Cisco Systems recently teamed with major antivirus vendors to "push access
privilege to routers." "Key to the program," according to a Security
Wire Perspectives article, "is the new Cisco Trust Agent, a software
client" installed on PCs that gathers data from other
clients -- including antivirus software -- and relays it to "routers and other
network devices."
So what's the problem? I'm aware of seven different definitions for
"clients and servers" from hardware, software and object-oriented
vendors, and none represent the terms as used in this instance.
We shouldn't really be surprised, though. The infosecurity world is
filled with inconsistent terminology. Blame it on marketers
deliberately misusing words to sell something. Blame it on media
pundits explaining complex concepts in limited space, incorrectly
using familiar words rather than taking the space to explain them
accurately. Blame it on users applying terms incorrectly. The result
is an imprecise language that won't support accurate discussions or
understanding of the real nature of risks and mitigating controls.
To address IT security, we must clean up our language.
Perhaps we need new generalized words. Rather than
computing/communications, why not "computication"? Perhaps we need to
take the space to be more specific. For instance, client boxes talk
to server boxes, and processes talk to processes. But boxes don't
talk to processes. Perhaps we need to deal with the specifics. The
topology of NetWare running on ArcNet LANs? It's a
"star-bus-ring-mesh-star." The server and workstations hooked up to a
repeater hub with wires form a media star. Electrically (Layer 1),
all NICs are connected on a signaling bus. Link and network access
(Layers 2-3) are accomplished by token passing in a logical ring.
End-to-end (Layer 4), messaging is effectively a fully connected
logical mesh. Using a NetWare server and IPX/SPX, sessions (Layers
5-7) all home on the server, a logical star (with a different hub
than the media star). Hence the overall topology is
"star-bus-ring-mesh-star," and each layer has its own risks and
mitigating controls which need to be dealt with separately --
layer-by-layer -- and not as a single entity with a single topology.
Risk mitigation requires precision and accuracy -- all the time. This
especially applies to marketers and pundits, on whom we depend for
language revealing the true nature of particular tools.
If such language is not forthcoming from these wordsmiths, we must
clean up our act ourselves. We should adopt terms from standards
organizations (IEEE, ISO, NIST, etc.); from projects like one by
MITRE Corp., which is developing a standard language to use in
searching for software bugs in computer systems; or from our own
consortiums.
Whatever the source, we need to recognize the need for language which
illuminates rather than obfuscates. Security by obscurity may have
worked in the past, but no more. The first key to security is
understanding our world in unambiguous terms. That requires
unambiguous language. If we are to take this seriously, we can demand
no less.
That means no more "server client agents sending messages to that
router box." This will not be easy, but it could be fun.
About the author
Stuart Holoman is a principal consultant with Holocon Computications
Consulting in Raleigh, NC. Formerly with Bell Laboratories, he is
involved with the security and audit communities providing technical
training and developing technology-independent system analysis
methodologies, such as the Audit and Security Analysis (ASA) model.