Security Laboratory

Security Laboratory: Defense In Depth Series

Security Convergence and The Uniform Method of Protection to Achieve Defense in Depth


By Stephen Northcutt
Security convergence is an interesting trend that has been picking up speed heading into 2013. We are running information that was formerly carried over analog links across our digital data networks, we are converging formerly separate network devices, especially at the perimeter (unified threat management[1]), and we are starting to see physical and classic network security groups begin to merge in some organizations. If the trend continues unabated, it will end up saving us a lot of money and giving us a lot less actual remediation of risk than past practice. This trend falls squarely within the uniform architectural approach to defense in depth.[2] The architectural approaches to defense in depth are a recurring theme in the course we author and teach, Management 512, SANS Security Leadership Essentials For Managers.[3] Let's look at some of the details.
====
1. https://www.trustwave.com/unified-threat-management/
2. http://www.sans.edu/resources/securitylab/367.php
3. http://www.sans.org/training/description.php?mid=62


Convergence of network traffic


"A lot of organizations, today, are considering converging voice and data on the same network, and, therefore, need to ensure that their existing networks can take on this additional load."[1] What is driving convergence or unified communications? According to Rich Tehrani, "cost has been portrayed in press coverage as the major driver, but we believe that functionality will eventually drive adoption as cost differences even out. Regardless of the primary motivator, we're seeing that enterprises are most likely to adopt VoIP gradually, often deploying it by division or for specific call types."[2] To recap the current situation, "more businesses are moving to implement unified communications, mainly because of the efficiency and potential cost savings it offers. While most deployments today are small and limited, users are discovering that there is a down side to unified communications: a significant growth in network traffic that can slow down application performance and cause other problems, according to a survey released Monday."[3]

"A survey of 576 unified communications users found that 75% said one-quarter of their network traffic in the last three months consisted of UC applications like VoIP, unified messaging, and instant messaging. The survey was conducted by Network General Corp., which polled its worldwide customers."[3] In the same study, "forty percent of companies polled said they use integrated voice, video and Web conferencing, and close to 70 percent have used VoIP, but only 12 percent cite voice communication as responsible for additional network traffic. Around 80 percent of respondents believe the network traffic from all their communications applications will increase over the next 12 months."[4, 5]

A 2005 Gartner study stated: "To handle the increased demands that voice places on data networks, '90 percent of networks in North America today will require additional build-out to support voice, and 100 percent of them will require some configuration changes,' said Gartner analyst Jeff Snyder."[6] "Jitter and packet drops that can be tolerated in an IP data network are key contributors to poor quality in VoIP. To absorb most jitter, buffering is often employed, but buffers can overflow and cause drops plus significant delay that is also a cause of poor perceived quality. High bandwidth (the 'big pipes' solution) can eliminate much of the buffering and drops; however, bandwidth is not inexpensive and is not a panacea for all that can occur on even the most robust of IP networks."[7] Chris Brenton, who teaches the perimeter security course for SANS, stated that a number of companies have backed out of their initial deployments, waiting until they upgrade the network.
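To make the jitter-buffer trade-off in the quotation above concrete, here is an added example that is not from the article or its cited sources: a constructed stream of 20 ms voice packets with varying one-way delay, an RFC 3550-style interarrival jitter estimate, and a fixed playout buffer in which a short playout delay drops late packets while a long one absorbs the jitter at the cost of added delay. The 20 ms framing and the delay values are constructed assumptions.

```python
from dataclasses import dataclass

FRAME_MS = 20  # constructed: one packet every 20 ms (typical G.711 framing)


@dataclass
class Packet:
    seq: int
    sent_ms: int
    arrived_ms: int


def make_stream(one_way_delays_ms):
    """Constructed sample stream: packet i is sent at i*20 ms and arrives
    after the given one-way network delay (the variation is the jitter)."""
    return [Packet(i, i * FRAME_MS, i * FRAME_MS + d)
            for i, d in enumerate(one_way_delays_ms)]


def interarrival_jitter(packets):
    """Smoothed interarrival jitter estimate as defined in RFC 3550:
    J = J + (|D| - J) / 16, where D is the change in transit time
    between consecutive packets."""
    j = 0.0
    for prev, cur in zip(packets, packets[1:]):
        d = (cur.arrived_ms - prev.arrived_ms) - (cur.sent_ms - prev.sent_ms)
        j += (abs(d) - j) / 16
    return j


def playout(packets, playout_delay_ms):
    """Fixed playout buffer: packet i is played at sent + playout_delay.
    A packet arriving after its playout time is useless and is dropped;
    an early one waits in the buffer, which is the added delay.
    Returns (played, dropped, mean_buffered_ms)."""
    played = dropped = 0
    waited = 0
    for p in packets:
        play_at = p.sent_ms + playout_delay_ms
        if p.arrived_ms > play_at:
            dropped += 1
        else:
            played += 1
            waited += play_at - p.arrived_ms
    return played, dropped, (waited / played if played else 0.0)


# Constructed one-way delays: mostly around 45 ms with two jitter spikes.
SAMPLE_DELAYS_MS = [40, 60, 45, 120, 50, 41, 90, 44]
```

With a 60 ms playout delay the two spikes are dropped; with 120 ms nothing is dropped but every packet waits about 59 ms on average, which is the "buffering versus drops" choice the quotation describes.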

In 2012, Hurricane Sandy had the effect of increasing the adoption of VoIP in the Northeast of the United States because it was more robust than the Plain Old Telephone System (POTS).[8]

Finally, we want to keep the security risks in focus: VoIP protocols are complex and poorly understood by most network engineers. The three biggest threats are denial of service, SPIT (phone spam) and fraud using targeted phishing against the VoIP user. The good news is that the latter two threats can be remediated with awareness training.

The bottom line: convergence of network traffic is going to happen, it is going to work, and it will bring new capabilities to our workplaces that we can scarcely dream about today. The amount of time you spend in pre-deployment testing and design can dramatically impact your organization's level of expense and satisfaction.

Consumer and cloud provider VoIP

I wouldn't be surprised if the majority of readers that receive this newsletter already have a consumer-grade VoIP service. As long as it is a backup service that is fine, but there are some quality rumblings starting to be heard. I have the Comcast service in Hawaii and have not experienced many problems at all, but there is a blog devoted to Vonage problems[9] and, more famously, Skype ran into serious trouble on Thursday, August 16, 2007: "The company first acknowledged the service outage around 2 p.m. Thursday, and later identified the cause as 'a deficiency in an algorithm within Skype networking software.' It ruled out any link with the planned maintenance of its Web-based payment service on Wednesday, and said service was not the 'victim of a cyber attack.' The service had been sporadic but gradually improving during the business day in Asia on Friday. The number of users that can now sign in is 'encouraging,' Skype said."[10]

====
1. http://pcquest.ciol.com/content/topstories/2004/104093003.asp
2. http://www.tmcnet.com/news/executive-suite/deloitte-touche-phil-asmundson.htm
3. http://www.informationweek.com/software/showArticle.jhtml?articleID=201802478
4. Unified Communications Bring Network Traffic
5. http://www.networkgeneral.com/PressDetails.aspx?NID=20078273072151
6. http://www.eweek.com/article2/0,1895,1898198,00.asp
7. http://www.tmcnet.com/it/0503/0503Finis.htm
8. http://www.fierceenterprisecommunications.com/story/spotlight-hurricane-sandy-increases-demand-voip-services/2012-11-12
9. http://news.com.com/5208-10784_3-0.html?forumID=1&threadID=29909&messageID=301226&start=-1
10. http://www.infoworld.com/article/07/08/17/Skype-problems-may-continue_1.html



Convergence of perimeter devices

"Unified threat management (UTM) is a term coined by Charles Kolodgy of International Data Corporation (IDC) in 2004 which is used to describe network firewalls that have many features in one box, including junk e-mail filtering, anti-virus capability, an intrusion detection (or prevention) system (IDS or IPS), and World Wide Web content filtering, along with the traditional activities of a firewall. These are application-layer firewalls that use proxies to process and forward all incoming traffic, though they can still frequently work in a transparent mode that disguises this fact."[1] "The unified threat management space is a relatively new security appliance segment tracked by IDC that is predicted to grow to $2 billion by 2008." According to Secure Computing, "Unified threat management systems must at minimum:
Be an appliance
Include multiple security features
Have a hardened OS
Be able to perform:
  Network firewalling
  Intrusion prevention (IPS) ("Stop Attacks!")
  Gateway anti-virus"[2]
Metagroup says, "The intent here is not to advocate comprehensive adoption of all-in-one security devices. Clearly, different locations within a network, as well as organizations of different sizes, will result in the need for various approaches. For example, high-capacity, head-end implementations may still be served best by single-service devices offering performance and other benefits associated with functional specialization. Medium-capacity and branch-office scenarios should, in general, be good candidates for multiservice devices. In addition, for environments with a mixture of scenarios, it would be beneficial to be able to obtain both sorts of products from a single vendor, along with a common, overarching management application."[3]

Vendors include:
Cisco
Fortinet
Secure Computing
SonicWall
WatchGuard

====
1. Wikipedia - Unified Threat Management
2. http://www.securecomputing.com/gateway/unified_threat_management.cfm
3. http://www.cisco.com/application/pdf/en/us/guest/products/ps6120/c1244/cdccont_0900aecd8027d090.pdf


Convergence of Physical, Network and Computer Security

In 2005, "Forrester Research projected a tenfold increase in U.S. spending on merging physical and logical access control, across both the public and private sectors, from $691 million in 2005 to more than $7 billion in 2008."[1] According to CERT's podcast on the subject, "Traditional silos will start to disappear, for example, boundaries between network security, physical security, and human resources. Single user identities are starting to emerge for all business transaction authorization and access. Identity management will include physical facility access and rights as well as network and application access and rights. Approaches like Common Access Cards are being used today to support physical access, network access, and email encryption, as well as to provision new employees and revoke the rights of terminating employees. Smart video and video analytics will be used to integrate and present all sources of video surveillance and to assist with forensics analysis. We can then collect physical security events captured by video surveillance cameras and correlate these with system and network access, for example."[2]

One bright note is that convergence may make Single Sign-On (SSO) a reality. "SSO requires the convergence of traditional physical security with IT for a number of reasons, such as the following:
Reduction of the cost associated with issuing and revoking authentication and access control credentials across information systems and facilities
The capability to know where a person is in relation to network authentication
For example, it is useful for the IDS system to know if a person is in the building at the same time a remote authentication request is made. To support this capability, the information systems are given "read" ability from the physical systems. Another emerging development is the capability of the information systems to "write" to the physical systems. For example, if a person's network authentication credential is issued or revoked, the physical access control credential is issued or revoked at the same time. An advanced development of this concept is the capability to populate an SSO identity and authentication credential across multiple physical systems and the network with a single integrated process. This allows the SSO authority to enroll, print, and issue a photo-ID/physical access control card and network identification/authentication credential from a single entry point and process."[3]
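As an added illustration of the "read" and "write" relationships described above (this is not code from the GIAC paper or the article), the following Python correlates constructed badge-reader events with constructed remote-authentication events: it flags a remote login by a user whose latest badge event shows them inside the building, and a badge-in by an account whose network credential has already been revoked, which is the mismatch the "write" direction is meant to prevent. The log formats, user names, door names and addresses are all constructed assumptions.

```python
from datetime import datetime

# Constructed sample badge-reader events (not from the article).
BADGE_LOG = """\
2013-01-14T08:02:11 alice IN  door=lobby
2013-01-14T08:05:40 bob   IN  door=lobby
2013-01-14T12:15:02 alice OUT door=lobby
2013-01-14T13:30:55 carol IN  door=garage"""

# Constructed sample remote (VPN) authentication events.
VPN_LOG = """\
2013-01-14T09:10:00 alice remote_auth success src=198.51.100.7
2013-01-14T13:00:00 bob   remote_auth success src=203.0.113.9
2013-01-14T14:05:00 alice remote_auth success src=198.51.100.7"""

# Accounts whose network credential was revoked; if the physical credential
# had been revoked in the same process, no badge-in should appear for them.
DEPROVISIONED = {"carol"}


def parse(log):
    """Return (timestamp, user, remaining fields) tuples in time order."""
    rows = []
    for line in log.splitlines():
        ts, user, *rest = line.split()
        rows.append((datetime.fromisoformat(ts), user, rest))
    return sorted(rows, key=lambda r: r[0])


def badged_in(badge_rows, user, when):
    """True if the user's most recent badge event at or before `when` is IN."""
    inside = False
    for ts, u, rest in badge_rows:
        if u == user and ts <= when:
            inside = rest[0] == "IN"
    return inside


def correlate(badge_log, vpn_log, deprovisioned):
    """'Read' check: remote auth while physically present in the building.
    'Write' check: badge use by an account already removed from the network."""
    badge = parse(badge_log)
    alerts = []
    for ts, user, _ in parse(vpn_log):
        if badged_in(badge, user, ts):
            alerts.append(f"{ts.isoformat()} {user}: remote auth while badged in")
    for ts, user, rest in badge:
        if user in deprovisioned and rest[0] == "IN":
            alerts.append(f"{ts.isoformat()} {user}: badge-in by deprovisioned account")
    return alerts
```

On the sample data, alice's 09:10 and bob's 13:00 remote logins are flagged (both badged in and not badged out), alice's 14:05 login is not (she badged out at 12:15), and carol's badge-in is flagged because her network account is already deprovisioned.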

====
1. Logical Security Convergence
2. CERT Podcasts Notes
3. GIAC White Paper on Convergence of Physical Security