Surviving in a hostile world  The myth of fortress applications  Tomas Olovsson CTO, Appgate Professor at Goteborg University, Sweden.


The view of the 90’s
 Modems are used for remote access
 The Internet is used primarily for , news and later also world wide web (www)
  – 1994 there were 500 web servers
  – 1995 there were 10,000
  – 2000 there were 30,000,000
 Security?
  – Private modem pools are managed and regarded as secure enough
  – A firewall is enough to protect the network from Internet threats
  – 1997: Question is what to buy: Stateful inspection firewall or application level firewall [Rik Farrow]

Around year 2000
 Mobile devices are becoming increasingly popular
  – Mobility: Computers move between networks – virus problem
  – Software: New software follows the tracks of mobile computers
  – Information: Internal information can easily be transferred
  – Devices: USB disks and memories begin to see the world
 Internal security is now being addressed
  – Not all devices are secure and trustworthy
  – Malicious software cannot be allowed to spread freely
  – Information cannot be trusted to all staff (“need to know”)
 The firewall?
  – It is still probably doing its job as intended

Traditional Internal Security
[Diagram: users, servers, personal firewalls, IDS system, WLAN, firewalls, switches and routers]
 Many networks lack internal protection
 Others are segmented with firewalls, switches, routers and other equipment
 Personal firewalls protect workstations
 IDS systems monitor traffic

[Diagram: network partitioned into Customer support, Accounting, Tech. department and Management segments]
Large networks are beginning to be partitioned

Today – Devices
 Internal security is more important than ever
 Mobile devices are in everyone’s possession
  – Devices will be moved to and from corporate networks: Laptops, USB sticks, portable disks, phones, PDAs, …
  – We should be able to check them before granting access
  – Some devices should not be allowed
  – Better control over internal information (authorisation, access control)
 WLAN access exists in many places
  – Networks are extended outside the firewall
  – Traffic from the outside may not even pass the firewall…
  – Our users communicate – risk for wiretapping
  – Other users use them without our authorisation
 VoIP will be the next thing to integrate

[Diagram: WLAN added outside the firewall, next to the Customer support, Accounting, Tech. department and Management segments]
Internal segmentation is even more important

Today and communications
 The Internet has replaced modems for remote access
 All users have access to mail and www
  – Companies without web servers do not exist
  – Many threats to www (scripts, malicious software, etc.)
 We need to access data from other organisations
  – Computers used to connect to ext. systems and share data
 Systems automatically connect to home servers
  – Software updates, anti-virus, etc. (“phone home”)
 Users are located everywhere
  – At home, remote offices, partners, customers, etc.
  – Information must be shared – it’s a business enabler
 Applications (e.g. p2p) can be disguised as p2p app’s
  – They use port 80 for “firewall friendly” access – no control

We can no longer hide behind a firewall
[Diagram: THE COMPANY surrounded by Partners, Product partners, Employees, Contractors, WLAN Access, Remote office, Home workers, Suppliers, Consultants and Outsourced resources]

Many complex solutions exist…
[Diagram: Mobile users with VPN, Firewall with IPSec VPN, Servers, Push system, IDS, Wireless Network, Internal firewalls, SSL VPN, Internet Users, Management dep’t., Product development]

The problem with a Firewall-centric view
Over time, the firewall will have many holes
[Diagram: firewall with openings for Mail, VPN, Legacy, Proxies, VoIP, Web, IM and Firewalls]

Remote access – a simple problem?
[Diagram: a Remote user on the Internet reaches a Server on the Internal network through the Firewall over a “VPN tunnel” into the Corporate network]

This is the same picture!
[Diagram: the same Remote user, Internet, Firewall, Internal network, Server and Corporate network, without the VPN tunnel]

This is what the firewall implements…

But once you are on the inside…
It used to be a modem… Now we have:
 Mobile computers, USB memories, PDAs
 Software, remote execution
 Internet access, remote access
 WLAN, 3G access
 www, p2p, VoIP
 mail, viruses, hacking tools
 personal firewalls
 outsourced administration
 etc.

Protection must be where the assets are
Protection at the source
 It does not matter how you got to the inside!

This would be easy to implement – provided...
 Each application server and client can protect itself
 There’s a central authentication system for all users
  – Applications should not have to deal with authentication
 And a distributed authorisation system
  – Each project (data owner) can decide who can do what
  – User roles must depend on authentication method, user’s role, type of device, client location, time of day, etc.
 Applications are only visible to authorised users
Then:
 No perimeter firewall would be needed (we would still keep it)
 No difference between local access and remote access!
 It would not even be necessary to have an internal network!

NAC – Network Access Control
 Goal: check the connecting device before granting network access
  – Non-accepted devices can be connected to quarantine networks where they can update software, etc.
  – Some products may support identity-based access control to networks
 Emerging technology initiated by many vendors:
  – But with different names (McAfee, Microsoft, Symantec, Cisco, …)

NAC – Network Access Control
 An interesting approach
  – Vendor approach to solve the problem with disappearing network boundaries
  – Means that the problems mentioned here are recognised
 Requires an infrastructure on the network which implements the protection
  – Protection is enforced by the network, not the end devices
  – Does not enable secure end-to-end communication with mutual authentication
  – May mean we get more point products to manage…

Network Access Control (NAC)
 NAC is complicated:
  – Checks whether endpoints meet security policies and updates configurations
  – Checks for and isolates endpoints and users that have made it onto the network and seem to be breaching security policies
 Management is done from different platforms depending on device and access type
  – RAS policies would be enforced by a VPN gateway
  – LAN user access enforced by switches and similar equipment
  – Does not offer mutual trust – just checking the connecting device

Network Access Control (NAC)
 Forrester believes NAC is not the future
  – Next version is PERM – proactive endpoint risk management
  – “Policy-based software technology that manages risk by integrating endpoint security, access control, identity and configuration management.”
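The admission decision the NAC slides describe (check the connecting device, park it in a quarantine network with a remediation list if it fails policy, otherwise admit it) as a small worked example. This is added code, not from the presentation or any NAC product; the report fields, thresholds and VLAN names are constructed for illustration. The caveat from the slides is built in: the posture report is self-asserted by the endpoint, so the decision is only as trustworthy as that report, and it establishes no mutual trust between the device and the services it will reach.

```python
"""Toy NAC admission decision (added example, not from the presentation)."""
from dataclasses import dataclass, field
from typing import List


@dataclass
class PostureReport:
    """What the connecting endpoint reports about itself (constructed fields).

    Note: this is asserted by the endpoint's own agent; the network can only
    check what it is told, which is the 'just checking the connecting device'
    limitation the slides point out.
    """
    device_id: str
    os_patch_level: int          # constructed: higher means more recent patches
    av_signature_age_days: int   # days since the last anti-virus signature update
    host_firewall_enabled: bool
    disk_encrypted: bool
    managed: bool                # enrolled in corporate device management


@dataclass
class AdmissionDecision:
    vlan: str
    remediation: List[str] = field(default_factory=list)


# Constructed policy thresholds and network names (hypothetical values).
MIN_PATCH_LEVEL = 42
MAX_AV_AGE_DAYS = 7
PRODUCTION_VLAN = "vlan-100-corp"
QUARANTINE_VLAN = "vlan-999-quarantine"   # only reaches update servers
GUEST_VLAN = "vlan-200-guest"             # Internet only, no internal access


def admit(report: PostureReport) -> AdmissionDecision:
    """Return the network to assign and what (if anything) must be fixed first."""
    # Unmanaged devices never reach the corporate network, whatever they report.
    if not report.managed:
        return AdmissionDecision(GUEST_VLAN, ["enrol device in management"])

    findings = []
    if report.os_patch_level < MIN_PATCH_LEVEL:
        findings.append(
            f"install OS patches (level {report.os_patch_level} < {MIN_PATCH_LEVEL})")
    if report.av_signature_age_days > MAX_AV_AGE_DAYS:
        findings.append("update anti-virus signatures")
    if not report.host_firewall_enabled:
        findings.append("enable host firewall")
    if not report.disk_encrypted:
        findings.append("enable disk encryption")

    # Any finding sends the device to quarantine, where it can update and retry.
    if findings:
        return AdmissionDecision(QUARANTINE_VLAN, findings)
    return AdmissionDecision(PRODUCTION_VLAN)


# Constructed sample reports.
HEALTHY_LAPTOP = PostureReport("lap-001", 45, 2, True, True, True)
STALE_LAPTOP = PostureReport("lap-002", 40, 10, True, False, True)
UNMANAGED_PHONE = PostureReport("phone-777", 45, 0, True, True, False)

if __name__ == "__main__":
    for report in (HEALTHY_LAPTOP, STALE_LAPTOP, UNMANAGED_PHONE):
        decision = admit(report)
        print(report.device_id, "->", decision.vlan, decision.remediation)
```

Running it shows the healthy laptop on the corporate VLAN, the stale laptop in quarantine with three items to fix, and the unmanaged phone on the guest VLAN. In a real deployment the same decision would be pushed to the switch or VPN gateway as a VLAN or filter assignment, which is the "enforced by the network, not the end devices" point from the slides.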

What is de-perimeterisation?
 Move security control closer to the source – to the end-points
 Be in total control of all users’ access rights
 Be in control of the connecting device
 Add policies that dictate how and under what circumstances each user can access each service
 Make access “seamless” and base it on cooperation between applications and users and the use of secure protocols
(short version of the Jericho Forum approach)

Move protection closer to application servers

The Jericho Forum Blueprint
 In a de-perimeterised world companies will have more systems not connecting to “their” network, but transacting via inherently secure protocols
 Tools: encryption, secure protocols, secure computer systems and data-level authentication
 User access can be granted based on his/her identity, authentication strength, location, time, type of device, etc.
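Both the "distributed authorisation system" slide (user rights depending on authentication method, role, device, location and time of day, with applications only visible to authorised users) and the Jericho Forum Blueprint slide above describe the same decision. The following is an added worked example of such a policy check, written for this page and not taken from the presentation or the Jericho Forum; the service names, roles, authentication strengths and time windows are constructed.

```python
"""Toy context-aware authorisation check (added example, not from the presentation)."""
from dataclasses import dataclass
from datetime import time
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class AccessContext:
    """Everything the decision may depend on, as the slides list it."""
    user: str
    role: str
    auth_method: str   # constructed values: "password", "otp", "smartcard"
    device: str        # constructed values: "managed", "byod"
    location: str      # constructed values: "office", "home", "public"
    at: time           # local time of the request


@dataclass(frozen=True)
class ServicePolicy:
    """Set by each data owner for their own service."""
    roles: FrozenSet[str]
    min_auth_strength: int
    allowed_devices: FrozenSet[str]
    allowed_locations: FrozenSet[str]
    hours: Tuple[time, time] = (time(0, 0), time(23, 59))   # inclusive window


# Constructed ranking of authentication methods.
AUTH_STRENGTH = {"password": 1, "otp": 2, "smartcard": 3}

# Constructed policies registered by two hypothetical data owners.
POLICIES: Dict[str, ServicePolicy] = {
    "accounting-db": ServicePolicy(
        roles=frozenset({"accountant", "cfo"}),
        min_auth_strength=2,
        allowed_devices=frozenset({"managed"}),
        allowed_locations=frozenset({"office", "home"}),
        hours=(time(6, 0), time(22, 0)),
    ),
    "intranet-wiki": ServicePolicy(
        roles=frozenset({"accountant", "cfo", "engineer", "support"}),
        min_auth_strength=1,
        allowed_devices=frozenset({"managed", "byod"}),
        allowed_locations=frozenset({"office", "home", "public"}),
    ),
}


def decide(policy: ServicePolicy, ctx: AccessContext) -> Tuple[bool, str]:
    """Evaluate one service policy against a request context.

    Every condition must hold; the first failing one names the reason so the
    user (or a log) can see which factor denied access.
    """
    if ctx.role not in policy.roles:
        return False, "role not authorised"
    if AUTH_STRENGTH.get(ctx.auth_method, 0) < policy.min_auth_strength:
        return False, "authentication too weak"
    if ctx.device not in policy.allowed_devices:
        return False, "device class not allowed"
    if ctx.location not in policy.allowed_locations:
        return False, "location not allowed"
    start, end = policy.hours
    if not (start <= ctx.at <= end):
        return False, "outside permitted hours"
    return True, "ok"


def visible_services(policies: Dict[str, ServicePolicy], ctx: AccessContext) -> List[str]:
    """Services a user may see at all: applications are only visible to authorised users."""
    return sorted(name for name, pol in policies.items() if decide(pol, ctx)[0])


# Constructed sample requests: the same accountant in three situations.
ACCOUNTANT_AT_OFFICE = AccessContext("alice", "accountant", "otp", "managed", "office", time(10, 0))
ACCOUNTANT_FROM_CAFE = AccessContext("alice", "accountant", "password", "byod", "public", time(10, 0))
ACCOUNTANT_LATE = AccessContext("alice", "accountant", "smartcard", "managed", "home", time(23, 30))

if __name__ == "__main__":
    for ctx in (ACCOUNTANT_AT_OFFICE, ACCOUNTANT_FROM_CAFE, ACCOUNTANT_LATE):
        print(ctx.location, ctx.auth_method, ctx.at, "->",
              decide(POLICIES["accounting-db"], ctx), visible_services(POLICIES, ctx))
```

The point the example makes is that the decision never asks where on the network the request came from in the firewall sense; the same policy produces the same answer for local and remote access, which is the "no difference between local access and remote access" outcome the earlier slide promises.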

[Timeline diagram: connectivity over time, ending in the effective breakdown of the perimeter]
Stages, from earliest to “Today”:
 Stand-alone Computing [Mainframe, Mini, PC’s]
 Local Area Networks – islands by technology
 Connectivity for Internet Connected LANs – interoperating protocols
 Internet Connectivity – Web, , Telnet, FTP
 External Working – VPN based external collaboration [Private connections]
 Limited Internet-based Collaboration
 Full Internet-based Collaboration
 Full de-perimeterised working – Consumerisation [Cheap IP based devices]
Drivers noted along the timeline: cost, flexibility, faster working; outsourcing and off-shoring; B2B & B2C integration, flexibility, M&A; low cost and feature rich devices