I will expand on this at a later date, however the possibility of _not_ just using QOS as a marking and dropping mechanism for malicious packets, but using it as a fingerprint and trust mechanism for hosts is appealing.
By using a specific subset of DSCP values, marked by a 'trusted' host's binary, a QOS fingerprint of perhaps a few DSCP values may be used by a network to permit packets to traverse the network. Each organisations network would have a different DSCP fingerprint making it even harder for malicious binaries to arbitrarily spread using standard packets.
The concept of trust may need to be addressed via some form of NAC ( Network Admission Control ) and this becomes tightly coupled with the concept of a well developed and understood SOE ( Standard Operating Environment ).
Having a 'Scavenger' class at your disposal is handy from a QOS perspective also as it allows you to protect the 'Control Plane' of the network from DSCP values you are unsure of also.
So you either explicitly drop anything not in your DSCP fingerprint, or place in a 'Scavenger' class that cannot harm your network, albeit it could be a malicious packet that exploits your next host!
Maybe even cycle the markings in a sequential manner e.g. a rotating key based system....
Wednesday, July 26, 2006
Saturday, June 17, 2006
BYO RFC
'Risk in a Box': IP Bubblewrap 
A technology risk framework and data visualisation methodology for an IP organisation based upon empirical data, end to end flow / type, control / data planes, connectedness, trust levels, *known* vulnerabilities and threats. This framework hopes to assist individuals and organisations quantify risks to an IP infrastructure and services by enumerating current traffic and threats, rather than a 'perception' of risk and threat in relation to the unknown, which incidentally, is infinite and unquantifiable with the elapsing of time.
The author hopes to help foster, more so, an enumeration and enablement of the positive or 'valid' data/services in extreme or unforeseen circumstances, rather than attempting to enumerate the unknown or 'invalid' negative conditions. However, enumerating the *currently* known negative will help to quantify and frame technology risk overall. Due to the challenges of complexity, a very generic breakdown will be applied which will hopefully be improved upon and refined in the future. The focus is on the actual flows, relationships, dependencies and interfaces to IP services, rather than on specific valuation of data at rest.
Aside: From the title the term 'IP' may be used to represent either, 'Internet Protocol' or 'Information Protection', but not 'Intellectual Property', and is used in the 'Internet Protocol' terminology throughout this paper.
Technology risk is viewed as a subset of overall business risk and may be attributed different weightings based upon an organisation or individuals perception of their reliance upon certain technology areas.
Problem Statement
==================
The complexity and velocity of information technology in IP enabled organisations is such that irrespective of dimensioning and design, the majority of organisations face similar challenges relating to information based asset classification and information protection; thanks mainly to the underlying intricacy of protocols, node relationships, operating systems, applications etc. and the management, operation, integrity and stability of all of the above.
Unfortunately from the macro-organisational view it can be hard to prioritise information flows and services , as different groups or individuals may not posses enough knowledge about the transports and technologies that enable their distinct applications or business processes. This in turn leads to a sub-optimal allocation of resources and / or a skewed view of the organisations IP enabled world. It is very easy to see the end result of a product or new application, but very hard to see the intrinsic use of the IP network, operating systems and dependencies upon which, enable the actual operation and availability of said application or product.
From the micro-view, a single entry in a logfile, a certain vulnerability, attack or potential loss in data integrity may cause catastrophic consequences to the ability of an organisation to operate effectively or in some cases even at all. Some circumstances may result in either systematic degradation of service over time and others in immediately quantifiable revenue loss (albeit generally not with any form of guaranteed accuracy).
There exists no common or easily applied methodology or framework to help contextualise the connectedness, dependencies, threats and risks to an organisation which finds itself heavily dependent upon IP based services.
Overview
========
Certainly different individuals ( be they IT management, IT executive or not.. ) may attribute different values to information assets, however common or shared infrastructure, protocols, services and/or data have more far-reaching consequences to an organisations function and ongoing stable operations than they may initially be privy to. It is with this understanding that a baseline or sliding window must be established across an organisation to facilitate macro classification of services, data and nodes. It should be noted this is only one way to interpret and view an IP enabled organisation.
Nodes
=====
a) transit / infrastructure node
( Routers, firewalls, load balancers, VPN concentrators, GGSN, MMSC, IDP, or anything that facilitates a flow between endpoints. Traffic may be generated by a 'transit node' for the purposes of management, reporting etc however these flows should be attributed to (c) below... this node type includes nodes that store related configuration and management data e.g Network Management Systems / MOMs / OSS )
IT workers laptops and desktops are defined as type (a) nodes as they are viewed as supporting and adding value to the infrastructure and services, as are servers running services such as Active Directory, Native LDAP, DNS etc...
b) endpoint / business node
( Customers, clients, servers or any standard end to end connectivity / flow that terminates or generates explicitly business or revenue related traffic. These nodes should not be related to the operation, management and reporting functionalities of the underlying infrastructure or network... and do include nodes that store related billing, company financial, customer, ordering / provisioning data etc )
Services
========
c) infrastructure control and protocols ( business infrastructure and process support )
( BGP/OSPF/EIGRP/MPLS suite/RIP/DNS/NTP/SYSLOG/LDAP/Radius/SSH(SFTP/SCP)*/TELNET/TFTP/FTP/SNMP/RPC/ICMP/SIP/H323... )
d) data / payload and protocols. ( business product / service / customer / transaction information related )
( SMTP, HTTP, HTTPS, FTP, Radius, SSH(SFTP/SCP)*, NFS, CIFS, SQL based, Mediation / Billing based, CRM based, ERP based, Financial / HR based )
With the above in mind, a node of type (a) may facilitate services or data of type (c) and / or (d) but should only generate (c) itself. A node (b) should only facilitate services and data of type (d), though may generate its own infrastructure traffic (c) such as SNMP traps, Syslog, authentication traffic and standard name resolution protocols etc.
More granularity will be introduced at a later date for protocol types assigned to service types (c) and (d) which can be weighted to influence metrics. Tunnelled protocols may be viewed as separate flows during and after encapsulation, and would be attributed similar values unless transiting different 'trust' basis. ( See 'Trust' section. )
* Note: the author would like to express the desire to be able to tag traffic with a 16 character word rather than just DSCP / MPLS labels and hopes that with the increase in 'Service Orientated Architectures' that protocols such as the ones used by Tibco may be 'peered' in to by IPFIX based flow reporting for example. An application that could prefix or mark itself in the actual payload in clear text with a 'subject' which may be matched via something like FPM ( Flexible Packet Matching ) and treated uniquely by the network would be believed to be beneficial.
Control (Infrastructure) plane / Payload (Data) plane
=====================================================
As the 'Risk in a Box' framework views the nodes and services breakdown, the question is 'where do they fit?'. From a business context it is here that one may view the IP enabled organisation in two operational planes.
1. The "Payload" plane containing (b) - endpoint / business nodes and (d) data / payload services
2. The "Control" plane containing (a) transit / infrastructure nodes and (c) infrastructure services
Trust
=====
The concept of 'trust' is to be applied to different IP segments and / or hosts based upon their overall IP reachability, posture, user / systems access and can be somewhat qualitative though needn't be.
There exists three trust domains that should be assigned by those knowledgeable of the organisations overall IT architecture:
1. Trusted ( e.g. internal only services and networks on which only trusted employees or systems operate upon, Intranet etc. )
2. Semi-Trusted
3. Un-Trusted ( e.g. Internet etc )
Many may disagree here and say that some if not all segments and hosts should be treated as 'un-trusted', however this is not the reality we find ourselves occupying and with 'defense in depth' strategies and layered security models, certain factors including cost, resources, technology and expertees dictate trade-offs such that hosts or networks are viewed in these categories or treated as such.
Connectedness and Importance (CI)
=================================
Value (CI) 0-1
Inherent in the degree of connectedness is indeed an intrinsic measure of value, but residing moreso in the context and frequency of transiting or terminating flows. This quantification applies more accurately to controlled or trusted organisational segments as only valid business traffic should exist on the aforementioned 'Control plane' and 'Payload plane'.
Entropy may be increased for nodes facing 'non-trusted' segments like the Internet, or Extranet paths that do not invoke rate-limiting or QOS when required.
Example argument: something like a 'flash crowd' to some piece of static content on a web server may not actually increase the value of an access/border gateway router or firewall that carries no real service of type (d) business product / service. It would however highlight a delta in traffic and a possible DOS ( Denial of Service ) condition to any other services that utilised that shared connectivity path such as external DNS resolution. Theoretically at any time the maximum number of flows either to or transiting a device is constrained by a combination of factors such as total IP host reachability, upstream bandwidth and resources in servicing such IP flows from a CPU, memory and hardware perspective. This may temporarily raise the importance metric enough to warrant attention or to highlight the need for certain corrective measures.
From the 'Control plane' it is possible to extract flow information regarding all endpoint IP enabled devices, their unique and common relationships, flow types and frequencies. This facilitation of flows highlights the importance of the 'Control plane' and the degree of connectedness is most easily, accurately and economically drawn from 'flow' enabled nodes of type (a). Flows may be garnered from nodes of type (b) with host agents such as Argus etc but can be platform specific and do not scale as easily. In future, off-box, auditable host flow records may be warranted / recommended. For more information about IPFIX or flows please view RFC 3917.
For the moment the concept of the number of flows transiting a node of type (a) shall give it increased value over an assigned base value. The additional value of the type (a) node shall be calculated by virtue of the number and frequency of type (c) and (d) flows with weightings being attributed accordingly. ( as they undoubtedly will differ per organisation and associated usage of non-standard or arbitrary high ports. This will be discussed in detail at a later stage and also depends upon positioning and trust values. )
Nodes of type (b), be they server or client may also be attributed a base value and assigned additional value by virtue of the number and frequency of type (c) and (d) flows they entertain. Naturally a server should host more sessions than a client, be they client to server authentication, server to server traffic, or server to database etc. Should a client side device be experiencing high volumes of *valid* traffic then it may highlight the actual importance of the function of that client machine be they user or automated sessions. This may also help to highlight devices that should be deemed as servers and treated as such or some other anomalous or non-acceptable/invalid use or traffic. There will always be exceptions to this rule.
Aside: an 'End System Multicast' or legitimate 'Peer to Peer' application may break this concept though multicast should be a distinct address range and the legitimate Peer to Peer traffic may be re-classified in to a less weighted flow type. Auto-discovery and port scanning nodes should be known in advance and should be a special case of type (a) nodes, anything else would suggest 'invalid / negative' traffic and should a workstation peak in terms of flow frequency, it would be deemed grounds for investigation.
k = total classifications of C flows decided upon in terms of priority where k is a whole number and x=1 is the most important flow or flow group.
s = total classifications of D flows decided upon in terms of priority where s is a whole number and x=1 is the most important flow or flow group.
Table 1 ( Partial) :
---------------------------------------
C Flows weighting( Classification/Priority x = {1..k} )
c(x) = k / ( x² + k )
D Flows weighting ( Classification/Priority x = {1..s} )
d(x) = s / ( x² + s )
----------------------------------------
z(c1) = number of C1 priority flows per time period 't' in seconds where z is a number between 0 and ? ( hmmm, problems with upper bounds.. )
z(d1) = number of D1 priority flows per time period 't' in seconds where z is a number between 0 and ? ( hmmm, problems with upper bounds.. )
It is recommended that 't' is set low initially ~ 1 week.
Payload plane node: Connectedness / Importance (CI) = not sure of my maths here yet but some sort of integral over a set!
Control plane node: Connectedness / Importance (CI ) = not sure of my maths here yet but some sort of integral over a set!
Vulnerabilties and Threats (VT)
===============================
Value (VT) 0-1
Without re-inventing the wheel the http://www.first.org/ CVSS ( Common Vulnerability Scoring System ) shall be used as a metric to help enumerate known vulnerabilities in the organisation. The vulnerability / threat concept shall be that of a 0-1 value and may have other properties based upon the 'Trust' level as viewed by the organisation.
