disconnect: security in the post-Internet era

Terry Gray

University of Washington

S@LS workshop, chicago

12 August 2003

alternative titles
  • strained bedfellows:--protection for promiscuous connectors
  • open minds and closed networks:--confessions of a True Believer
  • life in the post-Internet era:--my journey to unenlightenment
  • defense in doubt:--preventing the post-Internet apocalypse
  • the Perimeter Protection Paradox:--searchin’ for security in all the wrong places
outline
  • thesis
  • metamorphosis
  • grief counseling
  • what we lost
  • how we lost it
  • consequences
  • critical questions
thesis
  • the Open Internet is history--“get over it”
  • cheer up, things could be worse--and will be if we aren’t careful
  • we can still make good decisions--to avoid even worse outcomes
  • S@LS goal: evaluate alternative futures
metamorphosis: Internet paradigm
  • 1969: “one network”
  • 1982: “network of networks”
  • 199x: balkanization begins
  • 2003: balkanization complete
  • 2004: paradigm lost?
metamorphosis: workshop goal
  • 2000: “network security credo”
  • 2001: “my first NAT”
  • 2002: “uncle ken calls” > quest
  • 2003: “slammer” > intervention
  • 2003: “dcom/rpc” > wake
metamorphosis: success metrics
  • nirvana then
    • open Internet / network utility model
    • successful end-point security
  • nirvana now?
    • operational simplicity
    • admin-controlled security
    • user-controlled connectivity
grief counseling
  • denial
  • anger
  • bargaining
  • depression
  • acceptance--simultaneously!
what we lost: network utility model
  • the network utility model is dead--long live the NUM
  • all ports once behaved the same
    • simple
    • easy to debug
  • now they don’t:
    • bandwidth management policies
    • security policies
what we lost: operational integrity
  • lost: network simplicity, leading to
    • lower MTBF
    • higher MTTR
    • higher costs
  • lost: full connectivity, leading to
    • less innovation?
    • frustration, inconvenience
    • sometimes less security (faith, backdoors)
how we lost it: inevitable trainwreck?
  • fundamental contradiction
    • networking is about connectivity
    • security is about isolation
  • conflicting roles: strained bedfellows
    • the networking guy
    • the security guy
    • the sys admin
    • oh yeah… and the user
  • insecurity = liability
    • liability trumps innovation
    • liability trumps operator concerns
    • liability trumps user concerns
how we lost it: firewall allure?
  • firewalls = “packet disrupting devices”
  • perimeter protection paradoxes
  • large-perimeter FWs benefit:
    • SysAd, SecOps, maybe user
    • at expense of NetOps
  • the best is the enemy of the good
    • microsoft rpc exploit has guaranteed that the firewall industry has a bright future
how we lost it: disconnects
  • failure of “computer security”
    • vendors gave customers what they wanted, not what they needed
    • responsibility/authority disconnects guarantee failure
  • failure of networkers to understand what others wanted
    • not a completely open Internet!
    • importance of “unlisted numbers”
consequences (1)
  • mindset: “computer security” failed, so “network security” must be the answer
  • extreme pressure to make network topology match organization boundaries
  • “network of networks” evolution
    • 1982: minimum impedance between nets
    • 2003: maximum impedance between nets
  • Heisen/stein networking:
    • uncertain and relativistic connectivity
consequences (2)
  • more self-imposed denial-of-service
  • firewalls everywhere
  • uphill battle for p2p
  • more tunneled traffic over fewer ports
  • one FTE per border --with or without firewall
  • troubleshooting will be harder
  • NAT survives unless/until a better “unlisted number” mechanism takes hold
  • security/liability will continue to trump innovation/philosophy/ops costs
critical questions
  • should we build net topologies that match organizational boundaries?
  • will end-point security improve enough that perimeter defense will be secondary?
  • is it too late to try to offer users a choice of open or closed nets?
  • is the trend toward a single-port tunneled Internet good, bad, or indifferent?
  • is there any chance IPS or DEN will make it all better?
  • what’s the best way to implement an “unlisted number” semantic?
  • how do we redefine the Internet, going forward?
  • i.e. how do we “reconnect”?
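One way to implement the “unlisted number” semantic asked about above, as an added example that is not part of the talk: a stateful filter of the kind a NAT gateway applies, where an inside host can open connections outward but unsolicited inbound traffic only reaches ports that were explicitly “listed”. It also shows why the talk expects an uphill battle for p2p: an inside peer that merely listens is unreachable unless someone publishes its port. The class name, the 10.0.0.x / 203.0.113.x / 198.51.100.x addresses and the packet trace are all constructed for illustration; port 135 stands in for the RPC endpoint mapper the dcom/rpc slide refers to.

```python
"""Added example, not code from the talk: an "unlisted number" packet filter.

An inside host may initiate outbound flows; replies to those flows are let
back in. Anything else arriving from outside is dropped unless the
(host, port) pair was explicitly listed (the analogue of a published number
or a port forward). Addresses and packets below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # connection-opening segment
    ack: bool = False


class UnlistedFilter:
    """Stateful filter between a set of inside hosts and the rest of the net."""

    def __init__(self, inside, listed=()):
        self.inside = set(inside)          # hosts we protect
        self.listed = set(listed)          # {(host, port)} reachable unsolicited
        # flows opened from inside: (inside_host, inside_port, remote_host, remote_port)
        # (kept for the life of the object; a real device would expire entries)
        self.flows = set()

    def decide(self, p: Packet) -> str:
        outbound = p.src in self.inside and p.dst not in self.inside
        inbound = p.dst in self.inside and p.src not in self.inside
        if outbound:
            if p.syn and not p.ack:        # inside host opens a new flow
                self.flows.add((p.src, p.sport, p.dst, p.dport))
            return "allow"
        if inbound:
            if (p.dst, p.dport, p.src, p.sport) in self.flows:
                return "allow"             # reply to a flow we opened
            if (p.dst, p.dport) in self.listed:
                return "allow"             # published ("listed") service
            return "drop"                  # unlisted: unsolicited traffic never arrives
        return "allow"                     # inside-inside or outside-outside: not ours


def demo():
    """Run a constructed trace through the filter; returns the verdicts in order."""
    fw = UnlistedFilter(inside={"10.0.0.5", "10.0.0.7"}, listed={("10.0.0.7", 80)})
    trace = [
        Packet("10.0.0.5", 40001, "203.0.113.9", 443, syn=True),           # inside opens HTTPS
        Packet("203.0.113.9", 443, "10.0.0.5", 40001, syn=True, ack=True),  # server's reply
        Packet("198.51.100.4", 5555, "10.0.0.5", 135),                      # unsolicited RPC probe
        Packet("198.51.100.4", 5555, "10.0.0.7", 80),                       # listed web server
        Packet("198.51.100.4", 5556, "10.0.0.7", 135),                      # same host, unlisted port
        Packet("198.51.100.4", 6881, "10.0.0.5", 6881),                     # p2p peer calling in
    ]
    return [fw.decide(p) for p in trace]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The verdicts for the trace are allow, allow, drop, allow, drop, drop: the inside host's own HTTPS flow and its reply pass, the RPC probes and the inbound p2p attempt are dropped, and only the one listed (host, port) pair answers strangers. The flow table here never expires entries; a production device would age them out, which is exactly the kind of state that makes such “packet disrupting devices” harder to debug than a network where all ports behave the same.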