<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://msmvps.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Risque Management : Architecture</title><link>http://msmvps.com/blogs/sp/archive/tags/Architecture/default.aspx</link><description>Tags: Architecture</description><dc:language>en</dc:language><generator>CommunityServer 2008.5 SP2 (Build: 40407.4157)</generator><item><title>How not to make decisions</title><link>http://msmvps.com/blogs/sp/archive/2009/04/12/how-not-to-make-decisions.aspx</link><pubDate>Mon, 13 Apr 2009 01:39:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:1687064</guid><dc:creator>Slav</dc:creator><slash:comments>1</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/sp/rsscomments.aspx?PostID=1687064</wfw:commentRss><comments>http://msmvps.com/blogs/sp/archive/2009/04/12/how-not-to-make-decisions.aspx#comments</comments><description>&lt;p&gt;In the past week, I had a number of discussions about information security and technology in general. With colleagues, we identified a few common patterns in corporate decision-making - and those are case studies in how decisions &lt;i&gt;shouldn&amp;#39;t&lt;/i&gt; be made. Here are some examples:&lt;/p&gt;
&lt;p&gt;&lt;b&gt;We need mature solutions.&lt;/b&gt; Can anybody define maturity when it comes to IT? Is Intranetware a mature solution for network file and print services? Whenever you hear &lt;i&gt;maturity&lt;/i&gt; or &lt;i&gt;business acumen&lt;/i&gt;, or something like that, reach for your wallet. Fact: early adoption of technology works better in most cases. That&amp;#39;s because you get better support from the technology partner, more features, more time before the next upgrade, and staff who feel good because they are working on something new.&lt;/p&gt;
&lt;p&gt;&lt;b&gt;Everyone else does it, so it must be good.&lt;/b&gt; This is the &amp;quot;best practice&amp;quot; fallacy. Cases in point: &lt;i&gt;do not broadcast the WLAN SSID; VLANs are for security;&lt;/i&gt; and &lt;i&gt;multihoming servers (giving them separate physical connections to different security zones) is a security feature&lt;/i&gt;. None of these survives a reality check such as scenario-based threat analysis: a hidden SSID is still sent in the clear in probe and association frames, so any passive sniffer recovers it; a VLAN is a broadcast-domain boundary and only becomes a security boundary if something enforces policy where traffic crosses between VLANs; and a server with an interface in each zone is a bridge that bypasses the firewall the moment the server itself is compromised. Yet the myths persist in people&amp;#39;s minds and get embedded in assorted standards like PCI - resulting in costlier infrastructures that are more complex to build and support.&lt;/p&gt;
&lt;p&gt;&lt;b&gt;We don&amp;#39;t really know what we&amp;#39;re doing, but let&amp;#39;s do it anyway.&lt;/b&gt; That is, decisions large and small are made on the basis of uncertainty and lack of knowledge. Cases in point: &lt;i&gt;we don&amp;#39;t know what this software update does, so let&amp;#39;s have a full system restore as the backout plan&lt;/i&gt;; &lt;i&gt;I heard that a virtual machine will have some kind of issue running our application, so please use physical&lt;/i&gt; (that one came from a Microsoft engineer, with no details of the issue given despite repeated questions); and &lt;i&gt;we don&amp;#39;t know how the database server will perform when the database reaches 4TB, so let&amp;#39;s go Oracle RAC&lt;/i&gt;. If you don&amp;#39;t know what the software update does, find out by looking inside the installation package: the file list, the pre- and post-install scripts and the permissions it sets tell you what will change. If you have concerns about database performance, create a performance baseline and come up with an automated stress test of some sort; the database size by itself doesn&amp;#39;t mean much.&lt;/p&gt;
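&lt;p&gt;As an added example (not code from the original post), here is a script that does what the last point recommends: open an update package and report what it would actually do before anyone approves it. The package is a tar archive constructed in memory as a stand-in for the payload of a real .deb or .rpm (whose outer formats differ); the paths, the list of &amp;quot;sensitive&amp;quot; locations, the maintainer script names and the commands flagged inside them are assumptions for the illustration.&lt;/p&gt;

```python
import io
import tarfile

# Assumed lists for the illustration: places where an update writing files
# deserves a closer look, the usual names of maintainer scripts, and commands
# in those scripts that change the system beyond copying files.
SENSITIVE_PREFIXES = ("etc/", "usr/bin/", "usr/sbin/", "usr/lib/", "boot/")
SCRIPT_NAMES = ("preinst", "postinst", "prerm", "postrm", "install.sh")
ACTIONS_OF_INTEREST = ("useradd", "systemctl", "chmod", "chown", "curl", "wget", "iptables")


def build_sample_package():
    """Construct a small tar archive in memory that stands in for an update package.

    Real .deb and .rpm files wrap their payload differently (ar + tar, cpio),
    but the questions to ask of the contents are the same.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add(name, data, mode=0o644):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = mode
            tar.addfile(info, io.BytesIO(data))

        add("./usr/lib/app/app.jar", b"jar-bytes")
        add("./etc/cron.d/app-refresh", b"*/5 * * * * root /usr/lib/app/refresh\n")
        add("./usr/bin/app-helper", b"#!/bin/sh\necho helper\n", mode=0o4755)  # setuid
        add("./postinst", b"#!/bin/sh\nuseradd -r app\nsystemctl enable app\n", mode=0o755)
    return buf.getvalue()


def normalise(name):
    """Strip leading './' segments so paths compare against the prefixes above."""
    while name.startswith("./"):
        name = name[2:]
    return name.lstrip("/")


def audit_package(package_bytes):
    """Return a report of what the package would change: files, sensitive paths,
    setuid/setgid binaries, and the maintainer scripts with their notable commands."""
    report = {"files": [], "sensitive": [], "setuid": [], "scripts": {}}
    with tarfile.open(fileobj=io.BytesIO(package_bytes), mode="r") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            name = normalise(member.name)
            report["files"].append(name)
            if name.startswith(SENSITIVE_PREFIXES):
                report["sensitive"].append(name)
            special_bits = (member.mode // 0o1000) % 8   # 4 = setuid, 2 = setgid, 1 = sticky
            if special_bits // 2 > 0:
                report["setuid"].append(name)
            if name.rsplit("/", 1)[-1] in SCRIPT_NAMES:
                body = tar.extractfile(member).read().decode("utf-8", "replace")
                actions = [line.strip() for line in body.splitlines()
                           if any(cmd in line for cmd in ACTIONS_OF_INTEREST)]
                report["scripts"][name] = actions
    return report


def format_report(report):
    """Render the report as text a change-review board can read."""
    lines = ["%d files in package" % len(report["files"])]
    lines += ["writes to sensitive path: " + p for p in report["sensitive"]]
    lines += ["setuid/setgid binary: " + p for p in report["setuid"]]
    for script, actions in report["scripts"].items():
        lines.append("script %s runs: %s" % (script, "; ".join(actions) or "(nothing notable)"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(audit_package(build_sample_package())))
```

&lt;p&gt;The point is the report, not the tooling: a setuid binary, a cron entry and a post-install script that creates a user are facts about the update that turn &amp;quot;we don&amp;#39;t know what it does&amp;quot; into a list of specific changes to review, and into a backout plan proportionate to them. Run it against the extracted payload of the real package instead of the sample.&lt;/p&gt;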
&lt;p&gt;Decisions should be made based on knowledge and facts.&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://msmvps.com/aggbug.aspx?PostID=1687064" width="1" height="1"&gt;</description><category domain="http://msmvps.com/blogs/sp/archive/tags/Architecture/default.aspx">Architecture</category><category domain="http://msmvps.com/blogs/sp/archive/tags/FUD/default.aspx">FUD</category></item><item><title>Pictures at a VMWare Exhibition</title><link>http://msmvps.com/blogs/sp/archive/2007/10/28/pictures-at-a-vmware-exhibition.aspx</link><pubDate>Mon, 29 Oct 2007 02:30:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:1272518</guid><dc:creator>Slav</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/sp/rsscomments.aspx?PostID=1272518</wfw:commentRss><comments>http://msmvps.com/blogs/sp/archive/2007/10/28/pictures-at-a-vmware-exhibition.aspx#comments</comments><description>&lt;p&gt;Not really pictures, but a few notes from the recent VMWare Virtualisation Forum - the regional mini-VMWorld. It started with a lot of pictures - trees, water, animals and, I think, smiling babies. When an event starts with those, expect a lot of marketing dung - and we got plenty in a day. For example, one of the VMWare keynote speakers said that &lt;em&gt;virtualisation is the only way to&amp;nbsp;manage hardware resources efficiently&lt;/em&gt;. Or, in the words of BEA&amp;#39;s leaflet: &lt;em&gt;Virtualization: Same Servers, More capacity.&lt;/em&gt; As if the hypervisor and the OS image for each guest took none. Or as if this apparent inefficiency were compensated by the flexibility of allocating more resources, should the need arise. &lt;strong&gt;If you cannot effectively manage resources on&amp;nbsp;physical servers, you&amp;#39;re likely to waste them in virtual ones&lt;/strong&gt;. Virtualisation just gives a chance for a fresh start - and some different tools.&lt;/p&gt;
&lt;p&gt;VMWare&amp;#39;s updated product line includes an OS patching solution that will allow patching systems that are shut down. Virtually shut down, of course. I believe this is the industry&amp;#39;s first. My concern is that VMWare is losing focus: they shouldn&amp;#39;t really go into patching and software delivery.&lt;/p&gt;
&lt;p&gt;Both EMC and Network Appliance were presenting their storage offerings. Virtualisation requires shared storage, and those vendors are ready to sell - at a premium price. One thing they aren&amp;#39;t interested in is enterprise storage commoditisation (despite the fact that commoditisation would let them enter the mass market). But NetApp mentioned something that is definitely worth noting: good old NFS provides a solid and viable alternative to Fibre Channel- and iSCSI-connected storage. This blog post explains why: &lt;a class="" href="http://storagefoo.blogspot.com/2007/09/vmware-over-nfs.html" target="_blank"&gt;VMWare over NFS&lt;/a&gt;. Suddenly &lt;strong&gt;NFS is&amp;nbsp;making a comeback&lt;/strong&gt;. Enterprise-class virtualisation with commodity and/or open source storage is coming.&lt;/p&gt;
&lt;p&gt;Both storage vendors also presented their backup offerings. Two main points: direct-from-storage backups and data de-duplication. Watch this space - backups may finally become reliable and usable!&lt;/p&gt;
&lt;p&gt;IBM was touting a new server. While doing so, they admitted that the big-iron, multi-CPU approach is much better than using blades. Surprisingly, many people believe that blade servers&amp;nbsp;are the best platform for virtualisation - in fact, the opposite is true.&lt;/p&gt;
&lt;p&gt;Wyse and HP pushed their desktop virtualisation solutions - i.e. thin clients. After so many failures, will thin client solutions succeed? I&amp;#39;m sceptical. Virtual desktops tend to be more expensive than traditional desktops. But the functionality is less crippled this time around - thanks to a full dedicated&amp;nbsp;OS image per client.&lt;/p&gt;
&lt;p&gt;Overall, the virtualisation drive is a welcome shakeup of the industry. But promises - and expectations - tend to be overblown.&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://msmvps.com/aggbug.aspx?PostID=1272518" width="1" height="1"&gt;</description><category domain="http://msmvps.com/blogs/sp/archive/tags/Integration/default.aspx">Integration</category><category domain="http://msmvps.com/blogs/sp/archive/tags/Architecture/default.aspx">Architecture</category></item><item><title>Zero-knowledge Intrusion: upcoming 2600 article</title><link>http://msmvps.com/blogs/sp/archive/2007/09/17/hids-avoidance-for-masses.aspx</link><pubDate>Mon, 17 Sep 2007 09:20:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:1201962</guid><dc:creator>Slav</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/sp/rsscomments.aspx?PostID=1201962</wfw:commentRss><comments>http://msmvps.com/blogs/sp/archive/2007/09/17/hids-avoidance-for-masses.aspx#comments</comments><description>&lt;p&gt;Soon &lt;a class="" href="http://www.2600.com/" target="_blank"&gt;2600&lt;/a&gt; will publish my article on practical NIDS avoidance. As soon as it comes out, it will be on &lt;a class="" href="http://sl.mvps.org/" target="_blank"&gt;my Web site&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;&lt;br /&gt;The magazine is quite interesting reading - sometimes entertaining, sometimes educating, never boring. I&amp;#39;m glad to contribute.&lt;br /&gt;&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://msmvps.com/aggbug.aspx?PostID=1201962" width="1" height="1"&gt;</description><category domain="http://msmvps.com/blogs/sp/archive/tags/Security/default.aspx">Security</category><category domain="http://msmvps.com/blogs/sp/archive/tags/Hacks/default.aspx">Hacks</category><category domain="http://msmvps.com/blogs/sp/archive/tags/Architecture/default.aspx">Architecture</category></item><item><title>Single authority principle</title><link>http://msmvps.com/blogs/sp/archive/2007/05/15/single-authority-principle.aspx</link><pubDate>Tue, 15 May 2007 09:04:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:905312</guid><dc:creator>Slav</dc:creator><slash:comments>2</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/sp/rsscomments.aspx?PostID=905312</wfw:commentRss><comments>http://msmvps.com/blogs/sp/archive/2007/05/15/single-authority-principle.aspx#comments</comments><description>&lt;p&gt;One of the biggest issues in today&amp;#39;s IT architectures is overengineering. Excessively complicated solutions are bound to be less reliable and less secure. Every additional component in a solution is a potential point of failure. Well, not necessarily in terms of reliability (clusters, you know) - but certainly from a security standpoint, as it adds a potential vulnerability and attack point.&lt;/p&gt;
&lt;p&gt;And it creates some interesting issues. An example is a popular approach to identity management: using the HR database as the &amp;quot;source of truth&amp;quot; about company staff. The corporate directory (your AD, or NDS) is populated from the HR database, using middleware. If you&amp;#39;re using the same corporate directory for controlling access to the HR database, the result is an access management &lt;a class="" href="http://en.wikipedia.org/wiki/Chicken-and-egg_problem" target="_blank"&gt;chicken-and-egg problem&lt;/a&gt;: who is the authority? Besides, attackers now have two targets for taking control of the entire enterprise infrastructure (and the middleware, the identity management system, is a third, equally important one). The approach that avoids that situation was developed centuries ago by the world&amp;#39;s militaries: &lt;strong&gt;use a single authority&lt;/strong&gt;.&lt;/p&gt;
&lt;p&gt;Using the HR database as the source of truth does make sense, as it contains information about those who are paid by the company. However, it so happens that &lt;strong&gt;the incidents that are most difficult to investigate are not caused by paid staff using their own accounts&lt;/strong&gt;. A few years ago the security industry was shifting its focus towards the &lt;em&gt;malicious insider&lt;/em&gt;. But recent events prove that classic intrusions without apparent access abuse are still a big threat. Take &lt;a class="" href="http://online.wsj.com/article_email/article_print/SB117824446226991797.html" target="_blank"&gt;TJX and their insecure wireless network&lt;/a&gt;. Nevertheless, we should soon see closer integration between business systems like HR, identity management solutions and the corporate directory. &lt;a class="" href="http://www.oracle.com/products/middleware/identity-management/identity-management.html" target="_blank"&gt;Oracle is making steps in that direction already&lt;/a&gt;. I like Microsoft&amp;#39;s Active Directory and would like to see some effort in that ecosystem as well.&lt;/p&gt;
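&lt;p&gt;As an added illustration (not from the original post), the arrangement just described can be written down as a graph of control relations and checked mechanically. The system names and edges are assumptions: an edge from A to B means that controlling A gives control over the accounts in B, which covers both provisioning (the HR feed and the middleware write accounts into the directory) and access control (the directory decides who may administer the HR database). The check reports the chicken-and-egg cycle and the set of systems an attacker could take over to reach the directory; the second graph is one arrangement that satisfies the single-authority principle, offered as an assumption rather than as the post&amp;#39;s prescription.&lt;/p&gt;

```python
# Constructed model of the arrangement described above. An edge A -> B means
# "control of A gives control over the accounts in B": HR feeds the identity
# management (IdM) middleware, the middleware provisions Active Directory, and
# Active Directory controls who may log on to the HR database. The system
# names are assumptions for the illustration.
CONTROL_EDGES = {
    "HR database": ["IdM middleware"],
    "IdM middleware": ["Active Directory"],
    "Active Directory": ["HR database", "File servers", "Mail"],
    "File servers": [],
    "Mail": [],
}

# One arrangement that satisfies the single-authority principle (an assumption,
# not the post's prescription): access to the HR database is no longer decided
# by the directory it feeds, so the dependency chain has a single root.
SINGLE_AUTHORITY_EDGES = {
    "HR database": ["IdM middleware"],
    "IdM middleware": ["Active Directory"],
    "Active Directory": ["File servers", "Mail"],
    "File servers": [],
    "Mail": [],
}


def find_cycle(edges):
    """Return the first control cycle found as a closed path, or None if there is none."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {node: WHITE for node in edges}
    for start in edges:
        if colour[start] != WHITE:
            continue
        stack = [(start, iter(edges[start]))]
        colour[start] = GREY
        while stack:
            node, successors = stack[-1]
            nxt = next(successors, None)
            if nxt is None:
                colour[node] = BLACK
                stack.pop()
            elif colour[nxt] == GREY:
                path = [n for n, _ in stack]          # the DFS stack is the current path
                return path[path.index(nxt):] + [nxt]
            elif colour[nxt] == WHITE:
                colour[nxt] = GREY
                stack.append((nxt, iter(edges[nxt])))
    return None


def controllers_of(edges, target):
    """Systems whose compromise reaches the target through the control edges."""
    reverse = {node: [] for node in edges}
    for src, dsts in edges.items():
        for dst in dsts:
            reverse[dst].append(src)
    seen, frontier = {target}, [target]
    while frontier:
        node = frontier.pop()
        for pred in reverse[node]:
            if pred not in seen:
                seen.add(pred)
                frontier.append(pred)
    seen.discard(target)
    return seen


def check_single_authority(edges):
    """Return a list of violations: a control cycle, or not exactly one root authority."""
    problems = []
    cycle = find_cycle(edges)
    if cycle:
        problems.append("control cycle: " + " -> ".join(cycle))
    incoming = {node: 0 for node in edges}
    for dsts in edges.values():
        for dst in dsts:
            incoming[dst] += 1
    roots = sorted(node for node, count in incoming.items() if count == 0)
    if len(roots) != 1:
        problems.append("expected one authority, found %d: %s" % (len(roots), roots))
    return problems


if __name__ == "__main__":
    for label, graph in (("as described", CONTROL_EDGES),
                         ("single authority", SINGLE_AUTHORITY_EDGES)):
        print(label, "->", check_single_authority(graph) or "OK")
        print("  systems that reach Active Directory:",
              sorted(controllers_of(graph, "Active Directory")))
```

&lt;p&gt;On the graph as described, the check finds the cycle HR database, IdM middleware, Active Directory, HR database, and reports that there is no root authority at all; the reachability query lists both the HR database and the middleware as systems whose compromise ends in control of the directory, which is the &amp;quot;three targets&amp;quot; point above. The same check applied to a design document is a cheap way to catch this before the middleware is bought.&lt;/p&gt;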
&lt;p&gt;But that is a move towards identity and access management based on a military principle. &lt;strong&gt;It would be very interesting to see a system that is based on democratic principles&lt;/strong&gt;. That is unseen so far but may well be an interesting change in the enterprise space.&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://msmvps.com/aggbug.aspx?PostID=905312" width="1" height="1"&gt;</description><category domain="http://msmvps.com/blogs/sp/archive/tags/Identity/default.aspx">Identity</category><category domain="http://msmvps.com/blogs/sp/archive/tags/Business/default.aspx">Business</category><category domain="http://msmvps.com/blogs/sp/archive/tags/Architecture/default.aspx">Architecture</category></item><item><title>Measuring efficiency of systems management</title><link>http://msmvps.com/blogs/sp/archive/2007/05/03/measuring-efficiency-of-systems-management.aspx</link><pubDate>Thu, 03 May 2007 09:00:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:888784</guid><dc:creator>Slav</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/sp/rsscomments.aspx?PostID=888784</wfw:commentRss><comments>http://msmvps.com/blogs/sp/archive/2007/05/03/measuring-efficiency-of-systems-management.aspx#comments</comments><description>&lt;p&gt;Have you ever wondered how efficient your systems management is? Here are some questions that will let you build metrics for it:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;
&lt;div&gt;How many network interfaces are currently connected to your IP network?&lt;/div&gt;&lt;/li&gt;
&lt;li&gt;
&lt;div&gt;How many hosts are there, and what OS are they running?&lt;/div&gt;&lt;/li&gt;
&lt;li&gt;
&lt;div&gt;For each OS, how many systems are up to date with the latest patches?&lt;/div&gt;&lt;/li&gt;
&lt;li&gt;
&lt;div&gt;How long did it take to complete the latest patch cycle (that successfully updated 100% of the OS population)?&lt;/div&gt;&lt;/li&gt;
&lt;li&gt;
&lt;div&gt;For the systems that run an antivirus/malware protection, how many are up to date with the latest configurations?&lt;/div&gt;&lt;/li&gt;
&lt;li&gt;
&lt;div&gt;How many &lt;em&gt;users&lt;/em&gt; are currently connected to the network?&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;
&lt;p&gt;Except for the last one, you should have a way of answering those questions. &lt;strong&gt;If you don&amp;#39;t then you can stop pretending that the systems connecting to your network are actually managed&lt;/strong&gt;.&lt;/p&gt;
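&lt;p&gt;As an added example (not part of the original post), here is how the questions above turn into numbers when two feeds are reconciled: an ARP or DHCP export, which says what is on the wire right now, and the inventory your management agent reports, which says what you believe you manage. The sample feeds, hostnames, addresses, patch levels and versions are constructed for the illustration.&lt;/p&gt;

```python
from datetime import date

# Constructed sample feeds standing in for real exports: an ARP/DHCP table (what
# is on the wire right now) and agent inventory records (what we think we manage).
# Hostnames, addresses, patch levels and versions are assumptions for the illustration.
ARP_TABLE = [
    ("10.0.1.10", "00:11:22:33:44:01"),
    ("10.0.1.11", "00:11:22:33:44:02"),
    ("10.0.1.12", "00:11:22:33:44:03"),
    ("10.0.1.13", "00:11:22:33:44:04"),
    ("10.0.1.14", "00:11:22:33:44:05"),   # no inventory record knows this MAC
]
INVENTORY = [
    {"host": "ws01",  "mac": "00:11:22:33:44:01", "os": "Windows", "patch_level": "2007-04", "patched_at": "2007-04-18", "av_config": 43},
    {"host": "ws02",  "mac": "00:11:22:33:44:02", "os": "Windows", "patch_level": "2007-04", "patched_at": "2007-04-20", "av_config": 42},
    {"host": "srv01", "mac": "00:11:22:33:44:03", "os": "Windows", "patch_level": "2007-03", "patched_at": "2007-03-15", "av_config": 43},
    {"host": "lx01",  "mac": "00:11:22:33:44:04", "os": "Linux",   "patch_level": "2007-04", "patched_at": "2007-04-12", "av_config": None},
    {"host": "lx02",  "mac": "00:11:22:33:44:06", "os": "Linux",   "patch_level": "2007-02", "patched_at": "2007-02-09", "av_config": None},  # not on the wire
]
LATEST_PATCH_LEVEL = {"Windows": "2007-04", "Linux": "2007-04"}
LATEST_AV_CONFIG = 43
PATCH_CYCLE_START = date(2007, 4, 10)


def compute_metrics(arp_table, inventory, latest_patch, latest_av, cycle_start):
    """Answer the questions above from the two feeds; every value is a count or a list."""
    known_macs = {rec["mac"] for rec in inventory}
    on_wire = {mac for _, mac in arp_table}

    hosts_by_os = {}
    patch_current = {}          # os -> (hosts at the latest level, hosts in total)
    for rec in inventory:
        os_name = rec["os"]
        hosts_by_os[os_name] = hosts_by_os.get(os_name, 0) + 1
        current, total = patch_current.get(os_name, (0, 0))
        is_current = rec["patch_level"] == latest_patch[os_name]
        patch_current[os_name] = (current + (1 if is_current else 0), total + 1)

    # The cycle is complete only when 100% of the population is current; until
    # then its duration is unknown, not "so far".
    all_current = bool(inventory) and all(c == t for c, t in patch_current.values())
    cycle_days = None
    if all_current:
        finished = max(date.fromisoformat(rec["patched_at"]) for rec in inventory)
        cycle_days = (finished - cycle_start).days

    # Only systems that run malware protection count towards the AV metric.
    with_av = [rec for rec in inventory if rec["av_config"] is not None]
    av_current = sum(1 for rec in with_av if rec["av_config"] == latest_av)

    return {
        "interfaces_connected": len(arp_table),
        "unmanaged_interfaces": [(ip, mac) for ip, mac in arp_table if mac not in known_macs],
        "hosts_by_os": hosts_by_os,
        "patch_current_by_os": patch_current,
        "patch_cycle_days": cycle_days,
        "av_current": (av_current, len(with_av)),
        "not_seen_on_network": [rec["host"] for rec in inventory if rec["mac"] not in on_wire],
    }


if __name__ == "__main__":
    metrics = compute_metrics(ARP_TABLE, INVENTORY, LATEST_PATCH_LEVEL,
                              LATEST_AV_CONFIG, PATCH_CYCLE_START)
    for key, value in metrics.items():
        print("%-22s %s" % (key, value))
```

&lt;p&gt;Two of the outputs are the ones to watch: an interface on the network whose MAC address no inventory record knows is an unmanaged system, and an inventory record whose MAC address has not been seen is a system you cannot answer any of the other questions about. The patch cycle duration is deliberately reported as unknown until the whole population is current, because &amp;quot;95% in two weeks&amp;quot; is not the number the question asks for.&lt;/p&gt;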
&lt;p&gt;You might as well remove the network from the picture (maybe because &lt;a class="" href="http://msmvps.com/blogs/sp/archive/2007/02/19/endpoint-security-not-there-yet.aspx" target="_blank"&gt;endpoint security is not there yet&lt;/a&gt;) and consider the entire fleet of computer systems that belong to your organisation. But I reckon that won&amp;#39;t help much in answering the questions. How do you know what&amp;#39;s on a system that hasn&amp;#39;t connected back to your network for three months? Information about its patching and malware protection state, its application environment and its user is not available. So perhaps we&amp;#39;ll have to wait for the system to connect back to the network, where it can be managed (which brings us back to question 1)?&lt;/p&gt;
&lt;p&gt;No.&amp;nbsp;&lt;strong&gt;The Internet is also your network&lt;/strong&gt;. And&amp;nbsp;there is a good model to follow for systems management: &lt;a class="" href="http://na.blackberry.com/eng/ataglance/solutions/" target="_blank"&gt;BlackBerry Enterprise Solution&lt;/a&gt;. It lets you buy a device off the shelf and build it to become part of your enterprise - securely. It is location- and connectivity-independent. And&amp;nbsp;it lets you configure the devices so that they wipe themselves after not calling home for an extended period of time. So at every point in time you have a reasonable idea of the current status of your systems - and the answers to the questions above. Restrictions do apply here, but this is where it&amp;#39;s going. I&amp;#39;d like to see a similar approach implemented for Windows and UNIX/Linux workstations.&lt;/p&gt;
&lt;p&gt;The alternative is to give up on the workstations and concentrate on server room/datacentre security. It should be easy to provide the metrics for a server-only environment. In this case, document control becomes a real issue. Perhaps thin client access will help? Maybe, but I&amp;#39;m not overly enthusiastic about taking away the sense of &lt;em&gt;my computer&lt;/em&gt; from the users. And &lt;a class="" href="http://histalk.blog-city.com/internal_email_criticizing_kaisers_healthconnect_lands_emplo.htm" target="_blank"&gt;thin client environments can be spectacular disasters&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;Good systems management has everything to do with security - they go hand in hand. It is also the responsibility of security administrators to make sure that systems are properly managed. Another responsibility is to model the situations where systems management will fail (due to intrusion, or negligence), and have a plan for the response. But if security management excludes some systems and users that have access to your information, however insignificant they are, that becomes the weakest link where the entire organisation&amp;#39;s information security fails.&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://msmvps.com/aggbug.aspx?PostID=888784" width="1" height="1"&gt;</description><category domain="http://msmvps.com/blogs/sp/archive/tags/Security/default.aspx">Security</category><category domain="http://msmvps.com/blogs/sp/archive/tags/Architecture/default.aspx">Architecture</category></item><item><title>Network QoS: a losing game</title><link>http://msmvps.com/blogs/sp/archive/2007/04/13/network-qos-a-losing-game.aspx</link><pubDate>Fri, 13 Apr 2007 08:57:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:793748</guid><dc:creator>Slav</dc:creator><slash:comments>4</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/sp/rsscomments.aspx?PostID=793748</wfw:commentRss><comments>http://msmvps.com/blogs/sp/archive/2007/04/13/network-qos-a-losing-game.aspx#comments</comments><description>&lt;P&gt;Achieving a reliable quality of service (QoS)&amp;nbsp;mechanism on networks is a long and unfulfilled dream of network engineers. As circuit-switched networks become a rarity, the concern of bandwidth starvation doesn't go away, and the QoS topic is as lively as ever.&lt;/P&gt;
&lt;P&gt;Looking at the history of the subject, we can make an interesting observation: all attempts at network QoS have been some kind of failure. It all started when IP, the Internet Protocol, was in its infancy and SNA (IBM's &lt;A class="" href="http://www-1.ibm.com/support/docview.wss?uid=pub1gc30307304" target=_blank&gt;Systems Network Architecture&lt;/A&gt;) looked like a respectable candidate for a business-oriented universal network protocol stack. SNA introduced the concept of class of service back in the nineteen-seventies. Search for TERMPRIORITY for details. For example, &lt;A class="" href="http://publib.boulder.ibm.com/infocenter/cicsts/v3r1/index.jsp?topic=/com.ibm.cics.ts31.doc/dfha4/resources/terminal/dfha4_attributes.htm" target=_blank&gt;this one&lt;/A&gt;:&lt;/P&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;&lt;EM&gt;Transaction processing priority is equal to the sum of the terminal priority, transaction priority, and operator priority, not exceeding 255.&lt;/EM&gt;&lt;/P&gt;&lt;/BLOCKQUOTE&gt;
&lt;P&gt;Amazing idea. It went nowhere.&lt;/P&gt;
&lt;P&gt;The Internet Protocol was born and raised without QoS. Every now and then people asked - why are my downloads so slow? Can we really talk online? And (this is really one of the FAQs) - how do I make sure that the boss doesn't notice that hundreds of other people are using the same channel to the Internet?&lt;/P&gt;
&lt;P&gt;Implementing QoS was one of the suggested answers. Early on, a&amp;nbsp;byte in the IP header was allocated for TOS, the Type of Service - but &lt;A class="" href="http://tools.ietf.org/html/rfc3168#section-22" target=_blank&gt;its definition has been changed several times&lt;/A&gt;. We had a protocol with the cool name RSVP. We have diffserv. Microsoft incorporates QoS features in Winsock - this actually helps&amp;nbsp;to solve the boss problem... But network guys aren't Windows guys, so identity awareness is out of the question, and application awareness is rather limited: protocols that use dynamic port ranges and those tunnelled through HTTP (and perhaps SSL) are both unsupported by router-based traffic shaping - the favourite QoS solution. Which is only manageable in point-to-point scenarios and quickly becomes a nightmare as an enterprise&amp;nbsp;network grows.&lt;/P&gt;
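&lt;P&gt;As an added example (not from the original post), the following decodes the Type of Service byte under each of the definitions it has been given: RFC 791 precedence plus delay/throughput/reliability flags, the RFC 1349 four-bit TOS field, and the RFC 2474 DSCP with the two low bits assigned to ECN by RFC 3168. The bytes fed to it are constructed samples; the code point names are the standard ones.&lt;/P&gt;

```python
# Decode the Type of Service byte of the IPv4 header under each definition
# it has been given. Code point names are the standard ones; the bytes used
# in the usage at the bottom are constructed samples.

PRECEDENCE = {0: "Routine", 1: "Priority", 2: "Immediate", 3: "Flash",
              4: "Flash Override", 5: "CRITIC/ECP", 6: "Internetwork Control",
              7: "Network Control"}
DSCP_NAMES = {0: "CS0/BE", 8: "CS1", 10: "AF11", 12: "AF12", 14: "AF13",
              16: "CS2", 18: "AF21", 20: "AF22", 22: "AF23", 24: "CS3",
              26: "AF31", 28: "AF32", 30: "AF33", 32: "CS4", 34: "AF41",
              36: "AF42", 38: "AF43", 40: "CS5", 46: "EF", 48: "CS6", 56: "CS7"}
ECN_NAMES = {0: "Not-ECT", 1: "ECT(1)", 2: "ECT(0)", 3: "CE"}


def bit(value, position):
    """One bit of a byte, numbered 7 (most significant) down to 0."""
    return (value >> position) % 2


def decode_rfc791(tos):
    """RFC 791 (1981): 3-bit precedence, D/T/R flags, two reserved bits."""
    precedence = tos >> 5
    return {"precedence": precedence, "precedence_name": PRECEDENCE[precedence],
            "low_delay": bool(bit(tos, 4)), "high_throughput": bool(bit(tos, 3)),
            "high_reliability": bool(bit(tos, 2)), "reserved": tos % 4}


def decode_rfc1349(tos):
    """RFC 1349 (1992): precedence kept; bits 4..1 become a 4-bit TOS field; bit 0 must be zero."""
    return {"precedence": tos >> 5, "tos_field": (tos >> 1) % 16, "mbz": bit(tos, 0)}


def decode_rfc2474_3168(tos):
    """RFC 2474 (1998) renames the byte the DS field: a 6-bit DSCP plus two bits
    'currently unused', which RFC 3168 (2001) assigns to ECN."""
    dscp, ecn = tos >> 2, tos % 4
    return {"dscp": dscp, "dscp_name": DSCP_NAMES.get(dscp, "unassigned"),
            "ecn": ecn, "ecn_name": ECN_NAMES[ecn]}


def decode_all(tos):
    """All three readings of one byte, so the views of mixed equipment can be compared."""
    if tos != tos % 256:
        raise ValueError("TOS is a single byte")
    return {"rfc791": decode_rfc791(tos), "rfc1349": decode_rfc1349(tos),
            "rfc2474": decode_rfc2474_3168(tos)}


def tos_from_dscp(dscp, ecn=0):
    """The byte a diffserv-aware sender writes; inverse of decode_rfc2474_3168()."""
    if dscp != dscp % 64 or ecn != ecn % 4:
        raise ValueError("DSCP is 6 bits, ECN is 2 bits")
    return dscp * 4 + ecn


if __name__ == "__main__":
    for label, byte in (("EF", tos_from_dscp(46)), ("AF31", tos_from_dscp(26)),
                        ("EF with CE", tos_from_dscp(46, 3)), ("zero", 0)):
        print(label, hex(byte), decode_all(byte))
```

&lt;P&gt;The same byte reads as EF to a diffserv router and as precedence 5 with the low-delay and high-throughput flags to one that still implements RFC 791, which is what mixed equipment does with it. And since the sender writes the byte, any host can ask for EF: marks are a request, not a right, and have to be re-marked or policed where traffic enters the part of the network you control, otherwise the boss problem simply reverses.&lt;/P&gt;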
&lt;P&gt;Meanwhile the growth in demand for bandwidth doesn't seem to slow, and a kilobyte per second gets cheaper every year. So the real solution to bandwidth shortage is increasing the capacity of the communication channels. Same as it always was. And those dreaming of network QoS &lt;A class="" title="IP over Avian Carriers with Quality of Service" href="http://tools.ietf.org/html/rfc2549" target=_blank&gt;may as well&amp;nbsp;use avian carriers for data transmission&lt;/A&gt;.&lt;/P&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://msmvps.com/aggbug.aspx?PostID=793748" width="1" height="1"&gt;</description><category domain="http://msmvps.com/blogs/sp/archive/tags/Architecture/default.aspx">Architecture</category></item></channel></rss>