Actually relating these metrics to the organisation will require a 'Vulnerability Assessment' of sorts, which may be in the form of an automated tool or manual process. It is hoped that calcuations may be done automatically in the future based upon some form of 'risk' or correlation engine that can take feeds from CVSS enabled vulnerability scanners. It is recommended that a vulnerability scanner should be given ubiquitous access to segments either locally or such that if future ACL of FW changes occur all known/existing vulnerabilities are still capable of being enumerated. It should be noted that vulnerability scanning contains risks of its own regarding stability and availability. Such scanners would be treated as type (a) nodes.
IDS/IDP/IPS may also feed in to these figures as confirmation and escalation of threat levels.
A known vulnerability or multiple vulnerabilities for a node generates a (V) value, that is multiplied should the trust profile and/or known flows, posture or IDS confirm the threat (T).
Data Visualisation 'IP Bubblewrap'
==================================
The concept is that of a 3D / isometric cube which plots two distinct planes made up of equi-sized bubbles ( a 'bubblewrap' malleable plane each if you will... ) Bubbles may be considered as individual nodes, but more generally will be groups of nodes with similar connectedness / flows / posture / or IP prefixes. Bubbles shall attempt to cling together ( e.g. have some form of stickiness ) to provide a single viewable plane, but when queried directly will represent exact figures.
The Control plane [type (a) nodes/groups] starts as one horizontal plane at the base of the cube , and the Payload plane [type (b) nodes/groups] is another horizontal plane starting at the middle, thus the cube is sub-divided horizontally in to a Control space and Payload space. All values vary between 0 and 1 and as such the actual planes that may be inhabited form two short, squat vertical cylinders.
The four sides of the cube represent 'Trust' levels e.g. 2x Trusted(opposite), 1x Semi-Trusted and 1x Un-Trusted - which allow for ( the majority of which should be ) 'trusted' hosts, but may be skewed towards the 'non-trusted' or 'semi-trusted' to be graphed along a diagonal border of two zones for visual purposes.
Distance from the cubes sides to the centrepoint horizontally are considered measures of connectedness and importance (CI). The closer to the center a bubble is, defines more connected and more important, whereas towards the edge defines less connected and less important. A node may have thousands of flows per second which may not be of any major importance to the business, or a host may have few flows of major importance to the business.
Risk is calculated as the inverse of the distance between the node and the apex of the cube/cyclinder and is a value between 1 - 100.
Basically the closer to the centre of the cube and the higher, the greater the risk.
Multiple views may be taken and filtered upon, including a node or 'bubble' in the Payload plane that has a relationships or reliance with nodes on the Control plane. This can be easily addressed via flows and / or SNMP with normal topological data, but would correlate risk very quickly and give good visual interpretations thereof. Also most topological data uses graphs to visualise, but as this is a risk map two 'bubbles' [type (b) nodes or groups] may sit next to each other, even touch but not have direct connectivity. They may only speak down to the Control plane and back up to the Payload plane ( unless similar segments with different risk ratings ).
Risk
====
Risk = 1 ÷ √ ( ( 1 - VT )² + ( CI )² )
A technology risk framework and data visualisation methodology for an IP organisation based upon empirical data, end to end flow / type, control / data planes, connectedness, trust levels, *known* vulnerabilities and threats. This framework hopes to assist individuals and organisations quantify risks to an IP infrastructure and services by enumerating current traffic and threats, rather than a 'perception' of risk and threat in relation to the unknown, which incidentally, is infinite and unquantifiable with the elapsing of time.
The author hopes to help foster, more so, an enumeration and enablement of the positive or 'valid' data/services in extreme or unforeseen circumstances, rather than attempting to enumerate the unknown or 'invalid' negative conditions. However, enumerating the *currently* known negative will help to quantify and frame technology risk overall. Due to the challenges of complexity, a very generic breakdown will be applied which will hopefully be improved upon and refined in the future. The focus is on the actual flows, relationships, dependencies and interfaces to IP services, rather than on specific valuation of data at rest.
Aside: From the title the term 'IP' may be used to represent either, 'Internet Protocol' or 'Information Protection', but not 'Intellectual Property', and is used in the 'Internet Protocol' terminology throughout this paper.
Technology risk is viewed as a subset of overall business risk and may be attributed different weightings based upon an organisation or individuals perception of their reliance upon certain technology areas.
Problem Statement
==================
The complexity and velocity of information technology in IP enabled organisations is such that irrespective of dimensioning and design, the majority of organisations face similar challenges relating to information based asset classification and information protection; thanks mainly to the underlying intricacy of protocols, node relationships, operating systems, applications etc. and the management, operation, integrity and stability of all of the above.
Unfortunately from the macro-organisational view it can be hard to prioritise information flows and services , as different groups or individuals may not posses enough knowledge about the transports and technologies that enable their distinct applications or business processes. This in turn leads to a sub-optimal allocation of resources and / or a skewed view of the organisations IP enabled world. It is very easy to see the end result of a product or new application, but very hard to see the intrinsic use of the IP network, operating systems and dependencies upon which, enable the actual operation and availability of said application or product.
From the micro-view, a single entry in a logfile, a certain vulnerability, attack or potential loss in data integrity may cause catastrophic consequences to the ability of an organisation to operate effectively or in some cases even at all. Some circumstances may result in either systematic degradation of service over time and others in immediately quantifiable revenue loss (albeit generally not with any form of guaranteed accuracy).
There exists no common or easily applied methodology or framework to help contextualise the connectedness, dependencies, threats and risks to an organisation which finds itself heavily dependent upon IP based services.
Overview
========
Certainly different individuals ( be they IT management, IT executive or not.. ) may attribute different values to information assets, however common or shared infrastructure, protocols, services and/or data have more far-reaching consequences to an organisations function and ongoing stable operations than they may initially be privy to. It is with this understanding that a baseline or sliding window must be established across an organisation to facilitate macro classification of services, data and nodes. It should be noted this is only one way to interpret and view an IP enabled organisation.
Nodes
=====
a) transit / infrastructure node
( Routers, firewalls, load balancers, VPN concentrators, GGSN, MMSC, IDP, or anything that facilitates a flow between endpoints. Traffic may be generated by a 'transit node' for the purposes of management, reporting etc however these flows should be attributed to (c) below... this node type includes nodes that store related configuration and management data e.g Network Management Systems / MOMs / OSS )
IT workers laptops and desktops are defined as type (a) nodes as they are viewed as supporting and adding value to the infrastructure and services, as are servers running services such as Active Directory, Native LDAP, DNS etc...
b) endpoint / business node
( Customers, clients, servers or any standard end to end connectivity / flow that terminates or generates explicitly business or revenue related traffic. These nodes should not be related to the operation, management and reporting functionalities of the underlying infrastructure or network... and do include nodes that store related billing, company financial, customer, ordering / provisioning data etc )
Services
========
c) infrastructure control and protocols ( business infrastructure and process support )
( BGP/OSPF/EIGRP/MPLS suite/RIP/DNS/NTP/SYSLOG/LDAP/Radius/SSH(SFTP/SCP)*/TELNET/TFTP/FTP/SNMP/RPC/ICMP/SIP/H323... )
d) data / payload and protocols. ( business product / service / customer / transaction information related )
( SMTP, HTTP, HTTPS, FTP, Radius, SSH(SFTP/SCP)*, NFS, CIFS, SQL based, Mediation / Billing based, CRM based, ERP based, Financial / HR based )
With the above in mind, a node of type (a) may facilitate services or data of type (c) and / or (d) but should only generate (c) itself. A node (b) should only facilitate services and data of type (d), though may generate its own infrastructure traffic (c) such as SNMP traps, Syslog, authentication traffic and standard name resolution protocols etc.
More granularity will be introduced at a later date for protocol types assigned to service types (c) and (d) which can be weighted to influence metrics. Tunnelled protocols may be viewed as separate flows during and after encapsulation, and would be attributed similar values unless transiting different 'trust' basis. ( See 'Trust' section. )
* Note: the author would like to express the desire to be able to tag traffic with a 16 character word rather than just DSCP / MPLS labels and hopes that with the increase in 'Service Orientated Architectures' that protocols such as the ones used by Tibco may be 'peered' in to by IPFIX based flow reporting for example. An application that could prefix or mark itself in the actual payload in clear text with a 'subject' which may be matched via something like FPM ( Flexible Packet Matching ) and treated uniquely by the network would be believed to be beneficial.
Control (Infrastructure) plane / Payload (Data) plane
=====================================================
As the 'Risk in a Box' framework views the nodes and services breakdown, the question is 'where do they fit?'. From a business context it is here that one may view the IP enabled organisation in two operational planes.
1. The "Payload" plane containing (b) - endpoint / business nodes and (d) data / payload services
2. The "Control" plane containing (a) transit / infrastructure nodes and (c) infrastructure services
Trust
=====
The concept of 'trust' is to be applied to different IP segments and / or hosts based upon their overall IP reachability, posture, user / systems access and can be somewhat qualitative though needn't be.
There exists three trust domains that should be assigned by those knowledgeable of the organisations overall IT architecture:
1. Trusted ( e.g. internal only services and networks on which only trusted employees or systems operate upon, Intranet etc. )
2. Semi-Trusted
3. Un-Trusted ( e.g. Internet etc )
Many may disagree here and say that some if not all segments and hosts should be treated as 'un-trusted', however this is not the reality we find ourselves occupying and with 'defense in depth' strategies and layered security models, certain factors including cost, resources, technology and expertees dictate trade-offs such that hosts or networks are viewed in these categories or treated as such.
Connectedness and Importance (CI)
=================================
Value (CI) 0-1
Inherent in the degree of connectedness is indeed an intrinsic measure of value, but residing moreso in the context and frequency of transiting or terminating flows. This quantification applies more accurately to controlled or trusted organisational segments as only valid business traffic should exist on the aforementioned 'Control plane' and 'Payload plane'.
Entropy may be increased for nodes facing 'non-trusted' segments like the Internet, or Extranet paths that do not invoke rate-limiting or QOS when required.
Example argument: something like a 'flash crowd' to some piece of static content on a web server may not actually increase the value of an access/border gateway router or firewall that carries no real service of type (d) business product / service. It would however highlight a delta in traffic and a possible DOS ( Denial of Service ) condition to any other services that utilised that shared connectivity path such as external DNS resolution. Theoretically at any time the maximum number of flows either to or transiting a device is constrained by a combination of factors such as total IP host reachability, upstream bandwidth and resources in servicing such IP flows from a CPU, memory and hardware perspective. This may temporarily raise the importance metric enough to warrant attention or to highlight the need for certain corrective measures.
From the 'Control plane' it is possible to extract flow information regarding all endpoint IP enabled devices, their unique and common relationships, flow types and frequencies. This facilitation of flows highlights the importance of the 'Control plane' and the degree of connectedness is most easily, accurately and economically drawn from 'flow' enabled nodes of type (a). Flows may be garnered from nodes of type (b) with host agents such as Argus etc but can be platform specific and do not scale as easily. In future, off-box, auditable host flow records may be warranted / recommended. For more information about IPFIX or flows please view RFC 3917.
For the moment the concept of the number of flows transiting a node of type (a) shall give it increased value over an assigned base value. The additional value of the type (a) node shall be calculated by virtue of the number and frequency of type (c) and (d) flows with weightings being attributed accordingly. ( as they undoubtedly will differ per organisation and associated usage of non-standard or arbitrary high ports. This will be discussed in detail at a later stage and also depends upon positioning and trust values. )
Nodes of type (b), be they server or client may also be attributed a base value and assigned additional value by virtue of the number and frequency of type (c) and (d) flows they entertain. Naturally a server should host more sessions than a client, be they client to server authentication, server to server traffic, or server to database etc. Should a client side device be experiencing high volumes of *valid* traffic then it may highlight the actual importance of the function of that client machine be they user or automated sessions. This may also help to highlight devices that should be deemed as servers and treated as such or some other anomalous or non-acceptable/invalid use or traffic. There will always be exceptions to this rule.
Aside: an 'End System Multicast' or legitimate 'Peer to Peer' application may break this concept though multicast should be a distinct address range and the legitimate Peer to Peer traffic may be re-classified in to a less weighted flow type. Auto-discovery and port scanning nodes should be known in advance and should be a special case of type (a) nodes, anything else would suggest 'invalid / negative' traffic and should a workstation peak in terms of flow frequency, it would be deemed grounds for investigation.
k = total classifications of C flows decided upon in terms of priority where k is a whole number and x=1 is the most important flow or flow group.
s = total classifications of D flows decided upon in terms of priority where s is a whole number and x=1 is the most important flow or flow group.
