With the exponential growth of virtualization and its leverage at the enterprise, it is getting more and easier to create a replica of a solution set at any virtualization ready host farm.

Until recently, when talking about a solution replica that involves large data sets, sophisticated servers, and enterprise infrastructure; the default destination target for an “unapproved” copy of this solution set was restricted with enterprise networks vicinity.

Not anymore: Now that we have the full automation from cloud service providers and sophisticated cloud orchestration software/service providers – it is not very difficult to replicate an enterprise environment at the service provider facilities.. And let’s go with the jargon and call this private cloud. And maybe even today, your enterprise networks vicinity already extends into some sort of private cloud hosted at an undisclosed location.

So who will be monitoring the “Rogue” copies of the private clouds?

How will you ensure that your private cloud has not been exported/imported into an undisclosed location for some further development tests?

If you believe that this is a low probability risk, the you should try to export a system to one of the cloud infrastructure service providers, you will see that the process is quite straight forward.

As a security practitioner, you all know that there are some controls to monitor the rogues. The easy ones are:

1-      Establish strong administrative control and change management monitoring on all virtualized systems,

2-      Make sure that all snapshots, backups, copies are encrypted and the keys are not portable (use DRM solutions or encrypt with key managers like RSA RKM and maybe some DLP),

3-      Monitor network anomalies for large dataset movements, and control I/O to tapes/DVD drives and all attached storage types.

And then the new technology will soon allow us to:

1-      Utilize Intel TXT type of hardware checks to marry VMs with your platforms .Since hardware and the OS are decoupled with today’s virtualization (which is an advantage)  maybe it is time to go back and revisit the hardware authentication options  like Intel/McAfee’s deepsafe,

2-      Ask developers to write location aware applications,

3-      Embed LoJack/Anti-theft into virtualized machines.

Proactive vigilance will help prior to having the actual problem and it is also reasonable to modify the security policies with the statements like:

“Thou shalt not run corporate applications on unapproved platforms”

Cheers,

-    yinal ozkan

p.s. This platform does not allow "easy" comments, you may reach me at mail@yinal.net , or twitter

I get too many marketing hits on how next generation firewalls should be..

Every vendor claims to be the next one,  I have even read a book named “Next-Generation Firewalls For Dummies”.. These are all positive attempts to fix the well known limitations with enterprise firewalls of today.

The notes you will read below are not about a particular vendor, but they may help you to evaluate your next firewall RFI.  I guess the idea is to describe next generation firewalls for large scale shops with the ultimate needs of a sophisticated firewall... In my view, it does not make sense to call any firewall next generation if that firewall is available today…. – At best, it should be called current generation firewall (CG-FW  : )…

Having finished 2 major next generation firewall evaluations projects in the last 2 years here is how I think (this is a rather long list so reach me at mail@yinal.net for any questions):

Firewall Policies: 

Firewalls should filter more than 5 tuples (protocol, source IP, destination IP, source port/local process, destination port/remote process)

Classic Rulebase

So the idea is simple, in the Next Generation firewall we should be able to like firewall rules like the following:

Source: User Identity+Location+Device Type+Device Status+Authentication Type – That means source IP does not cut it anymore, my NGFW should process my source based on my authorized roles (AD, LDAP, RADIUS or federated IDs). NGFW should understand if I am within the perimeter, or just coming out of VPN connection, or I am simple at Starbucks (Map user auth levels to location)

At the end user yinal.ozkan could have gained authorization at many different platforms and locations.

My NGFW should understand if I am using an iPad or a blackberry, or a corporate laptop, at Starbucks or at the headquarters inner wireless connection.

The source field should also tell if I got authenticated just with a single factor or I am on a way secure connection with biometric authentication…Integrating federated IDs (e.g. OPEN ID , facebook) will be a big security challenge.

Firewall should also tell if I am using a secure device and my access device matches the corporate security profile (e.g. no P2P / split tunnels active etc  --end point posture checks) .

Destination: Destination field should be able to support FQDNs since nobody is using a single IP address anymore, and the FQDNs should be dynamically checked bidirectionally – for example voice.google.com may have 100 IP addresses around a the globe, and my firewall should block all those addresses with or without name resolution when I write voice.google.com at the destination .

