In Depth

The World Is Your Perimeter

The castle-and-moat era of information security is over: Now it's described as woven cloth, submarines, onions and Snickers bars. How will CISOs translate nutty metaphors into secure worldwide systems?

By Christopher Lindquist

Page 4

Tools such as these, however, lead to a different security metaphor, in which the model begins to look less like a brick wall surrounding a city and more like oil and water on a sheet of glass, where the water drops represent trusted resources and the oil drops represent untrusted connections. When water drops touch, they instantly merge, each drop intrinsically containing the properties needed to combine seamlessly with other trusted resources. Oil drops, meanwhile, can't make the connection, leaving them on the outside looking in. The model also makes sense when you consider internal threats: The technology that allows for secure outside access could do the same for internal employees.

Back to Tech

Meanwhile, Palmer says, other technologies will enhance security on a more granular level. One possibility is having applications ship with descriptions of what their normal behavior looks like, so that monitoring systems can easily flag deviations from that description as potential attacks.

This approach to perimeter security will become critical as Web services get more pervasive. John Dias, senior security analyst at the Department of Energy's Computer Incident Advisory Capability, says Web services have the potential to let very complex applications reach internal systems simply by coming in over port 80, the HTTP port that perimeter firewalls already leave open. That means more risk, risk that Dias would like to see mitigated by tools that check the validity of Web services traffic at the perimeter rather than just its port number.

Dias is part of the Organization for the Advancement of Structured Information Standards (OASIS) working group developing the Application Vulnerability Description Language (AVDL), an XML vocabulary that would let applications and the scanners that test them tell AVDL-compatible firewalls what kinds of behavior to allow, and what to stop in its tracks. "That approach is going to be more effective for what's going on today," he says.
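The idea behind both the self-describing applications Palmer mentions and the AVDL-aware firewall Dias describes is a positive security model: the application declares what legitimate traffic looks like, and the enforcement point denies everything it did not declare. The following is an added example (not code from the article, and not real AVDL, which is an XML format). The profile format, the endpoint names, the parameter rules and the sample requests are all constructed for illustration.

```python
"""Added example: a web service ships a declarative profile of the requests it
expects, and a perimeter filter admits only what the profile describes.
Everything the profile does not mention is denied.  The profile layout,
endpoints and sample traffic below are hypothetical, not a real AVDL document."""
import re
from urllib.parse import urlsplit, parse_qs

# Hypothetical behaviour profile for a service reachable on port 80.
# Each path lists its permitted methods, a full-match regex per query
# parameter, and the largest request body it ever expects.
PROFILE = {
    "/api/orders": {
        "methods": {"GET", "POST"},
        "params": {"id": r"[0-9]{1,10}", "status": r"open|closed"},
        "max_body": 4096,
    },
    "/api/health": {"methods": {"GET"}, "params": {}, "max_body": 0},
}

def check_request(method, target, body=b""):
    """Return (allowed, reason).  Anything the profile does not declare is denied."""
    parts = urlsplit(target)
    rules = PROFILE.get(parts.path)
    if rules is None:
        return False, "undeclared path %s" % parts.path
    if method not in rules["methods"]:
        return False, "method %s not declared for %s" % (method, parts.path)
    if len(body) > rules["max_body"]:
        return False, "body %d bytes exceeds %d" % (len(body), rules["max_body"])
    # parse_qs percent-decodes values, so the check sees what the app would see.
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        pattern = rules["params"].get(name)
        if pattern is None:
            return False, "undeclared parameter %s" % name
        for value in values:
            if not re.fullmatch(pattern, value):
                return False, "parameter %s=%r does not match %s" % (name, value, pattern)
    return True, "ok"

# Constructed sample traffic: three legitimate requests and three that a
# port-80-only firewall would pass unchallenged but the profile rejects.
SAMPLE = [
    ("GET", "/api/orders?id=42"),
    ("POST", "/api/orders?status=open"),
    ("GET", "/api/health"),
    ("GET", "/api/orders?id=42%20OR%201=1"),   # injection attempt in id
    ("DELETE", "/api/orders?id=42"),            # method never declared
    ("GET", "/admin/console"),                  # endpoint never declared
]

def filter_traffic(requests=SAMPLE):
    """Run the profile over (method, target) pairs; return the denied ones with reasons."""
    denied = []
    for method, target in requests:
        allowed, reason = check_request(method, target)
        if not allowed:
            denied.append((method, target, reason))
    return denied

if __name__ == "__main__":
    for method, target, reason in filter_traffic():
        print("DENY %s %s: %s" % (method, target, reason))
```

Note the failure mode this model trades away: a profile that is incomplete blocks legitimate traffic, which is why the article's sources want the application itself, not an operator guessing, to supply the description. Keep the profile versioned with the application so the two never drift.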

Mike Rider, professor of electrical and computer engineering and computer science at Carnegie Mellon University, envisions a time when security looks less like a wall of bricks and more like a wall of organic cells, full of diversity and redundancy, and naturally designed to fight off attackers. A similar concept underlies the (controversial) paper "CyberInsecurity: The Cost of Monopoly," recently advanced by security luminaries such as Dan Geer and Bruce Schneier, which argues that a software monoculture lets a single exploit cascade across nearly every system at once.

"How do biological systems survive? With lots of cells, all diverse," says Rider. "They don't all share common vulnerabilities. [You could] apply these techniques within computer systems." Rider says Carnegie Mellon is doing research on systems that redundantly check each other for the results of possible attacks, similar to what happens in modern fault-tolerant computing.

Diversity, however, is harder to engineer. Instead of shipping millions of identical copies of an application, software providers could introduce small, random changes into each copy, altering its internal layout (but not its function) just enough that any single exploit would work against only a small percentage of the installed base.
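The payoff of that randomization is statistical, and the following added example (not from the article) makes the numbers concrete. It simulates a fleet of copies in which each copy randomizes the address of one routine an attacker wants to return into, then runs two attackers over the fleet: a worm that replays one fixed payload everywhere, and a targeted attacker who first leaks each copy's layout. All addresses, slot counts and fleet sizes are constructed.

```python
"""Added example: simulating per-copy software diversity.  Each copy places a
target routine at a random page offset; an exploit carrying a fixed address
succeeds only on copies whose layout happens to match.  All values are
constructed for illustration; nothing here is real exploit code."""
import random

PAGE = 0x1000

def monoculture(n_copies, base=0x08048000):
    """Identical copies: the routine lives at the same address in every one."""
    return [base] * n_copies

def build_fleet(n_copies, base=0x08048000, slots=256, seed=1):
    """Diversified copies: the routine lives at base + k*PAGE for a random k
    chosen from `slots` positions.  A fixed seed keeps the run reproducible."""
    rng = random.Random(seed)
    return [base + rng.randrange(slots) * PAGE for _ in range(n_copies)]

def exploit_succeeds(payload_addr, copy_addr):
    """The overflow overwrites a return address with payload_addr; it works
    only if that is where this copy's routine actually is."""
    return payload_addr == copy_addr

def mass_attack(fleet):
    """Worm-style attacker: builds one payload from the first copy it owns and
    replays it unchanged.  Returns the fraction of the fleet it compromises."""
    payload_addr = fleet[0]
    hits = sum(exploit_succeeds(payload_addr, addr) for addr in fleet)
    return hits / len(fleet)

def targeted_attack(fleet, leak):
    """Attacker with an info leak: `leak(addr)` models reading each copy's real
    layout before firing, so the payload is tailored per copy."""
    hits = sum(exploit_succeeds(leak(addr), addr) for addr in fleet)
    return hits / len(fleet)

def diversity_report(n_copies=10000, slots=256):
    """Compare monoculture, diversified, and diversified-with-leak outcomes."""
    mono = monoculture(n_copies)
    diverse = build_fleet(n_copies, slots=slots)
    return {
        "monoculture": mass_attack(mono),
        "diverse": mass_attack(diverse),
        "expected_diverse": 1.0 / slots,
        "diverse_with_leak": targeted_attack(diverse, lambda addr: addr),
    }

if __name__ == "__main__":
    for name, frac in diversity_report().items():
        print("%-20s %.4f" % (name, frac))
```

The diversified fraction lands near 1/slots, so the defender's lever is the amount of entropy each copy carries; the last line of the report is the caveat a practitioner should keep in mind, since a leak of the target's own layout (the general weakness of address-space randomization) returns the attacker to a 100 percent hit rate regardless of how many variants were shipped.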
