Republished with permission from WatchGuard Technologies, Inc.
The Ordo Cautela: Steps to Security
Fred Avolio, Avolio Consulting, Inc., www.avolio.com
The Christian reformer Martin Luther created
a revolutionary principle called the "ordo salutis" --
the order of salvation as applied to the sinful soul. The
"ordo" provided a structured way to discuss and consider
a very complex topic. In this article, I intend to describe the
"ordo cautela" -- the order or steps to security. My
assertions shouldn't cause the fuss that Luther's did, but just
as disagreements over what constitutes the ordo salutis have
persisted throughout the history of the Christian church, there
will be those who disagree with particulars I lay out here. Just
the same, I believe there is a logical order to security deployment.
Knowing that order will help us ask the right questions, at the
right times, and give us direction on moving forward. And direction
is definitely needed.
De Rerum Natura
Every security practitioner will tell you
that in order to have security that works, you must have a security
policy. And some companies do. Many do not. Many that do have one,
do not have one that is up-to-date, relevant, and matches reality.
For other businesses, the first inkling of a security policy was
conceived the day they installed their first firewall.
Most businesses view installed mechanisms
such as firewalls and desktop anti-virus software as being security
itself, rather than being part of a security infrastructure. The
thought is, "We have a firewall; therefore we are secure."
But a security tool in and of itself is not necessarily secure. Firewall configurations
change to match user wants masquerading as business requirements.
Is the firewall configured properly? Is our anti-virus database
up-to-date? Are our web servers sufficiently protected? We aren't
sure. Sometimes we'd rather not ask; it's too much like opening
an "ordo cautela" will provide a way of managing the
complexities. Even if it turns out not to be perfect, it's far
better than nothing. So the following is my recommended ordo
The first step is an analysis of the services that are required
for business. This is where we discover what is required for the
business to accomplish its mission, and then dig deeper and figure
out how those things required can be provided. (Beware. The hard
part is distinguishing wants from needs. Not only do we find it
hard to differentiate the two, but we also have a tendency to
mistake solutions for requirements. "We need port 2092 opened
on the firewall" is a solution. The user's "need"
is more accurately stated, "I want to play Descent3 over the
Internet and the firewall is in the way.")
2. Risk analysis. This is also sometimes called
vulnerability analysis or threat assessment. This is where we
identify the things we want to protect. These include highly
tangible things (web sites, personnel records, product plans), as
well as the less tangible (corporate image, branding, credibility).
We also postulate threats, assess vulnerabilities, and decide if
the cost of protection is worth the benefit. This is the part that scares many people off. Working
through risk analysis with insight and depth may require outside
expertise, but anyone involved in an enterprise's network security
group should be able to make a good start.
3. Security policy.
The security policy specifies allowed and denied behavior. It
lists controls (such as Internet firewalls) that are in place to
meet the business needs dictated by the business requirements
analysis, and the security needs dictated by the risk analysis.
This is where those two come together, and where differences are
reconciled. The finished security policy tells us not only that
we need a Firebox (for example), but also how it should be
Deployment. The security policy, with
accompanying procedures, addresses mechanisms to deploy and where
to deploy them. It has to cover:
We also want to verify that the actual
deployment matches what is dictated by the business requirements
and the risk analysis as married in the security policy.
5. Review and
Ever notice the directions found on many shampoo bottles?
"Lather, rinse, repeat." To the programmer, it constitutes
an endless loop. In this case, though, we do want an endless loop.
Threats change, vulnerabilities change, bad guys get "badder."
Technologies of defense change constantly. Business requirements
change as fast as the Internet offers up new services. So, periodic reevaluation
is my suggested ordo cautela. In a perfect world, we'd follow
these steps in order. But then in a perfect world, we'd not have
to worry about network attackers.
Okay, suppose you've already deployed your
firewall, you've got remote users dialing in, but you're not quite
sure why some of the exceptions in your security implementation
are there. That's okay. Not only is security a never-ending process;
it is also one that you can join at any time. Will you get it
perfect? Of course not. But that goes hand in hand with the security
adages, "There is no such thing as 'complete security' in a
usable system," and, "Security is not a static end state,
it is an interactive process."
Here's another relevant adage: "Concentrate
on known and probable threats." Do what you can do today,
continue to review and evaluate, keep track of what is left undone,
and you will move your organization (or at least its network)
toward greater and more easily managed security. And someday, if
hackers try something hellish on your network, who knows? --you
might find that following this "ordo" was your salvation.
article on best practices in policy development:
and web sites to help you develop security policies and
and Internet Security: Repelling the Wily Hacker,
Cheswick and Steve Bellovin. Addison-Wesley, June 1994.
Designing Systems for Internet
Treese and Larry Stewart, Addison-Wesley, 1998.
Web Security Sourcebook,
Rubin, Daniel Geer and Marcus Ranum. Wiley Computer Publishing,
Information Warfare and Security,
Denning. Addison-Wesley, 1999.
Information Security: Policies and Procedures
-- A Practitioner's Reference,
R. Peltier. CRC Press, Auerbach Publications, December 1998.
Information Systems Security Officer's Guide: Establishing and
Managing an Information Protection Program,
Gerald Kovacich. Butterworth-Heinemann, May
SANS Institute security policies, course notes:
Various papers and editorials about security
practices and products:
Computer Security Institute (CSI), http://www.gocsi.com/
Software tools, information archives, research
Project COAST (Computer Operations, Audit
and Security Technology), Purdue University, http://www.cerias.purdue.edu/coast/