Table 1 ( Partial) :
---------------------------------------
C Flows weighting( Classification/Priority x = {1..k} )
c(x) = k / ( x² + k )
D Flows weighting ( Classification/Priority x = {1..s} )
d(x) = s / ( x² + s )
----------------------------------------
z(c1) = number of C1 priority flows per time period 't' in seconds where z is a number between 0 and ? ( hmmm, problems with upper bounds.. )
z(d1) = number of D1 priority flows per time period 't' in seconds where z is a number between 0 and ? ( hmmm, problems with upper bounds.. )
It is recommended that 't' is set low initially ~ 1 week.
Payload plane node: Connectedness / Importance (CI) = not sure of my maths here yet but some sort of integral over a set!
Control plane node: Connectedness / Importance (CI ) = not sure of my maths here yet but some sort of integral over a set!
Vulnerabilties and Threats (VT)
===============================
Value (VT) 0-1
Without re-inventing the wheel the http://www.first.org/ CVSS ( Common Vulnerability Scoring System ) shall be used as a metric to help enumerate known vulnerabilities in the organisation. The vulnerability / threat concept shall be that of a 0-1 value and may have other properties based upon the 'Trust' level as viewed by the organisation.
Actually relating these metrics to the organisation will require a 'Vulnerability Assessment' of sorts, which may be in the form of an automated tool or manual process. It is hoped that calcuations may be done automatically in the future based upon some form of 'risk' or correlation engine that can take feeds from CVSS enabled vulnerability scanners. It is recommended that a vulnerability scanner should be given ubiquitous access to segments either locally or such that if future ACL of FW changes occur all known/existing vulnerabilities are still capable of being enumerated. It should be noted that vulnerability scanning contains risks of its own regarding stability and availability. Such scanners would be treated as type (a) nodes.
IDS/IDP/IPS may also feed in to these figures as confirmation and escalation of threat levels.
A known vulnerability or multiple vulnerabilities for a node generates a (V) value, that is multiplied should the trust profile and/or known flows, posture or IDS confirm the threat (T).
Data Visualisation 'IP Bubblewrap'
==================================
The concept is that of a 3D / isometric cube which plots two distinct planes made up of equi-sized bubbles ( a 'bubblewrap' malleable plane each if you will... ) Bubbles may be considered as individual nodes, but more generally will be groups of nodes with similar connectedness / flows / posture / or IP prefixes. Bubbles shall attempt to cling together ( e.g. have some form of stickiness ) to provide a single viewable plane, but when queried directly will represent exact figures.
The Control plane [type (a) nodes/groups] starts as one horizontal plane at the base of the cube , and the Payload plane [type (b) nodes/groups] is another horizontal plane starting at the middle, thus the cube is sub-divided horizontally in to a Control space and Payload space. All values vary between 0 and 1 and as such the actual planes that may be inhabited form two short, squat vertical cylinders.
The four sides of the cube represent 'Trust' levels e.g. 2x Trusted(opposite), 1x Semi-Trusted and 1x Un-Trusted - which allow for ( the majority of which should be ) 'trusted' hosts, but may be skewed towards the 'non-trusted' or 'semi-trusted' to be graphed along a diagonal border of two zones for visual purposes.
Distance from the cubes sides to the centrepoint horizontally are considered measures of connectedness and importance (CI). The closer to the center a bubble is, defines more connected and more important, whereas towards the edge defines less connected and less important. A node may have thousands of flows per second which may not be of any major importance to the business, or a host may have few flows of major importance to the business.
Risk is calculated as the inverse of the distance between the node and the apex of the cube/cyclinder and is a value between 1 - 100.
Basically the closer to the centre of the cube and the higher, the greater the risk.
Multiple views may be taken and filtered upon, including a node or 'bubble' in the Payload plane that has a relationships or reliance with nodes on the Control plane. This can be easily addressed via flows and / or SNMP with normal topological data, but would correlate risk very quickly and give good visual interpretations thereof. Also most topological data uses graphs to visualise, but as this is a risk map two 'bubbles' [type (b) nodes or groups] may sit next to each other, even touch but not have direct connectivity. They may only speak down to the Control plane and back up to the Payload plane ( unless similar segments with different risk ratings ).
Risk
====
Risk = 1 ÷ √ ( ( 1 - VT )² + ( CI )² )
Thursday, June 08, 2006
Looking forward?
So what about IPv6's innate ability to source-route? Perhaps it could allow for the types of 'sinkhole' discussed below, such that a valid / active node on the network would opt-in to route through a 'security gateway'.. everyone else is deemed bad?
Just a thought... don't shoot the messenger!
Just a thought... don't shoot the messenger!
Monday, June 05, 2006
Why can't I have my 'Intelligent Packets' and eat them too?
This may sound like a form of network DRM.. however let's motor on shall we?
Idea I: could an app call the local host TCP implementation ( An addtional API/feature? ) to write a bit to the TCP header similar to TOS/DSCP/Precedence to define the *Confidentiality* or *Useability* of a packet and would it be honored in transit or at the endpoint? Could you just reserve an existing 'Class'? or have you used them all already? Is IPnIP a possibility for 'intelligent packets' or must it be an 'intelligent network'? Does this all go out the window with IPv6 or should we be building more security in to the type of data object with our v6 stacks and be more in synch with our 'shrinking permieters' ?
Idea II: Why not use intentional enterprise 'sinkholes' to achieve TIA ( Total Information Awareness ) on your cores.. and watch everything realtime? Lots of negatives here but bear with me a minute.. more for Enterprise than Telco...
Over-ride the standard default route, or force edge traffic to the regional or local core first... whereupon you can watch and/or look at session data? It would be too hard to change hosts default gateways and not practical/achievable anyway. Why not turn the IDS / Sniffing mentality inside out? Force the traffic to high bandwidth cores for inspection cleaning/recording/scrubbing? Combine it with edge IPFIX/Flows? Cmon' BW is not a problem anymore, only in ASIAPAC ;)
For real life examples ( only from a 'billing' perspective.. ) Cisco's Intelligent Service Solution:
http://www.cisco.com/en/US/products/ps6588/products_ios_protocol_group_home.html
and
Service Control Engine:
http://www.cisco.com/en/US/products/ps6150/products_data_sheet0900aecd801d8564.html
But from an Enterprise security and assurance perspective.... anyway watch this space.. I will think about this some more....
Idea I: could an app call the local host TCP implementation ( An addtional API/feature? ) to write a bit to the TCP header similar to TOS/DSCP/Precedence to define the *Confidentiality* or *Useability* of a packet and would it be honored in transit or at the endpoint? Could you just reserve an existing 'Class'? or have you used them all already? Is IPnIP a possibility for 'intelligent packets' or must it be an 'intelligent network'? Does this all go out the window with IPv6 or should we be building more security in to the type of data object with our v6 stacks and be more in synch with our 'shrinking permieters' ?
Idea II: Why not use intentional enterprise 'sinkholes' to achieve TIA ( Total Information Awareness ) on your cores.. and watch everything realtime? Lots of negatives here but bear with me a minute.. more for Enterprise than Telco...
Over-ride the standard default route, or force edge traffic to the regional or local core first... whereupon you can watch and/or look at session data? It would be too hard to change hosts default gateways and not practical/achievable anyway. Why not turn the IDS / Sniffing mentality inside out? Force the traffic to high bandwidth cores for inspection cleaning/recording/scrubbing? Combine it with edge IPFIX/Flows? Cmon' BW is not a problem anymore, only in ASIAPAC ;)
For real life examples ( only from a 'billing' perspective.. ) Cisco's Intelligent Service Solution:
http://www.cisco.com/en/US/products/ps6588/products_ios_protocol_group_home.html
and
Service Control Engine:
http://www.cisco.com/en/US/products/ps6150/products_data_sheet0900aecd801d8564.html
But from an Enterprise security and assurance perspective.... anyway watch this space.. I will think about this some more....
Sunday, March 26, 2006
A Ph.D, product or pet project?
Been thinking lately I would like to continue learning Python by building something other than my Netscreen config parsers ( note: also helping me to get back to OO programming... )
So right now I am still thinking of my distributed gaming / network viz platform ( http://bsdosx.blogspot.com/2005/07/i-wish.html ) that turns close to all supported nodes in to both collectors, engines and viewing platforms. ( Would love to do touch-screen also a la: http://www.youtube.com/watch?v=iVI6xw9Zph8 , but that's Phase 2 :p )
Constituent parts thus far include VTK http://public.kitware.com/VTK/index.php , Twisted python http://twistedmatrix.com/trac/ , and a perhaps an ESM ( End System Multicast ) http://esm.cs.cmu.edu engine for scaling, congestion etc rather than relying upon network based multicast in heterogeneous environments.
Bittorrent to distribute updates, policy and new functionality. DNS as a common C&C ( Command and Control ) channel for a 'Nematoad' ( nematode ) new sub-domain. Maybe use the domain as a test with RFC 1918 IP address space to stay within yor enterprise borders ( Urk, 'cept for extranets and other examples of double/sinlge NAT that may impinge! ). Also maybe use intentional defects in the SOEs to replicate to valid hosts rather than actual exploits.
If anyone is aware of Australian courses offering 'Security Metrics' http://www.securitymetrics.org/ and Network Visualization I would be happy to hear from you!
So right now I am still thinking of my distributed gaming / network viz platform ( http://bsdosx.blogspot.com/2005/07/i-wish.html ) that turns close to all supported nodes in to both collectors, engines and viewing platforms. ( Would love to do touch-screen also a la: http://www.youtube.com/watch?v=iVI6xw9Zph8 , but that's Phase 2 :p )
Constituent parts thus far include VTK http://public.kitware.com/VTK/index.php , Twisted python http://twistedmatrix.com/trac/ , and a perhaps an ESM ( End System Multicast ) http://esm.cs.cmu.edu engine for scaling, congestion etc rather than relying upon network based multicast in heterogeneous environments.
Bittorrent to distribute updates, policy and new functionality. DNS as a common C&C ( Command and Control ) channel for a 'Nematoad' ( nematode ) new sub-domain. Maybe use the domain as a test with RFC 1918 IP address space to stay within yor enterprise borders ( Urk, 'cept for extranets and other examples of double/sinlge NAT that may impinge! ). Also maybe use intentional defects in the SOEs to replicate to valid hosts rather than actual exploits.
If anyone is aware of Australian courses offering 'Security Metrics' http://www.securitymetrics.org/ and Network Visualization I would be happy to hear from you!
Saturday, March 18, 2006
Musings on the ebb and flow of packets....
An interesting perspective from XXXX... negating the fact that he hasn't played with these types of device, a good high level theoretical approach and some definitive weaknesses pointed out.
I guess what interests me and has done for sometime on large national and international networks, is that there is not very much contextualized information around what *is* normal and anomalous ( sometimes no idea at all! ). Also to be able to tie many streams of information together in real time such as netflow, signature based IDS, anomaly detection and CIDR awareness.... helps a great deal. The complexity of today's networks ( hosts/apps/user behaviour too!) is such that the same issues of tuning,false positives and meaningful data are tough, however depending upon the degree of network segmentation, homogeneous platforms.. and the type of business you are in, this can be greatly reduced and more effective. I recently spent some time with a friend from Cisco over a beer or two watching the 80mb DDOS flows to cisco.com and how their Peakflow reported upon it ... some quite interestingly defined thresholds for some other attacks also. They also have a 'clean-pipes' solution... anything to help you stay afloat when millions go through your website each day... admittedly you always need bigger pipes than an attacker but they don't always have to be yours. What really adds value though is in the core...
The PeakFlow SP solution is also interesting and can really help; more so to define traffic and billing ( peering/ratios etc ) and is somewhat BGP aware. It becomes very interesting then in actually knowing what is going on for Tier 1 and Tier 2 transit carriers that are trying to traffic engineer some very interesting issues and bill accordingly. PeakFlow allows for contextualised information and can see both the flows and certain defined BGP attributes, amongst other things and can help to address the issue of time and error in trace back to facilitate targeted sinkholes at the edge... understanding the data and control planes on networks is crucial.