Service: it is no more port monkeying for the service, modern firewall recognize the applicatios, the service field should support applications, and applications within applications such as Facebook News Feed, LinkedIn Messages, Skype File transfers.. This requires a very good application detection engine where lead vendors are working hard to deliver good protocol analysis engines.

Action: Action is no more accept, deny, drop new action filed should be able to serialize actions such as authenticate, posture check, DLP, IDP, DPI, rights check, encrypt/decrypt, filter, cache etc.

Logging: Logging is not about sending logs to proprietary log repository. Encrypted shipment of reports to a tamper proof location is needed. This is no simple task,. Also logs should include NetFlow data, not just the regular access logs, several security triggers from IDP, DLP, Filtering, Anomaly Detection, Content Inspection Engines should be correlated. Support for multiple log feeds are essential.

Firewall Objects: There are usually 2 types of objects: Service Objects and Network Objects.. They usually support applications, subnet type of groupings. What you should be checking is to be able to define administrative privileges per objects (who can see/use/modify these objects) . Proper rights management for objects help you to get proper RBAC and segmentation. Another common problem with the objects is the support for Nested groups, Nested groups with exceptions, and FQDN based  objects

NAT: NAT should support changing of every single field in IP packet not just the source and destination, it should be simple to write a NAT rule where you modify Source, Destination, Port and the IP options of original and returm packets..

Firewall Features

Firewalls as the gateways are becoming melting points for several network based technologies so it is fait to ask different security features. Ther trick is not about asking 10 solutions running in 1 hardware – it is about having integrated security.. As an examples if IPS / FW and WAF can share intelligence that is agood solution, if IPS/FW/WAF/NAC/SIEM/DLP and Content Engines share features it is even better. Correlation and the visibility of threat intelligence is the key point.

The security features I would like to see on a firewall are:

·         Policy features above

·         Intrusion Detection / Prevention

·         Protocol Analysis Engine

·         NetFlow Analysis Engine

·         Network and Endpoint Baselining and Anomaly detection

·         Content inspection (AV/Malware/Spyware) with Decryption engine

·         VOIP gateway and support for different multimedia protocols

·         URL Filtering

·         DRM Checking

·         DLP

·         XML Gateway Security

·         Web Application Firewall (Ability check response traffic)

·         NAC integration

·         And regular firewall features such as stateful engines, custom app proxies (multicast, MSRPC,  SIP, H.323 etc) , VPN engines, Authentication Integration etc

Platform Features

It is not always about security, the platform should answer the need for speed, reliability, scalability and flexibility so here is the wishlist

The Platform Features that I want to see on firewalls are:

Ability to scale from so-ho to data center level (from 10Mpbs to 1Tbps) with a similar firewall base – with various hardware offerings

Support for low latency (anyone below 20 µs. for trading floors?)

Rock Solid routing stack. Support for dynamic routing protocols such as OSPF, RIP, BGP, PIM Dense Mode (PIM DM), PIM Sparse Mode (PIM SM), and even PIM Sparse-Dense Mode (PIM S-DM : ) And support is not about traversing, it should also work with stateful route failovers

Support for VRFs

Support for Layer2 inline operation  (there a lot of catches since all vendors somehow support L2:Which features are lost in L2 mode? –this is what you should be checking the delta between L3 and L2 modes)

Support for different link aggregation implementations (check with your R/S vendor like lacp (802.3ad), vPC,  MLT/ Link redundancy on interface level is also nice.

Support for QoS – Every inline device must understand QoS

Ability work in virtual environments (Anyone works in VMware or XEN or Hyper-V) Any support for VMSafe? IS it different than regular firewall?

Ability to support clusters with more than 2 members (linear scalability)

Non-blocking planes on chassis based solutions, so that total tput claims are met.

Ability to be integrated into the routing and switching systems (this one is high in the wish list)

Management Features:

Central management is the key but it is not enough, firewall central management should share single object database and syntax with joint solutions such as IDP, Content Inspection, NAC etc

·         1 to 1 Feature match on GUI and the command line so that multiple management methods do not exists

·         Ability to manage gateways from central console, local GUI and command line

·         Management Server HA with more than 2 servers. Support for cluster members in multiple datacenters with different L3 settings, ability to communicate over NATted links and other firewalls.

·         Single Central Management Console for Firewall and the underlying OS (Check Point hear me)

·         Visualization of managed networks

·         Ability to manage ACLs on Routers and Switches

·         Device provisioning support / support for templates

·         Solid change management and roll back features ( do any firewall vendor check Tufin, Algosec, Firemon etc?)

