The Federation Firewall Boundary

As a specialist by trade in both technology and financial audit, internal control structures and security play an important role in the work that I do. I came across Steve Riley's Death of the DMZ over broadband the other day, and his thesis really hit home for someone who deals in political federations. For years, I've told my customers that firewalls and other such devices equate to dumb security.

How many times have you heard the story about a father, waking in the middle of the night to the home alarm system, grabbing his gun, heading to the top of the stair, and about to pull the trigger when his son flips the light switch on? Okay, maybe you haven't heard that story, but the point should be taken. Wouldn't an authenticating dog have been a nice addition to that story? Wouldn't the dog add some intelligence to an otherwise dumb alarm system?

Steve's main point is something that I want my government customers to understand. Firewalls, DMZs and many of the other solutions we've come to rely on are designed around assumptions more than 10 years old. Today's business climate calls for functionality that was unheard of 10 years ago. Today's products are capable of authenticating, inspecting content, and making decisions related to security. So why do I have customers with firewalls between two departments in a shared forest? Comfort.

For many customers, deploying new technology is burdensome. It requires hard learning, testing and deployment, only to be obsolete by the 40,000th desktop. But if we don't start adopting new technologies to solve new business problems, our network configuration impedes progress instead of facilitating it.

I bring this up because one of my customers is reluctant to open the ports on a firewall to allow IPSec traffic to flow from any device to any device. Their objections are:

  1. It's wide open for any machine on the Internet to launch worm attacks against my servers.
  2. If I use IPSec, it disables my ability to effectively use Intrusion Detection Software.
  3. IPSec doesn't protect me from a worm; the attack will just be encapsulated.

My responses (which still fall on some deaf ears):

  1. An attack can only occur over IPSec if both the sender and recipient are configured for IPSec, and only if they can be mutually authenticated. Since authentication is controlled by the local PKI, I find this argument invalid.
  2. IPSec can be implemented in Authentication Header (AH) mode only. This would allow IDS to continue to see the packets. However, if only authenticated packets are allowed, wouldn't communication inside ESP be considered safe anyway? Why do we need IDS to check for attacks from trusted machines?
  3. True, but what does protect you? Patching. The transport of a worm is irrelevant in preventing it. Patching is the only protection. It's not 100% safe, but historically, Microsoft has had the patches out before attackers have released the exploit, often several months in advance. Even the most conservative environments should be capable of applying critical patches in a few weeks, which would still protect them in the majority of scenarios.

The fact is, patching is a pain, but it's a necessary evil. It's analogous to changing the oil in your car; it's something you have to do to protect your investment. Putting automation around the patching process is the single best investment a company can make from a security perspective. I have a customer with 200+ domain controllers, all part of a forest with a basic implementation of Software Update Services from Microsoft. Not a single DC has been hit by a worm in the three years they've been running SUS.

So, here's a customer unwilling to trust a patching solution that's kept them 100% safe. Instead, they want an additional level of "security" by preventing machines that are designed to talk to each other from doing so. I suppose this hits home for me because some of the federations I work with have hundreds of administrative personnel with hundreds of opinions, skill sets, etc. It can be challenging to get some of them to look at things a new way, especially if their own interpretation of history differs from mine.