One of the biggest problems we face right now on enterprise networks is the transparency, visibility and auditability challenge. Unfortunately the network *is* more aware and being expected to influence traffic in many new ways... not just to route packets... relating to QOS, triggered changes in routing, complex traffic engineering and more 'application' awareness such as Cisco's NBAR to influence flows etc....
Today, one has to be across every transiting technology and node, including the topology, security and criticality of each conceptual and physical business area. Tools to help alleviate this are good(tm)... and using extrusion detection and flow monitoring helps to identify infected hosts, worm sign, reconnaissance and probing ( internally ) and contributes to the quality and usefulness of empirical data when dealing with incidents. I am not negating inherent host and application issues, but at the end of the day both the hosts, applications and network all play a roll and impose themselves upon each other with different unique characteristics and behavioural signatures... perhaps some day IPv6 and IPSec will allow for close to 100% encryption, but right now we have limited edge use of IPSEC and payload encryption is not so much an issue... data has to be mobile to be useful or destructive, once it moves, it leaves traces... and hopefully one still owns the control channel of ones network. ( Hopefully! )
Boxes that can do good Capacity Management, Flows, basic/light flow based NIDS and are somewhat 'network-aware' ( routing protocol attributes )... such that they can contextualise somewhat the data and control planes of a network... are in my opinion, still immature; but better than anything else out there right now!.... I am waiting to combine such a tool with an onboard routing daemon that can interrogate the enterprise address routing table ( negating certain sloppy summarisation! ) and see what address space is currently 'dark' within private ranges to provide an 'aware' darknet that ebbs and flows as address space usage does.
I guess my point is that the convergence of tools and methodologies to gain insight and awareness in to your network is better than not having such tools, or having them distributed amongst groups and unaware or unable to 'share' or contextualise data. In responding to some major worm outbreaks, un-intentional internal DOS, traffic engineering / billing issues etc etc on some pretty large networks, I would have given the left part of some of my anatomy for such tools / visibility.... there is no silver bullet I'll give you that, but in this arms race the 'Nuclear' Holocaust will do no one any favours -> only provides leverage.... which points back to more subtle cooperative, political and legal ways to address such global threats.... terrorism is alive and well and packets make good suicide bombers!
Donal
I guess what interests me and has done for sometime on large national and international networks, is that there is not very much contextualized information around what *is* normal and anomalous ( sometimes no idea at all! ). Also to be able to tie many streams of information together in real time such as netflow, signature based IDS, anomaly detection and CIDR awareness.... helps a great deal. The complexity of today's networks ( hosts/apps/user behaviour too!) is such that the same issues of tuning,false positives and meaningful data are tough, however depending upon the degree of network segmentation, homogeneous platforms.. and the type of business you are in, this can be greatly reduced and more effective. I recently spent some time with a friend from Cisco over a beer or two watching the 80mb DDOS flows to cisco.com and how their Peakflow reported upon it ... some quite interestingly defined thresholds for some other attacks also. They also have a 'clean-pipes' solution... anything to help you stay afloat when millions go through your website each day... admittedly you always need bigger pipes than an attacker but they don't always have to be yours. What really adds value though is in the core...
The PeakFlow SP solution is also interesting and can really help; more so to define traffic and billing ( peering/ratios etc ) and is somewhat BGP aware. It becomes very interesting then in actually knowing what is going on for Tier 1 and Tier 2 transit carriers that are trying to traffic engineer some very interesting issues and bill accordingly. PeakFlow allows for contextualised information and can see both the flows and certain defined BGP attributes, amongst other things and can help to address the issue of time and error in trace back to facilitate targeted sinkholes at the edge... understanding the data and control planes on networks is crucial.
One of the biggest problems we face right now on enterprise networks is the transparency, visibility and auditability challenge. Unfortunately the network *is* more aware and being expected to influence traffic in many new ways... not just to route packets... relating to QOS, triggered changes in routing, complex traffic engineering and more 'application' awareness such as Cisco's NBAR to influence flows etc....
Today, one has to be across every transiting technology and node, including the topology, security and criticality of each conceptual and physical business area. Tools to help alleviate this are good(tm)... and using extrusion detection and flow monitoring helps to identify infected hosts, worm sign, reconnaissance and probing ( internally ) and contributes to the quality and usefulness of empirical data when dealing with incidents. I am not negating inherent host and application issues, but at the end of the day both the hosts, applications and network all play a roll and impose themselves upon each other with different unique characteristics and behavioural signatures... perhaps some day IPv6 and IPSec will allow for close to 100% encryption, but right now we have limited edge use of IPSEC and payload encryption is not so much an issue... data has to be mobile to be useful or destructive, once it moves, it leaves traces... and hopefully one still owns the control channel of ones network. ( Hopefully! )
Boxes that can do good Capacity Management, Flows, basic/light flow based NIDS and are somewhat 'network-aware' ( routing protocol attributes )... such that they can contextualise somewhat the data and control planes of a network... are in my opinion, still immature; but better than anything else out there right now!.... I am waiting to combine such a tool with an onboard routing daemon that can interrogate the enterprise address routing table ( negating certain sloppy summarisation! ) and see what address space is currently 'dark' within private ranges to provide an 'aware' darknet that ebbs and flows as address space usage does.
I guess my point is that the convergence of tools and methodologies to gain insight and awareness in to your network is better than not having such tools, or having them distributed amongst groups and unaware or unable to 'share' or contextualise data. In responding to some major worm outbreaks, un-intentional internal DOS, traffic engineering / billing issues etc etc on some pretty large networks, I would have given the left part of some of my anatomy for such tools / visibility.... there is no silver bullet I'll give you that, but in this arms race the 'Nuclear' Holocaust will do no one any favours -> only provides leverage.... which points back to more subtle cooperative, political and legal ways to address such global threats.... terrorism is alive and well and packets make good suicide bombers!
Donal
Sunday, September 25, 2005
CIA
Confidentiality, Integrity and Availability...
Sometimes we forget about how exactly to tackle the last one. HA, Load-Balancing, BCP, Geographical Redundancy, Clustering, Primary/Secondary, Active/Active etc etc...
Don't forget 'backups', http://taobackup.com/ ( nice but vendor related! )
Fun http://www.backuptrauma.com/video/default2.aspx?r=1 from John Cleese!
Sometimes we forget about how exactly to tackle the last one. HA, Load-Balancing, BCP, Geographical Redundancy, Clustering, Primary/Secondary, Active/Active etc etc...
Don't forget 'backups', http://taobackup.com/ ( nice but vendor related! )
Fun http://www.backuptrauma.com/video/default2.aspx?r=1 from John Cleese!
Sunday, September 18, 2005
Once more in to the breach....
So I have started to recount this phrase to myself on a Sunday evening ( over a beer.. or two.. ) before stepping once again in to my job on a Monday morning...
I am an 'Information Security' practitioner for a large national mobile Telco and the landscape _is_ always changing... ( though we face the most basic challenges of yesteryear also..)
...out of the trenches and march forward in to the (semi)-unknown! Perhaps someone will allow the 'Red-Cross' in and sing 'Stile Nacht' over Christmas, while we bunker down and play a MMORPG.. however I doubt it as the Internet never sleeps! ( And nor should SecOps! )...
I have been aware of 'Marcus Ranum' for a while but revisted his site recently after a link was sent around for 'The Six Dumbest Ideas in Computer Security'.. http://www.ranum.com/security/computer_security/index.html
I would like to share with you some of the 'nuggets' in this 'Prophet's' site, that not only _pre-date_ but echo most of my sentiments -> if you have been here before:
Aside: I am only a mere mortal vs. this 'security-techno-demi-god' !
Quotes like:
1) Set up the production systems
2) Make them work
3) Test them
4) While true; do
If they are working; Continue; Endif
If they are not working; GOTO 2; Endif
5) Done
( Maybe OpenBSD + layered security + quality userland software.. )
or:
The mainframe programmers of the 70's and 80's used to write of a practice called "Change Control" - in which production systems were managed with care and forethought. During the late 90's the last of the Change Control believers were taken out and shot, and their cubicles were given to the consultants who were there to mark everything up in XML in order to make everything better in some manner nobody understands yet.
maybe the 'calender' based upon the classic 'Motivations' calenders:
http://www.ranum.com/security/computer_security/calendar/index.html
I am an 'Information Security' practitioner for a large national mobile Telco and the landscape _is_ always changing... ( though we face the most basic challenges of yesteryear also..)
...out of the trenches and march forward in to the (semi)-unknown! Perhaps someone will allow the 'Red-Cross' in and sing 'Stile Nacht' over Christmas, while we bunker down and play a MMORPG.. however I doubt it as the Internet never sleeps! ( And nor should SecOps! )...
I have been aware of 'Marcus Ranum' for a while but revisted his site recently after a link was sent around for 'The Six Dumbest Ideas in Computer Security'.. http://www.ranum.com/security/computer_security/index.html
I would like to share with you some of the 'nuggets' in this 'Prophet's' site, that not only _pre-date_ but echo most of my sentiments -> if you have been here before:
Aside: I am only a mere mortal vs. this 'security-techno-demi-god' !
Quotes like:
1) Set up the production systems
2) Make them work
3) Test them
4) While true; do
If they are working; Continue; Endif
If they are not working; GOTO 2; Endif
5) Done
( Maybe OpenBSD + layered security + quality userland software.. )
or:
The mainframe programmers of the 70's and 80's used to write of a practice called "Change Control" - in which production systems were managed with care and forethought. During the late 90's the last of the Change Control believers were taken out and shot, and their cubicles were given to the consultants who were there to mark everything up in XML in order to make everything better in some manner nobody understands yet.
maybe the 'calender' based upon the classic 'Motivations' calenders:
http://www.ranum.com/security/computer_security/calendar/index.html
Saturday, September 17, 2005
BadStreets
My old/new movie is online@ http://www.undergroundfilm.org/films/detail.tcl?wid=1020131
Go check it you!
Go check it you!
Friday, September 09, 2005
Anomaly or progress...
Hmm.. again I love the advances in 'polymorhic worm' behaviour, traffic normalization, IDS, IPS etc etc etc...
But I really think we are missing the fundamental point entirely. My favourite phrase is 'Complexity is the Enemy', especially as it relates to fast paced ever changing environments. 'Change Control' , 'Change Management' or 'Release Management' is great.. but I have never seen it done really effectively. Even in one of the best networking companies in the world, it is still a form of controlled chaos! As best effort / guestimate work is done in identifying host dependencies in downstream networks or similar service dependencies in downstream / upstream applications or code. ( Let alone full appreciation for business and supporting processes... ). Who _are_ these guardians of 'Change Control' who _really_ understand the _Infrastructure_ in all its glorius levels and depths... -----> 'techno-demigods' I think they would be called :)
"Well, that's the security guys / operations manager's role... oh, well then, it's the um administrators or engineering, or implementations guys....", I hear you all say in tandem.... well perhaps, but do they really know what's going on? Who actually did what, when, where and why? And could you really tell what was done and how?
Who are the implementors? Are they insourced, outsourced or was the update or change performed by some 'fly-by-night' technorati....? Relax my friends, it's all ok you uber-geeks, we all know the CIO knows exactly what's happening and is responsible for the whole shebang!
Take for example a business with a large dependency on IT ( any medium to large business, desperate to bring an IT based service or product to market-> think of Microsoft in the early days, some may argue still now...! ) and sprinkle that with a lack of _quality_ in employees' experience, training and a lagging behind the pace of technology... then add a dollop of rapidly trying to use said latest and greatest technology, and has _anyone_ really got a handle on what's going on! Do they have the policies, management support / comprehension and business backing to inherently understand the risks to existing and future services. The risk to the products and current or projected revenue streams is vast while driving the pace at full kilter. Only experience lends itself to an instinctual appreciation of the hidden costs of _rushing_ something out the door without the necessary QA, UAT, SIT.... ( Quality Assurance, User Acceptance Testing, Systems Integration Testing )....
