This article can also be found in the Premium Editorial Download "Information Security magazine: Security survivor all stars explain their worst data breaches."
Network perimeter defenses have crumbled. What we need now are self-defending clients.
Today's network perimeter is a lot like the Maginot Line, which the French built after World War I, believing its bunkers, fortresses and traps would stop invasion from the east. But the Germans defeated the tons of concrete and miles of barbed wire by simply going around it, conquering Paris in a mere 35 days.
In our modern-day Maginot Network, we watch Trojans flank our firewalls just as the French soldiers watched German tanks surround their fortress. But why have static perimeter defenses become obsolete?
The ubiquitous demand for mobile devices makes networks more fluid, with more entry points and increasing complexity. And worms are rapidly evolving, using clever social engineering tricks to produce an endless stream of Trojan attacks that march right through e-mail and Web ports. Your firewall is as useful as a rock in a boulder field when a trusted user naïvely double-clicks a link and innocently installs insidious spyware on your corporate network.
Sun Microsystems coined the phrase, "The network is the computer." Today, you should apply the converse model to security--"The client is the network." Harden end points first, and use perimeter defense as a secondary tactic. Go beyond the advertising hype of self-defending networks by making a tactical shift to self-defending clients.
This approach addresses mobile computing threats because the client depends primarily on its own defenses, whether joined to corporate resources over copper or connected remotely from an untrusted wireless network. Host-based intrusion prevention, client firewalls, encryption, forensic agents and other client hardening techniques become the primary means of protection.
Think like a general: If your network defenses sound silly from a military perspective, they are. The typical network today is a fortress filled with unarmed soldiers sleeping soundly while the enemy bombards it. Changing the mind-set opens us to tactical diversity:
- Deception: Let's boldly deceive the attacker instead of peering fearfully over the wall. Honeypot technology--such as NFR's free Back Officer Friendly, which creates port deceptions on servers to attract hackers--may be the way to go.
Conventional wisdom advises that you hide your clients from the Internet, but that hangs huge targets on the few exposed devices--the firewalls, routers and servers in corporate DMZs. What if each client faced the Internet as a battle-hardened cyber-hero? Though counterintuitive in the Maginot Network, all these exposed, hardened nodes--plus the honeypots--would make it harder for attackers to identify high-value targets.
- Communication and Situational Awareness: A patrol under attack communicates immediately up-echelon and laterally to support units. Today's client security products are not particularly good at lateral communication, but they could be if we asked vendors for it.
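A small illustration of the two points above (port deception, and reporting laterally), added here and not part of the original article or of any product it names: a low-interaction decoy listener on a port where nothing real runs records every touch and serializes it for peer clients and the central log. The decoy banner, the `probe` client, and all function and field names are constructed for this example.

```python
import json
import socket
import threading
from datetime import datetime, timezone

DECOY_BANNER = b"220 decoy-ftp ready\r\n"  # constructed; nothing real behind it

class DecoyPort:
    """Low-interaction honeypot: a 'port deception' where no real service
    exists, so every connection is unexpected and worth reporting to peers."""

    def __init__(self, host="127.0.0.1", port=0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))          # port=0: the OS picks a free port
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        self.events = []                      # one record per connection attempt
        self.touched = threading.Event()      # set once an event is recorded
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            conn, addr = self.sock.accept()
            threading.Thread(target=self._handle, args=(conn, addr), daemon=True).start()

    def _handle(self, conn, addr):
        conn.settimeout(1.0)
        first_bytes = b""
        try:
            conn.sendall(DECOY_BANNER)        # fake banner so it looks like a service
            first_bytes = conn.recv(256)      # capture what the prober sends first
        except (socket.timeout, OSError):
            pass                              # silent probes still get recorded
        conn.close()
        self.events.append({"ts": datetime.now(timezone.utc).isoformat(),
                            "src": addr[0], "decoy_port": self.port,
                            "first_bytes": first_bytes.hex()})
        self.touched.set()

def lateral_alert(event):
    """Serialize one event for peer clients and the central log."""
    return json.dumps({"alert": "decoy_port_touched", **event}, sort_keys=True)

def probe(port, payload=b"USER anonymous\r\n"):
    """Constructed client standing in for a scanner: read the banner, send one line."""
    with socket.create_connection(("127.0.0.1", port), timeout=2) as c:
        banner = c.recv(64)
        c.sendall(payload)
    return banner
```

Because no legitimate client ever has a reason to connect to the decoy port, every recorded event is a high-confidence signal; the alert string is what a peer client or collector would consume.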
Applying military thought naturally highlights the most frustrating reality: We are always on the defensive. Difficulties in tracing attack sources and legal issues limit our counterattack options. But admit it--we who practice security trench warfare dream about the day that changes.
About the authors:
M. W. Meyer, CISSP, is a retired Navy communications specialist and a cybersecurity project manager for Innovative Technology Partnerships. Eric Sager, a former Air Force, Army and DoE network and security specialist, is currently a cybersecurity site manager in Albuquerque, N.M.
This was first published in April 2006