Tag Archive for: Enterprise

Securing Your Network, or Networking for Security?

/by

Every day we hear about another breach, and most of the time the information we get is fairly consistent – the breach started and finished long before it was discovered.    It’s not always clear exactly how or where the attackers were able to get access because they’ve had ample time to cover their tracks.   Whatever log or history data we have is massive, and sifting through it to figure out anything about the attack is very difficult and time consuming.  We don’t quite know what we’re looking for and much of the evidence has come and gone.

As I survey the cybersecurity market and media coverage, I notice that:

  1.   We’ve thrown in the towel, it’s “not if, but when” you’ll be breached.
  2.   Many security vendors are now talking about analytics, dashboards, and big data instead of prevention.

person-thinking-networkNotably absent is the acknowledgement that the attack did not happen at a single point or computer, and that the actual theft of data was allowed because the data looked like legitimate network traffic using allowed routes through and out of the network.

We hear a lot about not having enough “security expertise”.  Is that really the problem?  Or is the problem that the security experts don’t really understand the full complexity of their networks?  The network experts understand.  These attacks are happening via network traffic – not on a device, nor with a known signature.   And what do networking professionals care about?  Traffic, and how it’s flowing.   I maintain that there’s a lot more expertise that could help in this breach analysis and prevention than we think – we’re just not asking the right people.

In subsequent posts I’ll talk about why the networking team is becoming vital to security efforts, and why understanding how a network is constructed and performs is the best chance we have of improving our defenses.

Testing the Policy

/by

The day was already hot with the humidity rising as I entered the data center for our third day of consulting. The NOC was state-of-the-art, dimly lit, with displays showing network status, weather, and news. This was the day we would see the results of testing the network policy for the first time. I knew what to expect, and I knew the engineers would be surprised. It happens every time.

testingNetworks today are incredibly complex: from the more traditional routers with ACL s, and firewalls with their rules, to ever-more-sophisticated load balancers, application-layer firewalls, and virtual environments that comprise more functions than the entire enterprise had just a few years ago. The expansive organic and revolutionary growth of network functions has created an elaborate, interconnected, dynamic maze that is practically impossible for human beings to grasp, much less to determine every possible outcome of communication across it.

That is where automation steps in.

As I mentioned in previous posts, first, you identify zones and then you map them to your network. These two steps are essential to any reasonable security policy. However, that’s not enough. You have to know every day that your network enforces those zones and the inter-zone policies you worked so hard to create. The only way to do that is with automation.

As a guy who has built networks for a very long time, one of my primary reasons for using RedSeal on those networks is to abstract the complexity of all those network elements and show me the current state of the security policy: are there any violations to that policy on the network today?

Just like that hot day I spent in the cool confines of a modern data center, every network I have helped customers and prospects analyze — without exception — has had violations of their policy. Many were approved exceptions. Some were emergency changes. It’s also very common to discover completely unexpected violations. Frankly, you should expect that. The complexity and unexpected interactions are far too great to be able to anticipate all of them without automation like RedSeal.

How do you test your policy?

Somewhere Over the Spreadsheet

/by

Two years ago I was standing in front of a group of security geeks in Santa Barbara for BSides LA talking about the sophisticated tools that most network engineers use — like “ping” and “traceroute” and even Excel — and about how the broad range of tools available typically didn’t get used in a primordial jungle of our enterprise networks. Recently, Wired concurred, outlining the widespread use of spreadsheets for a broad range of business functions.

new-spreadsheet1It is embarrassingly common for us to find the majority of network management information in spreadsheets. Lists of devices, lists of firewall rules, hierarchies of networks. All laid out in nicely formatted tabs within multiple spreadsheet workbooks, often stored in SharePoint or Google Docs. But, always, devoid of context and the real meaning of the elements.

This isn’t to say that there isn’t a place for spreadsheets, of course, but I would challenge you to think through how you are using them and whether or not they are giving you the information you need to know rather than believe what your network is really doing.

For example, a couple years ago I was visiting a major retailer as they were working through their PCI audit. They presented the auditor with an annotated spreadsheet containing all of the firewall rules within their infrastructure. The auditor, for his part, recognized that evaluating firewall rules out of context masks the reality of the way a network operates, and asked to review the PCI zones using RedSeal. The insights for the organization and the auditor were rapid and clear, and the organization was able to take steps to improve their overall security as a result.

So, although spreadsheets are valuable for building lists of the “stuff” that makes up your environment, they are no substitute for automation that can show you and tell you what you don’t know you don’t know. What do you keep in spreadsheets? What do you wish your spreadsheets could tell you? What’s the strangest experience you’ve had with spreadsheets?