Remember that millions of lines of code are wrapped around all Operating Systems and Applications or Services, whether in supporting the business or tied up in the business' delivery of products and services to its customers... then introduce the standard network users - driving the equivalent of virtual computer tanks and nuclear warheads with no proof of 'licensed to operate' or without the requisite training and experience. Mix this with network and system administrators, developers and database administrators with about as much scientific appreciation of computational logic and determinism ( in so far as _computer-systems_ are deterministic :) as the Incas had in believing in Sun Gods and that engaging in human sacrifice and voodoo like 'hibbidy-gibbidy', would appease said Gods of the time. Add to this a light sprinkling of 'management' who now find themselves in some _key_ technically related role, who have about as much experience with technology as those assembling their first 'Kinder Egg' with similar measures of people management skills, akin if you will to the atypical high school gym 'last pick' ability to inspire confidence, lead a team or score goals.
You are now ready to bake in the binary oven of success or failure, wait 30 minutes at 'Homeland Security' defcon 4 for the inevitable results.
'Baked Alaska' is not something you can get right with beginners luck...
So back the key theme, that with such complexity and general lack of appreciation of said complexity.. it actually needs to be reduced to faciliate some form of control. Most solutions these days actually _increase_ the complexity to try and control the complexity! (which doesn't really work without the correct resourcing, comprehension and mangement!)
Let's take a step back and focus on the basics. Let's cut out the fluff and focus on solid and secure systems and services that allow us to work on the real 'add-value' to the business or customers. Why is it we require an army of incompetents who create their own microcosms of increased complexity, entropy and cost, when computers are supposed to save us time so we can get on with what we're actually really good at?
But I really think we are missing the fundamental point entirely. My favourite phrase is 'Complexity is the Enemy', especially as it relates to fast paced ever changing environments. 'Change Control' , 'Change Management' or 'Release Management' is great.. but I have never seen it done really effectively. Even in one of the best networking companies in the world, it is still a form of controlled chaos! As best effort / guestimate work is done in identifying host dependencies in downstream networks or similar service dependencies in downstream / upstream applications or code. ( Let alone full appreciation for business and supporting processes... ). Who _are_ these guardians of 'Change Control' who _really_ understand the _Infrastructure_ in all its glorius levels and depths... -----> 'techno-demigods' I think they would be called :)
"Well, that's the security guys / operations manager's role... oh, well then, it's the um administrators or engineering, or implementations guys....", I hear you all say in tandem.... well perhaps, but do they really know what's going on? Who actually did what, when, where and why? And could you really tell what was done and how?
Who are the implementors? Are they insourced, outsourced or was the update or change performed by some 'fly-by-night' technorati....? Relax my friends, it's all ok you uber-geeks, we all know the CIO knows exactly what's happening and is responsible for the whole shebang!
Take for example a business with a large dependency on IT ( any medium to large business, desperate to bring an IT based service or product to market
Remember that millions of lines of code are wrapped around all Operating Systems and Applications or Services, whether in supporting the business or tied up in the business' delivery of products and services to its customers... then introduce the standard network users - driving the equivalent of virtual computer tanks and nuclear warheads with no proof of 'licensed to operate' or without the requisite training and experience. Mix this with network and system administrators, developers and database administrators with about as much scientific appreciation of computational logic and determinism ( in so far as _computer-systems_ are deterministic :) as the Incas had in believing in Sun Gods and that engaging in human sacrifice and voodoo like 'hibbidy-gibbidy', would appease said Gods of the time. Add to this a light sprinkling of 'management' who now find themselves in some _key_ technically related role, who have about as much experience with technology as those assembling their first 'Kinder Egg' with similar measures of people management skills, akin if you will to the atypical high school gym 'last pick' ability to inspire confidence, lead a team or score goals.
You are now ready to bake in the binary oven of success or failure, wait 30 minutes at 'Homeland Security' defcon 4 for the inevitable results.
'Baked Alaska' is not something you can get right with beginners luck...
So back the key theme, that with such complexity and general lack of appreciation of said complexity.. it actually needs to be reduced to faciliate some form of control. Most solutions these days actually _increase_ the complexity to try and control the complexity! (which doesn't really work without the correct resourcing, comprehension and mangement!)
Let's take a step back and focus on the basics. Let's cut out the fluff and focus on solid and secure systems and services that allow us to work on the real 'add-value' to the business or customers. Why is it we require an army of incompetents who create their own microcosms of increased complexity, entropy and cost, when computers are supposed to save us time so we can get on with what we're actually really good at?
Wednesday, August 31, 2005
Sunday, August 21, 2005
S.O.E. ( Standard Operating Environment )
Well, even if you use NetFlow on routers / switches why not include something like Argus [ http://www.qosient.com/argus/index.htm ] in all your standard host builds limited to its own slice / filesystem ( or implement some log rotation.. ) so the system or host itself builds a historical log of network relationships for troubleshooting, forensics etc etc
Sunday, August 07, 2005
How do we know about History? What are we doing wrong today....
Hmmmm.. simple premise.... we only uncovered much of what we know today about previous civilisations due to the mark they made upon the world, whether the information was intentionally created for recording purposes or that which was an unintentional byproduct of something else they did / used or created.
Here, the concepts of the intentional lifetime of data and the medium of storage chosen are of utmost importance. ( additionally data format / language and physical / logical interface to the data are of concern )
Some remnants of a society such as architecture may be considered a byproduct, however many buildings such as the pyramids of Egypt and South America were built to last the ages and were intended to be a legacy of the then rulers or of the civilisation itself. Funny that in the current modern era, we have sprawling metropolis' of concrete and steel which will in theory also last the test of time, but we don't in essence continue to write or record anything on mediums with similar longevity. Cave paintings and vellum scrolls when in the right conditions can last for thousands of years and convey stories and records of life as it was, and lessons for future generations whether intentional or not. Imagine if you will if the Rosetta Stone was written on a sheet of modern paper, saved on a harddrive in a proprietary format or burnt to a CD-R or DVD...... how long would it last, and what would future generations lose out on or be deprived of?
Maybe you are starting to see my point? We have seen amazing advances in the current and last century, mainly attributable to the rapid increase and spread of information. Cumulative knowledge allows for rapid progress. More raw human processing power, if you will, all connected and digesting reams of information, making inferences, connections, theories, statistical observations and basically learning, refining and increasing the sum knowlege of all humankind. Hopefully making things better and not worse!
Now imagine .... we destroy ourselves in a nuclear holocaust accompanied by a huge EM pulse ( electromagnetic pulse ) that wipes out most, but not all of the digital data on the planet. The end of the current global age of the internet and digital data. We need to start from scratch but most of the engineers and basic information for building complex circuits and the means to access any of the remaining survivable information is gone to us? Operating systems, source code and close to all raw data would be gone.
One could well ask if it ever did then actually exist? How much are we missing from that which was daily life for the Egyptians, Greeks, Romans, Incas etc etc... From what we have found thus far.. e.g ruins, artifacts, personal effects, architecture, farming and certain amounts of business and governmental records of the time - we build a picture of the politics, philosophy, medicine, science, mathamatics, law, ethics etc of these people's lives and overall civilisations....
Many of these civilisations either fell, mutated, diverged or imploded.... again imagine if you will the sum of all human knowledge available to us should we have had a cumulative repository over the past few thousand years... maybe we would be more advanced or maybe we would have wiped ourselves out properly, once and for all!!!!
We are creating and learning at a pace never seen before in human history ( well to the best of our current knowledge based upon what we have found.... how would we really know unless they wrote it down or *all* the information and records had survived? ) what happens when our civilisation comes to an abrupt or bitter end?
Should we be doing more to ensure the information we create and learn about ourselves, our civilisation and our environment is given the intrinsic longevity it deserves.. if not for our children, for future races of humans, for the historians, researchers, teachers and perhaps those that once again one day try to rebuild society out of the dark ages?
Aside: This question also begs an answer to the issue of complexity in many of our sciences and systems and how we represent them. Ask yourself if it would be easy to rebuild, reproduce or look at a current high level system, grasp the underlying concepts and reproduce the outcomes. These systems I speak of could be anything from computer systems, to law systems to social systems. We are building a house of cards with no thought for my favourite question, not "Why" but "What if?".....
Aside II: Do we really actually care about the "What if?" or would it stifle our creativity and the speed of advancements if we were to spend more time ensuring the integrity and longevity of our cumulative knowledge? Why are we rushing so far and fast ahead in to the unknown, we'll still get there eventually... it will still be unknown a week from next Tuesday! Maybe it's time to slow down and take a timeout, have a 'kit-kat' and then take a really good long hard look at what we as a race are really doing and trying to achieve... Also is it sustainable and recreatable should we break it? The wonderful concept not of "How well does it work?", but "How well does it break?" comes to mind...
Right now I see a huge risk to society at large.
"How we represent, store, archive and share digital information. "
I believe the sum of all human knowledge is in danger... let's at least start by ensuring we could start from scratch again. ( or someone or something else could.. what would an alien archaelogist make of all this should they visit earth after we have reduced ourselves to another pre-industrial age again? "Bloody amateurs!" )... oh and here's an interesting byproduct.... maybe a new paradigm would create a template for human learning that creates a code or method for how to educate children so they do not need to spend X times as long comprehending a mish-mash of overlapping disciplines by starting from scratch each time they enter a new field of study. Some may agrue that that is the role language fulfils, a symbolic representation of ideas and concepts to allow them to be expressed and communicated.
There is no handbook for parents, there is no common teaching system other than repetetively hammering information in to childrens skulls. The advances we could make as a race if we harnassed and guided the abstract thought processes of children. ( possible focus "edutainment" )
Libraries and museums perhaps need a bit of a rethink and some real funding?
If we want to build a new society the 'Tipping Point' will start with the children.
If we want to 'keep' and progress our society we need to focus on 'keeping' the cumulative information safe and healthy.
If we want to advance our society we need to eliminate fear, greed and inequality.
Hmmm... rant over.. time to watch the Simpsons....
Some fun links to projects / papers:
Information Longevity http://sunsite.berkeley.edu/Longevity/
NARA National Archives and Records Administration ( American, http://www.archives.gov/ ) ERA ( Electronics Records Archive ) http://www.archives.gov/era/index.html
OSTA Optical Storage Technology Association ( http://www.osta.org/ )
Here, the concepts of the intentional lifetime of data and the medium of storage chosen are of utmost importance. ( additionally data format / language and physical / logical interface to the data are of concern )
Some remnants of a society such as architecture may be considered a byproduct, however many buildings such as the pyramids of Egypt and South America were built to last the ages and were intended to be a legacy of the then rulers or of the civilisation itself. Funny that in the current modern era, we have sprawling metropolis' of concrete and steel which will in theory also last the test of time, but we don't in essence continue to write or record anything on mediums with similar longevity. Cave paintings and vellum scrolls when in the right conditions can last for thousands of years and convey stories and records of life as it was, and lessons for future generations whether intentional or not. Imagine if you will if the Rosetta Stone was written on a sheet of modern paper, saved on a harddrive in a proprietary format or burnt to a CD-R or DVD...... how long would it last, and what would future generations lose out on or be deprived of?
Maybe you are starting to see my point? We have seen amazing advances in the current and last century, mainly attributable to the rapid increase and spread of information. Cumulative knowledge allows for rapid progress. More raw human processing power, if you will, all connected and digesting reams of information, making inferences, connections, theories, statistical observations and basically learning, refining and increasing the sum knowlege of all humankind. Hopefully making things better and not worse!
Now imagine .... we destroy ourselves in a nuclear holocaust accompanied by a huge EM pulse ( electromagnetic pulse ) that wipes out most, but not all of the digital data on the planet. The end of the current global age of the internet and digital data. We need to start from scratch but most of the engineers and basic information for building complex circuits and the means to access any of the remaining survivable information is gone to us? Operating systems, source code and close to all raw data would be gone.
One could well ask if it ever did then actually exist? How much are we missing from that which was daily life for the Egyptians, Greeks, Romans, Incas etc etc... From what we have found thus far.. e.g ruins, artifacts, personal effects, architecture, farming and certain amounts of business and governmental records of the time - we build a picture of the politics, philosophy, medicine, science, mathamatics, law, ethics etc of these people's lives and overall civilisations....
