
June 15, 2007

Port Puppets Please Stand Up

I generally stay out of the line of fire when there’s a religious war raging. I was going to stay out of this one, too, but the temptation is just too much (and the flesh is weak, etc.).

I admit it - I’m one of those “port puppets” that Chris Hoff refers to. I kind of like the term, it has cachet to it, and might even look good on a T-shirt.

In case you aren’t following the religious wars going on in the security blogs and elsewhere, let me bring you up to date.

It goes like this. If you are in the client software business, then security has to be done in the endpoints and the network is just dumb “plumbing,” or rather, it might as well be because you can’t assume anything about it. If you sell appliances that sit here and there in the network, the network sprouts two layers, with the “plumbing” part separated from the “intelligence.” Makes sense, I guess. But if you sell switches and routers then the intelligence must be integrated in with the infrastructure. Now I get it. Or maybe I’m missing the point, what if you sell both appliances and infrastructure?

The odd thing is, just like in real life, everybody’s right and everybody’s wrong, but nobody’s completely right and nobody’s completely wrong. Taking a real-life analogy, you wouldn’t park your car in a dodgy neighborhood without worrying whether the door locks and alarm were enough to prevent a break-in. You’d feel a bit more secure with something more happening on the street, say, a cop walking his beat, or the car in a lot or garage with an attendant. Similarly, you wouldn’t tolerate burglars coming up and routinely rattling all your windows and doors looking for the one you forgot to latch. No, you would lock the doors, maybe get an alarm system, and call 911 if it happened. So why leave your endpoints, the ones that have all those vulnerabilities that created the security industry in the first place, to be hit on by bots, “guests,” and anyone else that wants to? I don’t know about you, but I would want both something on the endpoint, knowing it won’t be 100% but better than nothing, and also something in the network to stop the nasty stuff, preferably before it even got in.

Now, let’s talk about getting on the network. If the switches are just dumb plumbing they will blindly let anyone on, friend or foe, so you at least need to beef up the dumb plumbing with admission enforcement points. And you want to put malware sensors where they can be effective, ideally close to entry points, to minimize the risk of having the network infrastructure taken down. So, where do you want to put the intelligence, close to the entry enforcement points or someplace further in the bowels of the network where the dumb plumbing might have plugged-and-played a path around your expensive intelligent appliance?

If the appliance is to be effective, it has to sit at a choke point and really be an enforcement point. And it has to have some smarts of its own. Like the secure switch that we make.

Joseph Tardo, Ph.D.



Listed below are links to weblogs that reference Port Puppets Please Stand Up:

» Really, There's More to Security than Admission/Access Control... from Rational Security
Dr. Joseph Tardo over at the Nevis Networks Illuminations blog composed a reasonably well-balanced commentary regarding one or more of my posts in which I was waxing on philosophically about my beliefs regarding keeping the network plumbing dumb and [Read More]

Comments

Well done, Joseph. Fair and balanced.

The funny thing is that if you read my blog across posts, it echoes what you say; I talk about network overlay, host-based, and data-centric security.

The departure point for me is that what you describe in terms of the security functionality embedded in the network isn't "intelligence" at all...it's the low hanging implementation of admission control with an extension to access control...with IAM tied into it.

Intelligence? Do tell.

...at any rate, you're right about one thing inasmuch as this is a religious debate which is why I practice polytheism... ;)

I wonder, however, would you consider Nevis a security company or an infrastructure company? If you answer "both" you'll highlight the issue at hand.

I'll follow-up with a blog entry.

Thanks for the discourse.

/Hoff
