIE Security, I’d love to say that the skills a network security professional possesses are all that are necessary to secure modern systems. In actuality, many of the techniques that netsec professionals are expected to employ are NOT addressing the root problems.
First off, what is it that network security professionals can actually secure? We can break these down into three primary areas. The first area is the network devices themselves. We must only allow authorized users to use the desired management protocols, thus preventing unauthorized configuration changes. Cisco would term this the “management plane”. The next area that we must secure is the protocols that the devices on the network use to communicate network conditions to one another. This includes protocols such as STP, RIP, OSPF, EIGRP, and BGP. If these protocols aren’t properly secured, an attacker can change the behavior of our network devices without actually changing the configuration. Cisco terms this the “control plane”.
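As an added illustration (not the author's configuration) of what locking down those first two planes looks like in practice, here is a Cisco IOS fragment that restricts management access to SSH from one admin subnet and authenticates OSPF and BGP neighbours. The addresses, AS numbers, interface names and key placeholders are assumptions chosen for the example.

```text
! --- Management plane ---
! Only the admin subnet (constructed: 192.0.2.0/24, documentation space) may
! reach the VTY lines, and only over SSH; everything else is denied and logged.
ip access-list standard MGMT-HOSTS
 permit 192.0.2.0 0.0.0.255
 deny   any log
!
username netadmin secret <REPLACE-WITH-PASSWORD>
ip ssh version 2
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 exec-timeout 5 0
 login local
!
! --- Control plane ---
! OSPF: a neighbour's LSAs are accepted only if its hellos carry a matching
! MD5 digest, so a rogue host on the segment cannot inject routes.
interface GigabitEthernet0/1
 ip ospf message-digest-key 1 md5 <REPLACE-WITH-KEY>
!
router ospf 1
 area 0 authentication message-digest
!
! BGP: the peering session is protected with the TCP MD5 option (RFC 2385);
! segments without a valid digest are dropped before BGP ever sees them.
router bgp 64500
 neighbor 198.51.100.2 remote-as 64501
 neighbor 198.51.100.2 password <REPLACE-WITH-KEY>
!
! STP: host-facing edge ports are shut down if a BPDU arrives, so an end
! system cannot take part in (or win) the root bridge election.
interface GigabitEthernet0/2
 spanning-tree portfast
 spanning-tree bpduguard enable
```

The first block is what the management plane section above describes (authorized users, authorized protocols only); the remaining blocks apply the same idea to the control plane protocols named in the text.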
The third area is the transit plane. This is the area where security is often overstated (or assumed). What I mean is that network security administrators are somehow expected to protect end systems from “anything” bad. That is a daunting, if not impossible, task. Now there are some things that are relatively easy to do. For example, we can build rules to encrypt traffic from subnet a.a.a.a to subnet b.b.b.b. We can also easily create temporary openings for traffic that was initiated from a secured interface. The more difficult thing is identifying and dropping malicious traffic.
Today many of the malicious streams are actually initiated from internal hosts. The direction in which these connections are initiated allows them to fly under the radar of a lot of firewalls and score lower on many IDS implementations. There is also the case of encrypted traffic that hides packet payloads from firewalls and IDS systems. User-friendly tools like “Firesheep” have demonstrated the need for encryption and led to its more widespread use. While encryption is crucial for hiding sensitive data, it also hides malicious commands and misuse of upper-layer protocols from network and IDS devices.
To be completely honest, network administrators should be responsible for delivering packets. The burden of building properly secured services and operating systems should fall primarily on software engineers. Education in this realm of host hardening and secure software design is more in alignment with the offerings from SANS than with those from Cisco and Juniper. Network security professionals have attempted to augment shortcomings in software for years with firewalls, deep packet inspection and IDS. As information systems continue down the path of distributed data (aka cloud computing) and encrypted traffic, network security engineers need to make sure that everyone understands the technical limits of their capabilities.
As netsec professionals, we can obviously secure devices, secure control plane protocols, install IDS solutions and implement simple stateful firewalls. But what does a firewall really get you today? The answer is not nearly as much as it did ten years ago. It’s not that firewalls aren’t as good (they’re actually better), but our network usage patterns are far more complex and introduce a lot of challenges. We need to make sure that business stakeholders understand these limitations. Otherwise, we leave ourselves vulnerable to the “I thought we had a firewall” statement the next time data is leaked after a user goes to a malware-infested site.