Many of these civilisations either fell, mutated, diverged or imploded.... again imagine if you will the sum of all human knowledge available to us should we have had a cumulative repository over the past few thousand years... maybe we would be more advanced or maybe we would have wiped ourselves out properly, once and for all!!!!
We are creating and learning at a pace never seen before in human history ( well to the best of our current knowledge based upon what we have found.... how would we really know unless they wrote it down or *all* the information and records had survived? ) what happens when our civilisation comes to an abrupt or bitter end?
Should we be doing more to ensure the information we create and learn about ourselves, our civilisation and our environment is given the intrinsic longevity it deserves.. if not for our children, for future races of humans, for the historians, researchers, teachers and perhaps those that once again one day try to rebuild society out of the dark ages?
Aside: This question also begs an answer to the issue of complexity in many of our sciences and systems and how we represent them. Ask yourself if it would be easy to rebuild, reproduce or look at a current high level system, grasp the underlying concepts and reproduce the outcomes. These systems I speak of could be anything from computer systems, to law systems to social systems. We are building a house of cards with no thought for my favourite question, not "Why" but "What if?".....
Aside II: Do we really actually care about the "What if?" or would it stifle our creativity and the speed of advancements if we were to spend more time ensuring the integrity and longevity of our cumulative knowledge? Why are we rushing so far and fast ahead in to the unknown, we'll still get there eventually... it will still be unknown a week from next Tuesday! Maybe it's time to slow down and take a timeout, have a 'kit-kat' and then take a really good long hard look at what we as a race are really doing and trying to achieve... Also is it sustainable and recreatable should we break it? The wonderful concept not of "How well does it work?", but "How well does it break?" comes to mind...
Right now I see a huge risk to society at large.
"How we represent, store, archive and share digital information. "
I believe the sum of all human knowledge is in danger... let's at least start by ensuring we could start from scratch again. ( or someone or something else could.. what would an alien archaelogist make of all this should they visit earth after we have reduced ourselves to another pre-industrial age again? "Bloody amateurs!" )... oh and here's an interesting byproduct.... maybe a new paradigm would create a template for human learning that creates a code or method for how to educate children so they do not need to spend X times as long comprehending a mish-mash of overlapping disciplines by starting from scratch each time they enter a new field of study. Some may agrue that that is the role language fulfils, a symbolic representation of ideas and concepts to allow them to be expressed and communicated.
There is no handbook for parents, there is no common teaching system other than repetetively hammering information in to childrens skulls. The advances we could make as a race if we harnassed and guided the abstract thought processes of children. ( possible focus "edutainment" )
Libraries and museums perhaps need a bit of a rethink and some real funding?
If we want to build a new society the 'Tipping Point' will start with the children.
If we want to 'keep' and progress our society we need to focus on 'keeping' the cumulative information safe and healthy.
If we want to advance our society we need to eliminate fear, greed and inequality.
Hmmm... rant over.. time to watch the Simpsons....
Some fun links to projects / papers:
Information Longevity http://sunsite.berkeley.edu/Longevity/
NARA National Archives and Records Administration ( American, http://www.archives.gov/ ) ERA ( Electronics Records Archive ) http://www.archives.gov/era/index.html
OSTA Optical Storage Technology Association ( http://www.osta.org/ )
Sunday, July 31, 2005
Meta-info... coz' my time is short...
Great aggregated blog @ Planet Security 
http://www.dayioglu.net/planet/ for all things Information Security.
And another @ InfosecDaily http://infosecdaily.net/securitynews/ .... and.. TaoSecurity http://taosecurity.blogspot.com/
Here's a fun WormBlog @ http://www.wormblog.com/ and here's a similar one from F-Secure http://www.f-secure.com/weblog/
Microsoft Response Center Blog http://blogs.technet.com/msrc/
Microsoft Security Wiki http://channel9.msdn.com/wiki/default.aspx/SecurityWiki.HomePage
All I need to do now is get my new team membership in First .... I miss my First list with my coffee in the mornings!
http://www.dayioglu.net/planet/ for all things Information Security.And another @ InfosecDaily http://infosecdaily.net/securitynews/ .... and.. TaoSecurity http://taosecurity.blogspot.com/
Here's a fun WormBlog @ http://www.wormblog.com/ and here's a similar one from F-Secure http://www.f-secure.com/weblog/
Microsoft Response Center Blog http://blogs.technet.com/msrc/
Microsoft Security Wiki http://channel9.msdn.com/wiki/default.aspx/SecurityWiki.HomePage
All I need to do now is get my new team membership in First .... I miss my First list with my coffee in the mornings!
Saturday, July 30, 2005
I wish.....
The network _is_ the computer....
I have really good spatial comprehension, and am mostly a visual person. This is how I think. Currently careerwise I am an Information Security practitioner and Network Engineer. I like building, fixing and securing / protecting things. ( Substitute paternal instinct as I have no kids? )
Anyway, I digress.... as you move from job to job you tend to build up your stash of happy tools, resources, methods etc etc... _however_ when arriving in a large organisation it is very hard to get a handle on what's going on and build a map in your head of the network and nodes that contain information you are supposed to be securing / defending / protecting.....( especially if that company's documentation is bad, non-existant or they have never used any visualisation tools or mapped / diagrammed anything! ) Also, sometimes the company can be in a high growth phase, where things change daily or weekly - and we all know that devices are not always built, deployed, alarmed or documented properly..
For quite sometime I have been formulating an idea on how to get a handle on this .. it also applies to the actual NOC / SOC [ Security Operations Center ] guys too and how they view their operating world.... these days we need to know what's going on second by second, not day by day, or week by week.. internet time is just too fast, and so are the releases of worms following proof of concept code, 0 day exploits, or reverse engineered vendor patches.
Complexity is also the enemy - however that beast is getting larger not smaller ( as node numbers, services and depth of code / processes on hosts increases.. ) which I believe leads to the true gap right now; the ability [or inability] of us mere mortals to ingest, comprehend, correlate and appreciate changes / incidents and outages _properly_, including the ability to take the decisive actions to mitigate, fix or even just improve the situation. Inherent in this model is the ultimate accountability or responsibility for the decisions made in mitigating or remediating said issues. This is where supposed 'silver bullets' like intelligent IPS's, intelligent networks, sandboxing policies will invariably always fail. Too many overheads. Configuration needs to be done before the fact, and this administration can be forgotten / overlooked or just ignored. We still need to create the rules, tune the IDS, define the actions for them to take and then still no one I know in the industry will let a system issue of it's own accord an ACL [ Access Control List ] change, TCP reset or blackhole / sinkhole routing to /dev/null, Null0 or a 'scrubber' of sorts. They are too worried about customers and mission critical platforms, and rightly so? A.I. is still rule based / heuristic and often incomplete, as humans still need to re-write or tweak the frameworks, sample spaces to achieve the desired results. Neural networks still rely on 'us' humans for their playing fields.
I don't believe machines will ever be able to do real-time business risk modelling by drawing the correct inferences at the right times, this is still a skill humans are better at. When associating patterns, schedules and dependencies from informtaion we are presented with, what's fundamental is the type, quality, amount and correctness of the data presented to the human operator. Most humans are visual creatures, even the blind who build connections and patterns in their minds....
Aside: ( one of the best Cisco Routing and Switching CCIE's in the TAC [ Technical Assistance Centre ] they had in Brussels, Belgium was actually blind and supported large complex enterprises remotely on the phone! )
For now though, let's think about having the right information, easily represented and at the right time. Take a peak at the OODA loop ( in previous post below ) and the concept of a CERT or CSIRT, if you are not familiar with them. ( I am bundling the NOC / SOC and concept of a CERT in to the same teams / functions here... )
The pitch: A near-realtime 3D network map, seperating out a rough OSI / ISO 7 layer model into 2D connected visualisation planes that can be manipulated in real-time possibly with a touch screen. ( Alternatively and probably more pragmatic would be that of the 5 layer TCP/IP Sun/DOD model ) Other features would include nodes giving off visual alarms when there are issues and when thresholds are reached. Screens could be split to render multiple parts of the network simultaneously. Employees / clients could access standard templates / defined sub-maps remotely. These clients may be run on normal users or operators desktops, with the realtime rendering done on the client. Clients may have different roles as it relates to the network and get seperate streams overlayed to their maps. ( Traps, Anti-Virus, IDS, Flows with filters, syslog alerts.... )
DBA's see overlaid maps of JDBC, ODBC, SQLNet etc
Network Operators see ICMP, SNMP, SSH, SCP, TFTP, RCP, RSH, Telnet, Syslog etc..
Security can see everything but pick known 'bad' ports or recent outbreaks that use certain ports?
Content guys can see their product moving around...
Web guys can see their piece of the pie etc etc etc
Note: Suddenly at any point in time, all your observers become your distributed operations and network monitors!!! An Open Source model to keep the _network_ smooth and efficient...
Client / Server architecture similar in a sense to that of a MMORPG's methods of passing state and object information in a highly compressed format whereby the rendering engine primarily uses the client-side resources. Included may be the concept of Multicast or Peer-to-Peer to distribute information reducing bandwidth consumption. As with the gaming model, administrators may change information in realtime or influence the network also in realtime. Operators could push, only clients could pull. As this mapping would be graph based, holding state information and inter node relationship information ( think link-state / hybrid routing protocols ) each client would have a world view but _build_ his or her own "routing table" or view of the world as a normal router would ( including endpoints too though..! ) and then receive _state_ changes, which, in the message passing syntax would be anything from a threshold alert to a node state change, to a change in the graphical representation of a node in relation to some pre-defined event etc...
So to 're-cap' the 'network game server' as we'll call it handles most of the topology information, message scrubbing and over-all admin rights. ( Think of it as a shiny front end MOM / NMS / Event Correlation engine that understands flows... ) Clients, be they desktop users, network administrators, remote NOC teleworkers or customers who wish to see their relevent part of the network or hosts are performing from a network perspective, all get to see what's going on when, where and _hopefully_ in a distributed environment _we_ can get to the ever more elusive why in a reduced amount of time?
Transparency drives growth, change and improvement.
As information and events are all realtime and streamed in somewhat of a pipeline ( including flows ) it should be possible to ( with accurate network wide NTP ) perform limited tracebacks of incidents, albeit the event must be recognised or pre-defined in some form. This is where baselining and normalisation is exteremely important. SourceFire are doing pretty well in this regard it seems with RNA...
Sounds futuristic? Maybe it's out there already?
Perhaps, but most of my previous posts, in theory, contain close to the correct tools to do this ( well nearly anyway ).... the closest I have seen in operation thus far is a good independent 2D map built by QualysGuards Vulnerability Assessment tool, and OpNet's SPGuru ( perhaps their new 3DNV product? ) that feeds itself from existing NMS's and MOM's like CiscoWorks Information Centre, HP Openview etc..
a) get all related SNMP read strings for routers, switches and firewalls ( if you so do...)
b) ensure your platform has full ACL rights for the above
c) ensure your platform has full port connectivity through firewalls etc to achieve connectivity... ICMP/TCP/UDP
d) allow your platform to fingerprint hosts and nodes and make it an iterative behaviour...
e) allow your object orientated mapping engine to attribute status to graph leaves in real-time as it's rendered
f) have a concept of trending / difference
g) allow your platform to parse routing tables and understand topology ( Hmmmm, stateful or stateless mapping.. guess it needs to build consistent view rather than rebuild each-time to reduce overheads... as with gaming, build the world.. then interpret changes? )
h) perhaps overlay NetFlow (tm) information for close to real-time ( 5min+- ) traffic overlays.. top talkers etc. ( NetFlow(tm) is not realtime but exported in time intervals to collectors where it can be aggregated..
i) perhaps use this engine to allow you to do a form of touchscreen IPS ( Intrusions Prevention System ) on your whole network, thus the final realtime responsibility lies with the Network Operators?
j) X3D http://www.web3d.org/ as a framework instead of the supposedly outdated VRML ?
k) you would possibly need a fast rendering game engine to achieve basic visualisation depending on network size and complexity if not using X3D / VRML.
l) could feed and help with Capacity Management ? RMON + real-time fault-tracking ( ICMP sweeps / SNMP traps )?
