Disconnect security in the post internet era

disconnect: security in the post-Internet era

Terry Gray

University of Washington

[email protected] workshop, chicago

12 August 2003


alternative titles

  • strained bedfellows:--protection for promiscuous connectors

  • open minds and closed networks:--confessions of a True Believer

  • life in the post-Internet era:--my journey to unenlightenment

  • defense in doubt:--preventing the post-Internet apocalypse

  • the Perimeter Protection Paradox:--searchin’ for security in all the wrong places


outline

  • thesis

  • metamorphosis

  • grief counseling

  • what we lost

  • how we lost it

  • consequences

  • critical questions


thesis

  • the Open Internet is history--“get over it”

  • cheer up, things could be worse--and will be if we aren’t careful

  • we can still make good decisions--to avoid even worse

  • [email protected] goal: evaluate alternative futures


metamorphosis: Internet paradigm

  • 1969: “one network”

  • 1982: “network of networks”

  • 199x: balkanization begins

  • 2003: balkanization complete

  • 2004: paradigm lost?


metamorphosis: workshop goal

  • 2000: “network security credo”

  • 2001: “my first NAT”

  • 2002: “uncle ken calls” > quest

  • 2003: “slammer” > intervention

  • 2003: “dcom/rpc” > wake


metamorphosis: success metrics

  • nirvana then

    • open Internet / network utility model

    • successful end-point security

  • nirvana now?

    • operational simplicity

    • admin-controlled security

    • user-controlled connectivity


grief counseling

  • denial

  • anger

  • bargaining

  • depression

  • acceptance--simultaneously!


what we lost: network utility model

  • the network utility model is dead--long live the NUM

  • all ports once behaved the same

    • simple

    • easy to debug

  • now they don’t:

    • bandwidth management policies

    • security policies


what we lost: operational integrity

  • lost: network simplicity, leading to

    • lower MTBF

    • higher MTTR

    • higher costs

  • lost: full connectivity, leading to

    • less innovation?

    • frustration, inconvenience

    • sometimes less security (faith, backdoors)


how we lost it: inevitable trainwreck?

  • fundamental contradiction

    • networking is about connectivity

    • security is about isolation

  • conflicting roles: strained bedfellows

    • the networking guy

    • the security guy

    • the sys admin

    • oh yeah… and the user

  • insecurity = liability

    • liability trumps innovation

    • liability trumps operator concerns

    • liability trumps user concerns


how we lost it: firewall allure?

  • firewalls = “packet disrupting devices”

  • perimeter protection paradoxes

  • large-perimeter FWs benefit:

    • SysAd, SecOps, maybe user

    • at expense of NetOps

  • the best is the enemy of the good

    • microsoft rpc exploit has guaranteed that the firewall industry has a bright future


how we lost it: disconnects

  • failure of “computer security”

    • vendors gave customers what they wanted, not what they needed

    • responsibility/authority disconnects guarantee failure

  • failure of networkers to understand what others wanted

    • not a completely open Internet!

    • importance of “unlisted numbers”


consequences (1)

  • mindset: “computer security” failed, so “network security” must be the answer

  • extreme pressure to make network topology match organization boundaries

  • “network of networks” evolution

    • 1982: minimum impedance between nets

    • 2003: maximum impedance between nets

  • Heisen/stein networking:

    • uncertain and relativistic connectivity


consequences (2)

  • more self-imposed denial-of-service

  • firewalls everywhere

  • uphill battle for p2p

  • more tunneled traffic over fewer ports

  • one FTE per border --with or without firewall

  • troubleshooting will be harder

  • NAT survives unless/until a better “unlisted number” mechanism takes hold

  • security/liability will continue to trump innovation/philosophy/ops costs


critical questions

  • should we build net topologies that match organizational boundaries?

  • will end-point security improve enough that perimeter defense will be secondary?

  • is it too late to try to offer users a choice of open or closed nets?

  • is the trend toward a single-port tunneled Internet good, bad, or indifferent?

  • is there any chance IPS or DEN will make it all better?

  • what’s the best way to implement an “unlisted number” semantic?
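
The "unlisted number" semantic that the consequences slide says NAT supplies, and that the last question above asks how to implement properly, can be modelled in a few dozen lines. The following is an added example written for this transcript, not code from Terry Gray or the talk. It simulates a port-overloading NAT box: an outbound flow creates a translation entry, a reply that matches the entry is delivered, and any unsolicited inbound packet is dropped, which is exactly the unlisted-number effect that comes free with NAT. It goes one step beyond the slide by adding an explicit "listing" (a static port forward) to show that reachability can be an operator decision separate from topology. All addresses, ports and packets are constructed for the illustration; `StatefulNat`, `publish` and `run_scenario` are names invented here.

```python
"""Toy model of NAT's "unlisted number" side effect (stateful, default-deny inbound).

Added example; not code from Terry Gray or the talk. Addresses, ports and
packets are constructed for illustration only.
"""
from dataclasses import dataclass
from itertools import count
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class StatefulNat:
    """Port-overloading NAT: private hosts are reachable only via entries they created."""

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self._ports = count(first_port)
        # outbound 5-tuple -> allocated public port
        self._out: Dict[Tuple[str, int, str, int, str], int] = {}
        # (public port, remote ip, remote port, proto) -> (private ip, private port)
        self._in: Dict[Tuple[int, str, int, str], Tuple[str, int]] = {}
        # (public port, proto) -> (private ip, private port): explicitly "listed" services
        self._static: Dict[Tuple[int, str], Tuple[str, int]] = {}
        self.dropped: List[Packet] = []

    def publish(self, pub_port: int, priv_ip: str, priv_port: int, proto: str = "tcp") -> None:
        """Opt a private service into the phone book (a static port forward)."""
        self._static[(pub_port, proto)] = (priv_ip, priv_port)

    def egress(self, pkt: Packet) -> Packet:
        """Private -> public: create or reuse a translation and rewrite the source."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        pub_port = self._out.get(key)
        if pub_port is None:
            pub_port = next(self._ports)
            self._out[key] = pub_port
            self._in[(pub_port, pkt.dst_ip, pkt.dst_port, pkt.proto)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def ingress(self, pkt: Packet) -> Optional[Packet]:
        """Public -> private: deliver only if a flow entry or static listing matches."""
        if pkt.dst_ip != self.public_ip:
            self.dropped.append(pkt)
            return None
        target = self._in.get((pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto))
        if target is None:
            target = self._static.get((pkt.dst_port, pkt.proto))
        if target is None:
            self.dropped.append(pkt)  # unsolicited: the "unlisted number" effect
            return None
        priv_ip, priv_port = target
        return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port, pkt.proto)


def run_scenario() -> dict:
    """Drive the NAT with constructed traffic and report what got through."""
    nat = StatefulNat("198.51.100.1")
    # 1. an inside host opens a web connection; its source is rewritten to the public address
    out = nat.egress(Packet("10.0.0.5", 51000, "203.0.113.10", 80))
    # 2. the server's reply matches the entry and is translated back
    reply = nat.ingress(Packet("203.0.113.10", 80, "198.51.100.1", out.src_port))
    # 3. an unsolicited packet to the public address finds no entry and is dropped
    probe = nat.ingress(Packet("192.0.2.77", 12345, "198.51.100.1", 135))
    # 4. the same host after being explicitly listed: now an operator choice, not a topology accident
    nat.publish(2222, "10.0.0.5", 22)
    listed = nat.ingress(Packet("192.0.2.77", 12346, "198.51.100.1", 2222))
    return {
        "translated_src": (out.src_ip, out.src_port),
        "reply_delivered_to": (reply.dst_ip, reply.dst_port) if reply else None,
        "probe_delivered": probe is not None,
        "listed_delivered_to": (listed.dst_ip, listed.dst_port) if listed else None,
        "dropped": len(nat.dropped),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The model makes the trade-off on the slides concrete: the same table that hides the inside host from unsolicited traffic is what makes inbound peer-to-peer connections an uphill battle, and the static listing is the only way back in. A mechanism that separated "reachable by default" from "has a public address" would give the unlisted-number property without the translation.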


discussion!

  • how do we redefine the Internet, going forward?

  • i.e. how do we “reconnect”?

