fred avolio's musings

In reading the Firewall-Wizards thread under the subject VPNmadness gets more support, I thought of a paper I wrote almost 5 years ago, entitled The Rise and Fall of Internet Security. Still relevant, and not just because I am lazy, I repost “The Seven Things to Help Keep Sanity and Equilibrium” here. No one needs to tell us how to play this tug-of-war. If we are security professionals, we are already engaged in it. How do we stay in the game, while providing security and providing usability in a way that occasionally permits us to relax? Security professionals must remember (at least) the following seven truisms.

1. We ask for requirements, they give us solutions. It is very important to listen carefully and ask questions. When someone states “We need to allow the H.323 protocol through our firewall,” they have given you a solution. You might not know whether it is the best solution, but you must recognize it for what it is and gently push back. “What is your requirement?” You see, the requirement is probably something along the lines of this: We need to easily and inexpensively audio or video conference between groups X and Y.” By giving you the “solution,” you might be forced into opening up more (perhaps insecure) services through your firewall. Their proposed “solution” might not even be the best one for the application they truly wish to employ.
2. Many requirements are wants or desires in disguise. Sometimes you may be in a position to “grant wishes,” but it is important from a security point of view to understand what are business requirements and what are not. “We need you to open up UDP port 2092.” Might really mean, “I want to play Descent3 on the network with some of my buddies.” Once you know the want or desire, if it is contrary to a security or acceptable use policy, you can explain why this request cannot be satisfied. While it won’t make Descent3 users happy to know they cant play this RPG at work, treat the user as an adult by explaining a vulnerability, threat, and consequence that gave birth to the policy (see 3 as well).
3. It all has to do with numbers. The fewer the numbers of {supported services, permitted connections, outsiders allowed in, insiders allowed out, cluelessness}, the easier securing the network will be. If every sales person (lets say 100 of them) needs access to the entire inside network (500 computers), utilizing any possible Internet service (65,000), we end up with a level 9 problem (3.25E9). If every sales person actually only needs access to send and receive e-mail and web access to the sales web server we end up with a level 2 problem (6E2). Which would you rather have to deal with, a level 2 or level 9 earthquake?
4. The more granular (specific) we can be in our security measures, the easier it will be to secure the network at least, in the long run and the easier to provide services. This follows from number 2. Many corporate interoffice firewalls are configured to allow unlimited access from one site to another. It is far better to allow open access (if required) for only the required services between the offices. This is because…
5. If you have mistakenly disabled a required service, you will hear about it. If you allow an insecure service over which someone can launch an attack, you may never know about it. This is a corollary to the axiom, “that which is not expressly permitted is prohibited.” When unsure about a service, better to disable it and incur the temporary wrath of service users than to expose your network to attack.
6. It is the responsibility of the clueful to clue in the clueless. We must remember that the clueless may and should make good and proper use of the Internet: this is a Good Thing. Simply put, it is a benefit for our jobs and our society that computers are accessible to almost anyone. People are not stupid just because they do not know that “macros” in a document running in word processor are actually programs and to be treated with suspicion. They do not have to know what is behind a web page in order to use it, but they should have enough security education your job perhaps to know when to stop and think (“Click here to infect your machine”).
7. Equilibrium is more than just good. Equilibrium is winning.