Just a thought, but it's kinda where I see the defensive perimieter paradigm being turned inside out as it relates to Information Security with the keywords _realtime_ _complexity_ _perimeter_ _defense_ _ips_... imagine also if the host OS or NOS could tag confidential enterprise information and insert this boolean based tag in the TCP header somewhere ( DSCP / TOS -> QOS-> Public || Confidential ) and then NetFlow also had a header that could see and report on this... you could then see when the information was walking out the network door? This is hugely simplified from the host, file and application context I know.. but it's a thought as it would need to be a standard and built in to document formats. Users could then turn it off perhaps... maybe it could be enforced at a polcy level, but most host based agents don't run on all platforms or would be supported etc alas engineers will always want to run their own OS.... or have root privileges anyway.
This of course does not take in to account making copies on to removable media.. that's another issue... but it would be a start... probably impinging on DRM [Digital Rights Management] but not *really* as it's targeted for a corporate environment only.. and it would be a label / watermark.. not an endpoint restriction.. ( though it could be, I am mainly referring to the network gateways / edge though... ! ) but it lends itself to being auditable and the concept of the "Shrinking Perimeter" being popularised by Dan Geer http://www.verdasys.com/site/content/whitepapers.html
Most of the time companies drop keyword searches for the term "company confidential", or take a copy of encrypted emails for future use. This does not address dns, http, ftp etc... ftp access is not always granted, but http(s) is, either through proxies or direct. Maybe we should give up and not try to control the data leaving the network.. just audit it and focus on employee visibility and compliance? At what point does the complexity, entropy and technology allowing access to information really become manageable, controllable and auditable by humans anyway?
I have really good spatial comprehension, and am mostly a visual person. This is how I think. Currently careerwise I am an Information Security practitioner and Network Engineer. I like building, fixing and securing / protecting things. ( Substitute paternal instinct as I have no kids? )
Anyway, I digress.... as you move from job to job you tend to build up your stash of happy tools, resources, methods etc etc... _however_ when arriving in a large organisation it is very hard to get a handle on what's going on and build a map in your head of the network and nodes that contain information you are supposed to be securing / defending / protecting.....( especially if that company's documentation is bad, non-existant or they have never used any visualisation tools or mapped / diagrammed anything! ) Also, sometimes the company can be in a high growth phase, where things change daily or weekly - and we all know that devices are not always built, deployed, alarmed or documented properly..
For quite sometime I have been formulating an idea on how to get a handle on this .. it also applies to the actual NOC / SOC [ Security Operations Center ] guys too and how they view their operating world.... these days we need to know what's going on second by second, not day by day, or week by week.. internet time is just too fast, and so are the releases of worms following proof of concept code, 0 day exploits, or reverse engineered vendor patches.
Complexity is also the enemy - however that beast is getting larger not smaller ( as node numbers, services and depth of code / processes on hosts increases.. ) which I believe leads to the true gap right now; the ability [or inability] of us mere mortals to ingest, comprehend, correlate and appreciate changes / incidents and outages _properly_, including the ability to take the decisive actions to mitigate, fix or even just improve the situation. Inherent in this model is the ultimate accountability or responsibility for the decisions made in mitigating or remediating said issues. This is where supposed 'silver bullets' like intelligent IPS's, intelligent networks, sandboxing policies will invariably always fail. Too many overheads. Configuration needs to be done before the fact, and this administration can be forgotten / overlooked or just ignored. We still need to create the rules, tune the IDS, define the actions for them to take and then still no one I know in the industry will let a system issue of it's own accord an ACL [ Access Control List ] change, TCP reset or blackhole / sinkhole routing to /dev/null, Null0 or a 'scrubber' of sorts. They are too worried about customers and mission critical platforms, and rightly so? A.I. is still rule based / heuristic and often incomplete, as humans still need to re-write or tweak the frameworks, sample spaces to achieve the desired results. Neural networks still rely on 'us' humans for their playing fields.
I don't believe machines will ever be able to do real-time business risk modelling by drawing the correct inferences at the right times, this is still a skill humans are better at. When associating patterns, schedules and dependencies from informtaion we are presented with, what's fundamental is the type, quality, amount and correctness of the data presented to the human operator. Most humans are visual creatures, even the blind who build connections and patterns in their minds....
Aside: ( one of the best Cisco Routing and Switching CCIE's in the TAC [ Technical Assistance Centre ] they had in Brussels, Belgium was actually blind and supported large complex enterprises remotely on the phone! )
For now though, let's think about having the right information, easily represented and at the right time. Take a peak at the OODA loop ( in previous post below ) and the concept of a CERT or CSIRT, if you are not familiar with them. ( I am bundling the NOC / SOC and concept of a CERT in to the same teams / functions here... )
The pitch: A near-realtime 3D network map, seperating out a rough OSI / ISO 7 layer model into 2D connected visualisation planes that can be manipulated in real-time possibly with a touch screen. ( Alternatively and probably more pragmatic would be that of the 5 layer TCP/IP Sun/DOD model ) Other features would include nodes giving off visual alarms when there are issues and when thresholds are reached. Screens could be split to render multiple parts of the network simultaneously. Employees / clients could access standard templates / defined sub-maps remotely. These clients may be run on normal users or operators desktops, with the realtime rendering done on the client. Clients may have different roles as it relates to the network and get seperate streams overlayed to their maps. ( Traps, Anti-Virus, IDS, Flows with filters, syslog alerts.... )
DBA's see overlaid maps of JDBC, ODBC, SQLNet etc
Network Operators see ICMP, SNMP, SSH, SCP, TFTP, RCP, RSH, Telnet, Syslog etc..
Security can see everything but pick known 'bad' ports or recent outbreaks that use certain ports?
Content guys can see their product moving around...
Web guys can see their piece of the pie etc etc etc
Note: Suddenly at any point in time, all your observers become your distributed operations and network monitors!!! An Open Source model to keep the _network_ smooth and efficient...
Client / Server architecture similar in a sense to that of a MMORPG's methods of passing state and object information in a highly compressed format whereby the rendering engine primarily uses the client-side resources. Included may be the concept of Multicast or Peer-to-Peer to distribute information reducing bandwidth consumption. As with the gaming model, administrators may change information in realtime or influence the network also in realtime. Operators could push, only clients could pull. As this mapping would be graph based, holding state information and inter node relationship information ( think link-state / hybrid routing protocols ) each client would have a world view but _build_ his or her own "routing table" or view of the world as a normal router would ( including endpoints too though..! ) and then receive _state_ changes, which, in the message passing syntax would be anything from a threshold alert to a node state change, to a change in the graphical representation of a node in relation to some pre-defined event etc...
So to 're-cap' the 'network game server' as we'll call it handles most of the topology information, message scrubbing and over-all admin rights. ( Think of it as a shiny front end MOM / NMS / Event Correlation engine that understands flows... ) Clients, be they desktop users, network administrators, remote NOC teleworkers or customers who wish to see their relevent part of the network or hosts are performing from a network perspective, all get to see what's going on when, where and _hopefully_ in a distributed environment _we_ can get to the ever more elusive why in a reduced amount of time?
Transparency drives growth, change and improvement.
As information and events are all realtime and streamed in somewhat of a pipeline ( including flows ) it should be possible to ( with accurate network wide NTP ) perform limited tracebacks of incidents, albeit the event must be recognised or pre-defined in some form. This is where baselining and normalisation is exteremely important. SourceFire are doing pretty well in this regard it seems with RNA...
Sounds futuristic? Maybe it's out there already?
Perhaps, but most of my previous posts, in theory, contain close to the correct tools to do this ( well nearly anyway ).... the closest I have seen in operation thus far is a good independent 2D map built by QualysGuards Vulnerability Assessment tool, and OpNet's SPGuru ( perhaps their new 3DNV product? ) that feeds itself from existing NMS's and MOM's like CiscoWorks Information Centre, HP Openview etc..
a) get all related SNMP read strings for routers, switches and firewalls ( if you so do...)
b) ensure your platform has full ACL rights for the above
c) ensure your platform has full port connectivity through firewalls etc to achieve connectivity... ICMP/TCP/UDP
d) allow your platform to fingerprint hosts and nodes and make it an iterative behaviour...
e) allow your object orientated mapping engine to attribute status to graph leaves in real-time as it's rendered
f) have a concept of trending / difference
g) allow your platform to parse routing tables and understand topology ( Hmmmm, stateful or stateless mapping.. guess it needs to build consistent view rather than rebuild each-time to reduce overheads... as with gaming, build the world.. then interpret changes? )
h) perhaps overlay NetFlow (tm) information for close to real-time ( 5min+- ) traffic overlays.. top talkers etc. ( NetFlow(tm) is not realtime but exported in time intervals to collectors where it can be aggregated..
i) perhaps use this engine to allow you to do a form of touchscreen IPS ( Intrusions Prevention System ) on your whole network, thus the final realtime responsibility lies with the Network Operators?
j) X3D http://www.web3d.org/ as a framework instead of the supposedly outdated VRML ?
k) you would possibly need a fast rendering game engine to achieve basic visualisation depending on network size and complexity if not using X3D / VRML.
l) could feed and help with Capacity Management ? RMON + real-time fault-tracking ( ICMP sweeps / SNMP traps )?
Just a thought, but it's kinda where I see the defensive perimieter paradigm being turned inside out as it relates to Information Security with the keywords _realtime_ _complexity_ _perimeter_ _defense_ _ips_... imagine also if the host OS or NOS could tag confidential enterprise information and insert this boolean based tag in the TCP header somewhere ( DSCP / TOS -> QOS-> Public || Confidential ) and then NetFlow also had a header that could see and report on this... you could then see when the information was walking out the network door? This is hugely simplified from the host, file and application context I know.. but it's a thought as it would need to be a standard and built in to document formats. Users could then turn it off perhaps... maybe it could be enforced at a polcy level, but most host based agents don't run on all platforms or would be supported etc alas engineers will always want to run their own OS.... or have root privileges anyway.
This of course does not take in to account making copies on to removable media.. that's another issue... but it would be a start... probably impinging on DRM [Digital Rights Management] but not *really* as it's targeted for a corporate environment only.. and it would be a label / watermark.. not an endpoint restriction.. ( though it could be, I am mainly referring to the network gateways / edge though... ! ) but it lends itself to being auditable and the concept of the "Shrinking Perimeter" being popularised by Dan Geer http://www.verdasys.com/site/content/whitepapers.html
Most of the time companies drop keyword searches for the term "company confidential", or take a copy of encrypted emails for future use. This does not address dns, http, ftp etc... ftp access is not always granted, but http(s) is, either through proxies or direct. Maybe we should give up and not try to control the data leaving the network.. just audit it and focus on employee visibility and compliance? At what point does the complexity, entropy and technology allowing access to information really become manageable, controllable and auditable by humans anyway?
Work and Personal
So I'd like to address 2 topics and what's going on with me right now, both somewhat technologically impacted ( and then of course some interesting links etc.. ):
Personal:
I am having great fun right now with a mixture of PodCasting and the content @ Zencast.org . Free Buddhist classes for the masses, who said Podcasting wouldn't catch on. Today I sat in the sun on Manly beach for 2 hours learning and meditating :)
Work:
With no IT Security Strategy, comprehensive policy, budget, resources and incorrect internal reporting chains.... an outsource trying to drive the clients Information Security Policy and Information Security Management System; the emphasis has to be on initially enumerating information assets and classifying them as part of the companies risk profile / attack surface before engaging in anything else. This unfortunately means, in the absence of any current snapshot of information / physical assets or full knowledge of business processes, an independent audit is needed to achieve a baseline.. with subsequent scans / audits building upon this... with special focus paid to the ousourcing interface and contractual obligations on all parties. ( ...including the other outsourced services / interfaces from other companies / organisations.. )
It also denotes the need for a base level strategy and methodology. The most effective framework in information security right now is a subset of the Parkerian Hexad http://www.answers.com/Parkerian%20Hexad ( C.I.A. / Confideniality, Integrity and Availability ) ratings and also the OODA loop http://www.answers.com/ooda%20loop developed by John Boyd for gathering Intelligence and then Execution in Information Warfare.
