Friday, January 19, 2007

Security vs Networking

" Simply put, the networking group should maintain and configure network devices, and the security group should maintain and configure security devices."

I also sometimes lament that this world should be a simpler place :-) So, pray tell me, what is a firewall: a network or a security device?

Got this one? How about a switch firewall blade in a switch?

Oh, got the above OK? Here is a tougher one: a firewall code in a router?

Got my point!?


Anonymous said...

A firewall device is a network device. It doesn't sit "in the security". Software firewalls remain in the systems realm, are not devices, and remain the responsibility of system administration.

You may sub the words "VPN concentrator", "IPS", "UTM", etc for 'firewall' above.

All network devices should be administered by network engineers who work for a network operations center (NOC). These people usually will have complete network security skills. They most certainly should be able to design, configure, and maintain networks. The NOC monitors the network and responds to outages.

The firewall policy, rules, or specific configuration should be a part of a change control process where an Information Security team (or BU) informs other teams (including the NOC and SOC) about what policy needs to be enacted.

All security policy should be planned, reviewed, monitored, and responded to by security engineers. They also know about network security, but they also know about system security, application security, physical security, etc. They work for a security operations center (SOC). The SOC monitors policy violations and responds to incidents.

The above may not be true in all organizations, nor should it absolutely be. It's a rough guideline, and scales (1 sysadmin + 1 ISA firewall might be all a company needs).

If you are starting to ask questions about whether or not a router is a firewall (and these are very good questions to ask), or if different organizations should have access to different parts of the same device (Layer-3 Guy on the MSFC, Layer-2 Guy on the CatOS, Security Guy on the FWSM)... then it is obvious you need to come up with a better organizational model if you are stuck with "neteng guys vs. infosec guys".

The model that I presented is one that most people at Cisco, Juniper, Foundry, Symantec, and others are used to and have been talking about for possibly longer than 20 years. Microsoft's model looks more like the one sysadmin model I described. I mean, who needs more than one or two firewalls, right?

If you can answer that question and are still lost, go talk to your finance controller and ask them for more IT money for the year 2007. Make sure you include the acronym SOC and the wikipedia entry for ITSM in your report.

Anton Chuvakin said...

Wow, that is indeed a much better description of how things should be compared to Shon Harris's paper that I quoted in my post. Still, I know of a number of companies where '"neteng guys vs. infosec guys"' (or NOC vs SOC) is still a pretty real contradiction ...

Thanks a lot for the insightful comment!!

Anonymous said...

Yeah Shon seemed to be mostly confused as to how security people can trust neteng people. I think if you are not trusting your neteng people, you have a bigger problem than a silly firewall policy violation. If policy violations are punishable offenses in your organization, then how could they not be monitored?

I am starting to see a trend towards "Managed Firewall Services" via managed security operations providers. This puts the hands of trust on people outside your company! But you could have a different provider doing "Managed Security Monitoring" and now they balance each other out. Right?

Anton Chuvakin said...

Hmm, I've never seen DIFFERENT providers doing "monitoring" and "management" of the same networks, devices, etc.

Anonymous said...

I have. Even more interesting would be if there were 4 vendors.

1 to be responsible for DMZ/Extranet/Internet-facing firewalls
1 to be responsible for the monitoring of DMZ firewalls
1 to be responsible for internal company firewalls
1 to be responsible for monitoring those internal firewalls

Only that there probably aren't 4 vendors in this space anymore. There are plenty in the network (router/switch) world, however - and some of them do a fair-to-less job at security stuffs assuming you are stupid enough to go with an all-Cisco solution.

Interesting concepts, though, huh?

My favorite part about this strategy is that it flips the script on how to social engineer or perform espionage on such an organization. It's hard to get an insider or team of insiders.

A backout strategy is smart. If you have an RSA server and force the vendors to use hardware tokens - you can turn them off at any time. But being able to take over their responsibilities could be difficult. Another reason to use more than one vendor ... e.g. "ProviderX is our primary DMZ firewall configuration service provider, and our backup internal firewall monitoring provider".

Normally when I think about pen-testing networks it involves an insider. One of the best strategies (besides leaving around a bunch of backdoored USB keys in the parking lot) is to follow an IT security or other IT person home from the office and get on their home WiFi (aka "the mechanic's car is always broken"), backdoor their work laptop, and sneak in through their own credentials after they supply them (e.g. RSA hardware token via VPN). It's the weakest link. In this managed-provider scenario, you've removed the weakest link.

It's also difficult to sue or get SLA credits from an employee who fat-fingers a firewall rule. Using a specialized MSP is probably also going to reduce pilot-error (which, btw, is the number one cause of downtime in most cases).

I do understand that managed services aren't for everyone, but here are some things to consider.

Dr Anton Chuvakin