disconnect: security in the post-Internet era - PowerPoint PPT Presentation

1 / 17
About This Presentation
Title:

disconnect: security in the post-Internet era

Description:

metamorphosis: workshop goal. 2000: 'network security credo' 2001: 'my ... metamorphosis: success metrics. nirvana then. open Internet / network utility model ... – PowerPoint PPT presentation

Number of Views:21
Avg rating:3.0/5.0
Slides: 18
Provided by: denni72
Category:

less

Transcript and Presenter's Notes

Title: disconnect: security in the post-Internet era


1
disconnect security in the post-Internet era
  • Terry Gray
  • University of Washington
  • S_at_LS workshop, chicago
  • 12 August 2003

2
alternative titles
  • strained bedfellows --protection for
    promiscuous connectors
  • open minds and closed networks --confessions of
    a True Believer
  • life in the post-Internet era--my journey to
    unenlightenment
  • defense in doubt--preventing the post-Internet
    apocalypse
  • the Perimeter Protection Paradox--searchin for
    security in all the wrong places

3
outline
  • thesis
  • metamorphosis
  • grief counseling
  • what we lost
  • how we lost it
  • consequences
  • critical questions

4
thesis
  • the Open Internet is history--get over it
  • cheer up, things could be worse--and will be if
    we arent careful
  • we can still make good decisions--to avoid even
    worse outcomesS_at_LS goal evaluate alternative
    futures

5
metamorphosis Internet paradigm
  • 1969 one network
  • 1982 network of networks
  • 199x balkanization begins
  • 2003 balkanization complete
  • 2004 paradigm lost?

6
metamorphosis workshop goal
  • 2000 network security credo
  • 2001 my first NAT
  • 2002 uncle ken calls gt quest
  • 2003 slammer gt intervention
  • 2003 dcom/rpc gt wake

7
metamorphosis success metrics
  • nirvana then
  • open Internet / network utility model
  • successful end-point security
  • nirvana now?
  • operational simplicity
  • admin-controlled security
  • user-controlled connectivity

8
grief counseling
  • denial
  • anger
  • bargaining
  • depression
  • acceptance--simultaneously!

9
what we lost network utility model
  • the network utility model is dead--long live the
    NUM
  • all ports once behaved the same
  • simple
  • easy to debug
  • now they dont
  • bandwidth management polices
  • security policies

10
what we lost operational integrity
  • lost network simplicity, leading to
  • lower MTBF
  • higher MTTR
  • higher costs
  • lost full connectivity, leading to
  • less innovation?
  • frustration, inconvenience
  • sometimes less security (faith, backdoors)

11
how we lost it inevitable trainwreck?
  • fundamental contradiction
  • networking is about connectivity
  • security is about isolation
  • conflicting roles strained bedfellows
  • the networking guy
  • the security guy
  • the sys admin
  • oh yeah and the user
  • insecurity liability
  • liability trumps innovation
  • liability trumps operator concerns
  • liability trumps user concerns

12
how we lost it firewall allure?
  • firewalls packet disrupting devices
  • perimeter protection paradoxes
  • large-perimeter FWs benefit
  • SysAd, SecOps, maybe user
  • at expense of NetOps
  • the best is the enemy of the good
  • microsoft rpc exploit has guaranteed that the
    firewall industry has a bright future

13
how we lost it disconnects
  • failure of computer security
  • vendors gave customers what they wanted, not what
    they needed
  • responsibility/authority disconnects guarantee
    failure
  • failure of networkers to understand what others
    wanted
  • not a completely open Internet!
  • importance of unlisted numbers

14
consequences (1)
  • mindset computer security failed, so network
    security must be the answer
  • extreme pressure to make network topology match
    organization boundaries
  • network of networks evolution
  • 1982 minimum impedance between nets
  • 2003 maximum impedance between nets
  • Heisen/stein networking
  • uncertain and relativistic connectivity

15
consequences (2)
  • more self-imposed denial-of-service
  • firewalls everywhere
  • uphill battle for p2p
  • more tunneled traffic over fewer ports
  • one FTE per border --with or without firewall
  • troubleshooting will be harder
  • NAT survives unless/until a better unlisted
    number mechanism takes hold
  • security/liability will continue to trump
    innovation/philosophy/ops costs

16
critical questions
  • should we build net topologies that match
    organizational boundaries?
  • will end-point security improve enough that
    perimeter defense will be secondary?
  • is it too late to try to offer users a choice of
    open or closed nets?
  • is the trend toward a single-port tunneled
    Internet good, bad, or indifferent?
  • is there any chance IPS or DEN will make it all
    better?
  • whats the best way to implement an unlisted
    number semantic?

17
discussion!
  • how do we redefine the Internet, going forward?
  • I.e. how do we reconnect?
Write a Comment
User Comments (0)
About PowerShow.com