General News:
I'd also like to mention a recently given speech at Blackhat by Michael Lynn an ex-ISS security researcher because many see it as a huge threat.... basically apart from the DNS root servers, everyone seems to forget about the routers(tm), as with Cisco's monopoly running IOS on most backbone infrastructure, why own 1000's of hosts.. when you can own the network? Ask yourself what else is ubiquitous... remember the SNMP issues and what about BGP or goofin' with the common implementations of the TCP/IP stack out there?
Some really cool people I admire in the Industry ( you gotta be known when you're in Wikipedia/Answers.com? ):
Rob Thomas http://www.cymru.com/
Dan Kaminsky http://www.doxpara.com/
Dan Geer http://www.answers.com/topic/dan-geer
Bruce Schneier http://www.answers.com/bruce%20schneier
Paul Graham http://www.answers.com/Paul%20graham
Some cool Penetration Testing / Information Security Consulting companies:
Security-Assessment http://www.security-assessment.com/
Corsaire http://www.corsaire.com/
NGS http://www.ngssoftware.com/
Information Security Testing Methodologies:
OSSTMM http://www.isecom.org/osstmm/
OWASP http://www.owasp.org/index.jsp
Back to the concept of network visualisation and graphing I have updated:
Personal:
I am having great fun right now with a mixture of PodCasting and the content @ Zencast.org . Free Buddhist classes for the masses, who said Podcasting wouldn't catch on. Today I sat in the sun on Manly beach for 2 hours learning and meditating :)
Work:
With no IT Security Strategy, comprehensive policy, budget, resources and incorrect internal reporting chains.... an outsource trying to drive the clients Information Security Policy and Information Security Management System; the emphasis has to be on initially enumerating information assets and classifying them as part of the companies risk profile / attack surface before engaging in anything else. This unfortunately means, in the absence of any current snapshot of information / physical assets or full knowledge of business processes, an independent audit is needed to achieve a baseline.. with subsequent scans / audits building upon this... with special focus paid to the ousourcing interface and contractual obligations on all parties. ( ...including the other outsourced services / interfaces from other companies / organisations.. )
It also denotes the need for a base level strategy and methodology. The most effective framework in information security right now is a subset of the Parkerian Hexad http://www.answers.com/Parkerian%20Hexad ( C.I.A. / Confideniality, Integrity and Availability ) ratings and also the OODA loop http://www.answers.com/ooda%20loop developed by John Boyd for gathering Intelligence and then Execution in Information Warfare.
General News:
I'd also like to mention a recently given speech at Blackhat by Michael Lynn an ex-ISS security researcher because many see it as a huge threat.... basically apart from the DNS root servers, everyone seems to forget about the routers(tm), as with Cisco's monopoly running IOS on most backbone infrastructure, why own 1000's of hosts.. when you can own the network? Ask yourself what else is ubiquitous... remember the SNMP issues and what about BGP or goofin' with the common implementations of the TCP/IP stack out there?
Some really cool people I admire in the Industry ( you gotta be known when you're in Wikipedia/Answers.com? ):
Rob Thomas http://www.cymru.com/
Dan Kaminsky http://www.doxpara.com/
Dan Geer http://www.answers.com/topic/dan-geer
Bruce Schneier http://www.answers.com/bruce%20schneier
Paul Graham http://www.answers.com/Paul%20graham
Some cool Penetration Testing / Information Security Consulting companies:
Security-Assessment http://www.security-assessment.com/
Corsaire http://www.corsaire.com/
NGS http://www.ngssoftware.com/
Information Security Testing Methodologies:
OSSTMM http://www.isecom.org/osstmm/
OWASP http://www.owasp.org/index.jsp
Back to the concept of network visualisation and graphing I have updated:
Sunday, July 10, 2005
Building blocks and giant's shoulders....
Newish stuff.... and references that are always good:
3G Related:
Risk related definitions:
Risk Management http://www.answers.com/risk%20management
Risk Assessmenmt http://www.answers.com/topic/risk-assessment
Law as it relates to IT:
http://www.groklaw.net/
Internet Modelling / Risk Modelling:
NetworkViz http://networkviz.sourceforge.net/
CAIDA http://www.caida.org/
OpenQVIS http://openqvis.sourceforge.net/
Opte Project http://www.opte.org/
LGL http://bioinformatics.icmb.utexas.edu/lgl/
( java'ish )
JASPVI http://lab.verat.net/Jaspvi/ ( very cool ASN mapping )
Tom Sawyer http://www.tomsawyer.com/home/index.php
yFiles http://www.yworks.com/
( http://www.yworks.com/en/products_yed_about.htm )
GINY http://csbi.sourceforge.net/
JUNG http://jung.sourceforge.net/
Piccolo (2d) http://www.cs.umd.edu/hcil/piccolo/
OSS Routing Daemons:
ZEBRA http://www.zebra.org/
OpenBGPd http://www.openbgpd.org/
OpenOSPFd ( coming ) http://www.openbgpd.org/
BGP/RADB/Whois type stuff:
http://bgp.potaroo.net/
http://www.dnsstuff.com/
http://www.traceroute.org/
http://www.bgp4.as/tools
More Netflow tools / info:
Netflow info http://www.cisco.com/warp/public/cc/pd/iosw/ioft/neflct/tech/napps_wp.htm
Extreme Happy Netflow Tool http://ehnt.sourceforge.net/
Quick NOS ( Network Operating System ) Emulation:
http://www.dcs.napier.ac.uk/~bill/emulators.html
DNS:
RDNS Project http://www.ripe.net/rs/reverse/rdns-project/
Cisco OSS Related:
COSI http://cosi-nms.sourceforge.net/
Local Internet Registries AU:
http://www.ripe.net/membership/indices/AU.html
- IBE ( Identity Based Encryption ) http://crypto.stanford.edu/ibe/
- SPAM ( The Penny Black Project ) http://research.microsoft.com/research/sv/PennyBlack/
- UDDI ( Universal Description, Discovery and Integration ) http://www.uddi.org/
- PyXML http://pyxml.sourceforge.net/
- XML Services http://www.xml.org/
- Unicode http://www.unicode.org/
- W3C http://www.w3.org/
3G Related:
- @Stake Research http://www.atstake.com/research/reports/
- IEEE Secure Mobile Communications Forum http://www.iee.org/events/securemobile.cfm
- GSM Security http://www.gsm-security.net/
- UMS Forum http://www.umts-forum.org/
- UMTS TDD http://www.umtstdd.org/
- UMTS World Information http://www.umtsworld.com/
- UMTS TD-CDMA http://www.ipwireless.com/
- Cell Phone Hacks http://www.cellphonehacks.com/
Risk related definitions:
Risk Management http://www.answers.com/risk%20management
Risk Assessmenmt http://www.answers.com/topic/risk-assessment
Law as it relates to IT:
http://www.groklaw.net/
Internet Modelling / Risk Modelling:
NetworkViz http://networkviz.sourceforge.net/
CAIDA http://www.caida.org/
OpenQVIS http://openqvis.sourceforge.net/
Opte Project http://www.opte.org/
LGL http://bioinformatics.icmb.utexas.edu/lgl/
( java'ish )
JASPVI http://lab.verat.net/Jaspvi/ ( very cool ASN mapping )
Tom Sawyer http://www.tomsawyer.com/home/index.php
yFiles http://www.yworks.com/
( http://www.yworks.com/en/products_yed_about.htm )
GINY http://csbi.sourceforge.net/
JUNG http://jung.sourceforge.net/
Piccolo (2d) http://www.cs.umd.edu/hcil/piccolo/
OSS Routing Daemons:
ZEBRA http://www.zebra.org/
OpenBGPd http://www.openbgpd.org/
OpenOSPFd ( coming ) http://www.openbgpd.org/
BGP/RADB/Whois type stuff:
http://bgp.potaroo.net/
http://www.dnsstuff.com/
http://www.traceroute.org/
http://www.bgp4.as/tools
More Netflow tools / info:
Netflow info http://www.cisco.com/warp/public/cc/pd/iosw/ioft/neflct/tech/napps_wp.htm
Extreme Happy Netflow Tool http://ehnt.sourceforge.net/
Quick NOS ( Network Operating System ) Emulation:
http://www.dcs.napier.ac.uk/~bill/emulators.html
DNS:
RDNS Project http://www.ripe.net/rs/reverse/rdns-project/
Cisco OSS Related:
COSI http://cosi-nms.sourceforge.net/
Local Internet Registries AU:
http://www.ripe.net/membership/indices/AU.html
Wednesday, June 22, 2005
Mind Mapping
Been looking for a java based cross platform alternative to TheBrain http://www.thebrain.com/ for some time and just found this, FreeMind http://freemind.sourceforge.net/
Also here is a curses based 'hierarchical notebook' called HNB http://hnb.sourceforge.net/ .. enjoy!
Also here is a curses based 'hierarchical notebook' called HNB http://hnb.sourceforge.net/ .. enjoy!
Monday, June 13, 2005
Standards, standards, standards... open?
- ITU ( International Telecommunication Union ) http://www.itu.int/publications/default.aspx
- NGN ( Next Generation Network ) http://www.itu.int/ITU-T/2001-2004/com13/ngn2004/index.html
- ITU-T ( Recommendations ) http://www.itu.int/rec/recommendation.asp?type=series〈=e&parent=T-REC
- ITU-T (Recommendations X ) Information technology - Open Systems Interconnection - Security frameworks for open systems. http://www.itu.int/rec/recommendation.asp?type=products〈=e&parent=T-REC-X
- X.805, X.810-X.816
- Audiovisual and Multimedia Systems http://www.itu.int/rec/recommendation.asp?type=products〈=e&parent=T-REC-H
- International Numbering Resources http://www.itu.int/ITU-T/inr/index.html
- RFC's ( Request For Comments )
- IETF http://www.ietf.org/rfc.html
- FAQs.org http://www.faqs.org/faqs/ ( Internet RFC's and 'other' RFC's )
- ITIL ( IT Infrastructure Library ) http://www.ogc.gov.uk/index.asp?id=2261
- 3G http://www.3gpp.org/
- COSO and COBIT ( Control Objectives for Information and Related Technologies ) http://www.sox-online.com/coso_cobit.html
- ISACA ( Information Systems Audit and Control Association ) http://www.isaca.org/
- ITGI ( IT Governance Institute ) http://www.itgi.org/
- Sarbannes-Oxley http://www.sarbanes-oxley.com/ ( Publicly traded U.S. companies. )
Sunday, June 12, 2005
Password posts / blogs and tech blogs....
Passwords and Passphrases:
Password and Recovery Tools ( Commercial and Free ):
Tech Blogs:
[MSDN - Microsoft Developer Network] http://blogs.msdn.com/larryosterman/default.aspx
- [Windows] Robert Hensing http://blogs.technet.com/robert_hensing/archive/2004/07/28/199610.aspx
- [The Great Debates: Pass Phrases Passwords 1] http://www.microsoft.com/technet/security/secnews/articles/itproviewpoint091004.mspx
- [The Great Debates: Pass Phrases vs. Passwords 2] http://www.microsoft.com/technet/community/columns/secmgmt/sm1104.mspx
- [The Great Debates: Pass Phrases vs. Passwords 3] http://www.microsoft.com/technet/security/secnews/articles/itproviewpoint110104.mspx
Password and Recovery Tools ( Commercial and Free ):
- Winternals ERD http://www.winternals.com/products/repairandrecovery/
- @Stake LC http://www.atstake.com/products/lc/
- UBCD ( Ultimate Boot CD ) http://www.ultimatebootcd.com/
- STD Knoppix http://www.knoppix-std.org/
- Rainbow Tables ( Pre-computed attacks ) http://www.antsight.com/zsl/rainbowcrack/ http://www.rainbowcrack-online
.com/ - Bart PE http://www.nu2.nu/pebuilder/
Tech Blogs:
[MSDN - Microsoft Developer Network] http://blogs.msdn.com/larryosterman/default.aspx
Subscribe to:
Posts (Atom)