I recently attended a presentation in which a senior security admin described how his company was redesigning its network into a group of cooperating subnetworks with light firewalls and routers. He called it "compartmentalization."
I was impressed with the concept's elegance and potential effectiveness. In fact, I was impressed the first time I encountered it back in the '80s. It's one of the core tenets of security, along with least privilege and defense-in-depth. It seems that compartmentalization may be getting a new lease on life, and we have worms to thank for it.
Malware is forcing enterprises to pull their heads out of the sand and take a hard look at the trade-offs that come with increased connectivity, which means factoring survivability into network designs alongside performance, reliability and cost.
Typically, IT managers and network designers have been reluctant to compartmentalize because they believe it requires more management and increases initial infrastructure costs. This is true in the short term. However, over time, compartmentalized networks run better, are easier to maintain and can be upgraded locally where performance problems occur. Deployment costs are definitely higher, mostly because compartmentalized networks require an understanding of how the network is going to be used. The most frequently heard argument against compartmentalization is that "we don't have a good idea what machines actually need to communicate and can't retrofit a compartmented design without significant downtime." That's a real problem, but remaining ignorant about your network's usage isn't a long-term strategy. If you don't know what your network is being used for right now, you are a statistic waiting to happen.
I know one network manager who implemented a compartmentalization plan by installing firewalls at crucial junctions in his network. He left the firewall rules configured so that everything was permitted -- and logged -- then slowly tightened the screws on the firewall policies until he had "simulated" enough to know that they wouldn't hurt anything when enabled. When he asked some other managers about compartmentalizing the network, they said, "It's too hard! It will slow things down too much!" They were shocked to discover that the network manager's compartmentalization scheme had been working fine for three months and had made the network remarkably resilient to worms.
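The permit-everything-and-log phase described above produces the evidence needed to tighten the rules. As an added example (not from the column or from any real product), this script reads constructed firewall log lines from that phase, maps addresses to assumed compartments, counts which inter-compartment flows were actually observed, and drafts a default-deny policy that allows only those flows; rarely seen flows are set aside for review instead of being allowed blindly.

```python
import ipaddress
from collections import Counter

# Constructed sample log lines from the "allow and log" phase. The line format
# (action, then key=value fields) is an assumption for this example.
SAMPLE_LOG = """\
ALLOW src=10.1.0.15 dst=10.2.0.8 proto=tcp dport=445
ALLOW src=10.1.0.15 dst=10.2.0.8 proto=tcp dport=445
ALLOW src=10.1.0.22 dst=10.2.0.8 proto=tcp dport=445
ALLOW src=10.1.0.22 dst=10.3.0.5 proto=tcp dport=1433
ALLOW src=10.1.0.30 dst=10.3.0.5 proto=tcp dport=1433
ALLOW src=10.3.0.5 dst=10.2.0.8 proto=udp dport=53
ALLOW src=10.1.0.9 dst=10.4.0.1 proto=tcp dport=3389
ALLOW src=10.2.0.8 dst=10.2.0.9 proto=tcp dport=22
"""

# Assumed compartments: each subnet sits behind its own junction firewall.
COMPARTMENTS = {
    ipaddress.ip_network("10.1.0.0/24"): "workstations",
    ipaddress.ip_network("10.2.0.0/24"): "file-servers",
    ipaddress.ip_network("10.3.0.0/24"): "db",
    ipaddress.ip_network("10.4.0.0/24"): "mgmt",
}

def compartment_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((name for net, name in COMPARTMENTS.items() if addr in net), "unknown")

def parse_line(line):
    fields = dict(kv.split("=", 1) for kv in line.split()[1:])
    return (compartment_of(fields["src"]), compartment_of(fields["dst"]),
            fields["proto"], int(fields["dport"]))

def observed_flows(log_text):
    """Count flows that cross a compartment boundary; traffic that stays inside
    one compartment never traverses the junction firewall and is ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        if line.startswith("ALLOW"):
            src, dst, proto, dport = parse_line(line)
            if src != dst:
                counts[(src, dst, proto, dport)] += 1
    return counts

def tightened_policy(flows, min_hits=2):
    """Draft a default-deny rule set permitting only flows seen at least min_hits
    times. One-off flows (possible scans or worm probes) go to a review list."""
    rules, review = [], []
    for (src, dst, proto, dport), n in sorted(flows.items()):
        (rules if n >= min_hits else review).append(
            f"allow {src} -> {dst} {proto}/{dport}  # seen {n}x")
    rules.append("deny any -> any  # default deny once the allow-list is trusted")
    return rules, review
```

Run the allow-and-log phase long enough to cover monthly and quarterly jobs before trusting the allow-list; a flow that only appears during month-end processing will otherwise land in the review pile.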
As with so many security problems, my friend's biggest challenge was at "Layer 8," the carbon layer. Changing the minds of entrenched managers isn't easy, but positive, irrefutable evidence of stronger security is a powerful catalyst for change.
Enterprises are waking up with connectivity hangovers after the massive build-out binge of the '90s. They reject compartmentalization out of intimidation; they're overwhelmed by the size and scope of the infrastructure messes they've created. But hoping the next worm will blow by without incident won't make it so. Enterprises should embrace compartmentalization, stop throwing money and technology at security problems, and improve their architectures and security by applying some good old-fashioned common sense, like they should have done in the first place.
Editor's note: This is Marcus Ranum's last column with Information Security. He has taken a position with Tenable Security Networks as chief security officer. For the past two years, Ranum has written about cutting-edge security technologies, threats and tools. We will miss his insight and expertise, and wish him well in his new endeavor.