Good Network Security Is Predictable

It is 3 a.m. and you are sleeping like a baby. That's great because you've spent many late nights protecting your new e-commerce site with the best security devices and software money can buy. You have a pair of firewalls that can handle an OC-48, NIDS boxes that allow you to craft your own complex signatures, a very expensive alarm and reporting tool that generates reports for your boss every morning, and the latest in file system checking and log analyzers for your servers. As with most new security deployments, you haven't had a chance to drill deeply into how everything works yet, but the firewalls are configured to block unwanted inbound sessions, the NIDS shipped with what appears to be a good default set of signatures turned on (you did some tuning to eliminate alarms regarding normal traffic), and the file, log, and report tools all appear to be working.

Unfortunately, while you are fast asleep, an attacker is breaking into your web server. Using a new exploit that rides over HTTP directed to your web server, which is allowed by the firewall, the attacker has attained administrative privilege on the box and is starting follow-up exploits from that device to other servers in the demilitarized zone (DMZ). Although the NIDS has a signature loaded that would recognize the attack, the hacker is fragmenting the attack packets, and you didn't know to override the default NIDS setting that turns off fragmentation reassembly. By the time you arrive at work in the morning, several boxes have been compromised, and you have a full day ahead of you dealing with the issue.

Although this could be an example demonstrating that security is only as good as the weakest link, the real point is that your security system is only as useful as you design and configure it to be. It is necessary when planning a secure network to veer away from a shotgun approach to buying and installing all the latest technology in the hope that one will stop any attack. This is even true when security products are layered throughout your network because, without an understanding of what role each technology should play, it will be blind luck if your security deployment stops anything beyond the most basic attacks. Instead, you should have a clear understanding of the role each technology in your security system will play, what the technological limitations are, and whether there are additional technologies in your system that help secure against the same threats. Your aim should be to understand the strengths and weaknesses of your security system so that when presented with a new threat, you can quickly decide whether your existing system will deal with the problem adequately. In a nutshell, you require predictability to implement a successful security system.

To establish a predictable network, you must do the following:

1. Make sure you understand the activity and events the system might experience, including attack vectors.
2. Consider how to construct a system that mitigates these attacks.
3. Consider failure conditions that might arise within your own system to ensure your design is layered as discussed in the first axiom "Network security is a system."

Security engineers should think about these issues during the design process. If that doesn't happen, the likelihood of the security system acting in an unpredictable and more risky fashion is increased. The work doesn't stop with the security design either; operational processes must be considered to ensure you are able to properly deal with a security incident. Consider parallel efforts in other engineering disciplines: cars are crash tested, building designs undergo earthquake impact analysis, and kids' toys are (usually!) harm-proofed.

Here are a few other examples to further illustrate the point:

• What if the Internet edge firewall is misconfigured so that inbound access through all ports, rather than select ports, is opened up on a web server protected by the firewall? A predictable approach to the design takes this possibility into account, and the designer would be able to state the potential ramifications. This starts with what might happen to the server, but then extends to what would happen if the server were compromised and the secondary-exploitation activity that could ensue.
• When designing a highly available Internet Protocol Security (IPsec) VPN between retail offices and a head-end aggregation site, what happens during various failure conditions? A predictable design approach will have taken into account the rate of new connections that will hit the backup head-end device and will ensure that the device performs as intended. An unpredictable design will not consider the situation until it actually happens. This is not a pleasant experience, and it can result in unacceptable wait times for connections to be reestablished and performance bog downs of secondary devices caused by increased load.
• What happens if a router in a lab is misconfigured and inappropriately broadcasts bogus routing updates to the production network? A predictable design would consider how to prevent updates from leaving the lab environment and would possibly include peer authentication of production routers. An unpredictable design would not consider that production route tables could become corrupted.

It has always been interesting for me to observe the effort spent by IT organizations to ensure that their network design is highly predictable so that those supporting it are confident it always acts as desired. There is little tolerance for network failures that cause downtime, unexpected effects during high-capacity use, or unpredictable network latency. This is ingrained in the psyche of network engineers and is a fundamental part of training classes and certifications. Unfortunately, it is not as common to be as rigorous with security designs. In some cases, the negative impact of an unpredictable security design can result in more dramatic, unwanted effects than any network oddity and can be much harder to recover from. An appropriate solution is to ensure that network and security design are done together, which is the theme of this book, and that predictability is fundamental to both.