It is 3 a.m. and you are sleeping like a baby. That's great because you've spent many late nights protecting your new e-commerce site with the best security devices and software money can buy. You have a pair of firewalls that can handle an OC-48, NIDS boxes that allow you to craft your own complex signatures, a very expensive alarm and reporting tool that generates reports for your boss every morning, and the latest in file system checking and log analyzers for your servers. As with most new security deployments, you haven't had a chance to drill deeply into how everything works yet, but the firewalls are configured to block unwanted inbound sessions, the NIDS shipped with what appears to be a good default set of signatures turned on (you did some tuning to eliminate alarms regarding normal traffic), and the file, log, and report tools all appear to be working.
Unfortunately, while you are fast asleep, an attacker is breaking into your web server. Using a new exploit carried over HTTP to your web server, traffic the firewall permits, the attacker has gained administrative privilege on the box and is launching follow-up exploits from that device against other servers in the demilitarized zone (DMZ). Although the NIDS has a signature loaded that would recognize the attack, the attacker is fragmenting the attack packets, and you didn't know to override the default NIDS setting that turns off fragmentation reassembly. By the time you arrive at work in the morning, several boxes have been compromised, and you have a full day ahead of you dealing with the issue.
Although this could be an example demonstrating that security is only as good as the weakest link, the real point is that your security system is only as useful as you design and configure it to be. It is necessary when planning a secure network to veer away from a shotgun approach to buying and installing all the latest technology in the hope that one will stop any attack. This is even true when security products are layered throughout your network because, without an understanding of what role each technology should play, it will be blind luck if your security deployment stops anything beyond the most basic attacks. Instead, you should have a clear understanding of the role each technology in your security system will play, what the technological limitations are, and whether there are additional technologies in your system that help secure against the same threats. Your aim should be to understand the strengths and weaknesses of your security system so that when presented with a new threat, you can quickly decide whether your existing system will deal with the problem adequately. In a nutshell, you require predictability to implement a successful security system.
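To make the fragmentation limitation in the scenario concrete, here is a small added example (not from the book, and not modelled on any particular NIDS product) of a toy signature matcher run once per fragment and once over the reassembled datagram. The signature string, the HTTP request and the fragment size are all constructed for illustration.

```python
"""Why a NIDS signature silently misses without fragment reassembly (toy model)."""
from dataclasses import dataclass
from typing import List, Optional

# Constructed stand-in for a rule's content string; a real rule would carry
# the exploit's actual byte pattern.
SIGNATURE = b"EXPLOIT-PATTERN"

# Constructed sample request carrying the pattern in its URI.
REQUEST = b"GET /cgi-bin/x?EXPLOIT-PATTERN HTTP/1.0\r\n"


@dataclass
class Fragment:
    offset: int      # byte offset of this piece within the original datagram
    payload: bytes


def fragment(data: bytes, size: int) -> List[Fragment]:
    """Split a datagram into fixed-size fragments (the sender's side)."""
    return [Fragment(i, data[i:i + size]) for i in range(0, len(data), size)]


def match_per_fragment(frags: List[Fragment]) -> bool:
    """What a NIDS does with reassembly turned off: inspect each piece alone."""
    return any(SIGNATURE in f.payload for f in frags)


def reassemble(frags: List[Fragment]) -> Optional[bytes]:
    """Rebuild the datagram; refuse (return None) on a gap or overlap so an
    incomplete stream is never reported as clean or as a match."""
    buf = bytearray()
    for f in sorted(frags, key=lambda f: f.offset):
        if f.offset != len(buf):
            return None
        buf.extend(f.payload)
    return bytes(buf)


def match_reassembled(frags: List[Fragment]) -> bool:
    """What a NIDS does with reassembly turned on: inspect the whole datagram."""
    data = reassemble(frags)
    return data is not None and SIGNATURE in data


if __name__ == "__main__":
    pieces = fragment(REQUEST, 8)
    print("per-fragment match:", match_per_fragment(pieces))   # False
    print("reassembled match: ", match_reassembled(pieces))    # True
```

With 8-byte fragments no single piece contains the 15-byte pattern, so the per-fragment check reports nothing while the reassembled check fires; the same code also shows that a missing fragment yields no verdict rather than a false "clean".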
To establish a predictable network, you must do the following:
Security engineers should think about these issues during the design process. If that doesn't happen, the likelihood of the security system acting in an unpredictable and more risky fashion is increased. The work doesn't stop with the security design either; operational processes must be considered to ensure you are able to properly deal with a security incident. Consider parallel efforts in other engineering disciplines: cars are crash tested, building designs undergo earthquake impact analysis, and kids' toys are (usually!) harm-proofed.
Here are a few other examples to further illustrate the point:
It has always been interesting for me to observe the effort spent by IT organizations to ensure that their network design is highly predictable so that those supporting it are confident it always acts as desired. There is little tolerance for network failures that cause downtime, unexpected effects during high-capacity use, or unpredictable network latency. This is ingrained in the psyche of network engineers and is a fundamental part of training classes and certifications. Unfortunately, it is not as common to be as rigorous with security designs. In some cases, the negative impact of an unpredictable security design can result in more dramatic, unwanted effects than any network oddity and can be much harder to recover from. An appropriate solution is to ensure that network and security design are done together, which is the theme of this book, and that predictability is fundamental to both.