·         Access analyzer , rulebase change simulator (Yes like RedSeal and Skybox)

·         RBAC on rules, gateways, objects and zones. If the firewall system is integrated (e.g. there a router/switch or URL filter on it) security functionality must support role based security specific access)

·         Import and export rules objects from different firewall management systems

·         Ability to script /schedule changes

·         Automated licensing  with asset management / contract-support agreement tracking: this feature is a very important one in enterprise shops. When you have over 20 firewalls in 20 countries, managing support contract and licenses become a full time job, your management system should handle this.

·         Ability to get management access to gateways behind NATted routers (good feature for so-ho type of firewalls)

·         Flexible object and rulebase search features (If Google can do why not your firewall vendors do it)

·         Transparent integration with in the cloud security offerings

·         Ability receive security intelligence feeds from security vulnerability research house and turn them into rules …(e.g. Secunia, iDefense, Deepsight)

·         Ability to run in a VM (this is big lately)

Again, this is quick dirty wishlist for experienced firewall architects without prioritization, let me know if you need clarification or further expansion in different areas.

cheers,

- yinal

Many of the veteran security practitioners reading this blog will share my frustration with the security expectations set for Network Address Translation (NAT).

For some reason, many of the IT Community members believe that NAT is securing their networks. I am not sure where this schism originated, but I think that it is now security practitioners’ task to get the word out: “NAT is not security”

NAT was originally a good idea to address a very basic problem, IP address space depletion… That was it, create more IP addresses, that was the intention.

Later there were more repercussions of creating “private IP spaces”  a.k.a RFC 1918 – the new problem was overlapping private addresses.  Many network administrators believed that NAT was the fix for overlapping IP addresses without thinking that they would never have overlapping IP addresses if they could use proper public IP address blocks at the first place. Within this mania I have seen large institutions shelving their B Class address spaces to “secure” their networks.. That is simply wrong. Did you ever read RFC 1918?

The security risk that I was told was “How can you allow regular systems to communicate with Internet?” . The answer is very simple, if your systems cannot communicate to Internet because of NAT, then you have more serious security issues.  Communication between trusted and untrusted networks must be controlled by Access Control, not an obscure configuration like NAT.. (Firewalls, Anyone?)  If you forget to control access to public networks and you feel good because NAT will secure your networks then you may also say , “Oh by the way I do not route those networks so I am secure” Again, that is not security.

I can count a lot of reasons why No NAT is good NAT, but I may quickly underline that IPv6 is sans NAT; NAT belongs to previous century. Without complex NAT rules, we can generate easier firewall rules, we can have a sharper view on network flows and secure systems better. Firewalls are not for IP packet monkeying, they are built for securing the networks/applications and eventually securing your data.

cheers,

- yinal

p.s.

i - “No NAT is good NAT” is one of the 3 Maxwell Firewall Rules (I had the opportunity work with Doug Maxwell years ago) Here are the Maxwell Rules in Firewall troubleshooting:

1- It is always routing

2- No NAT is good NAT

3- S.. don’t work

ii- I found this article after I have written the blog post above: http://www.enterpriseefficiency.com/author.asp?section_id=1129&doc_id=207283  It turns out it is not just me..

iii-RFC 1918 - http://tools.ietf.org/html/rfc1918

Many of the security logging discussions center about the following topics:

1-      Log Collection

2-      Log Transport

3-      Log Storage

4-      Log Taxonomy

5-      Log Analysis / Correlation

6-      Log Protection / Security

These are all good topics but a very important topic is rarely discussed, and it is usually the most important one:

What are the security logs?

It is easy to work with security devices (Firewall, IDP, DLP, AV etc), their logs/alerts are classified as security logs, but what about regular applications or infrastructure components that are not build as a “security device” or security in mind? Do we need to process all logs from these devices? Which logs are more important?  Which logs go to “security” queue?

Let’s go with example, if you are the security architect, what would you recommend to a system owner who came up with a new application that writes the logs to a flat file or a database? Even if the logs are shipped to a syslog collector or an OS log queue; does it change the question?

The question is same “Which” logs? What do you want?

Here is a quick check list of activities to ask for the logs:

1-      Logs for all access (User, Admin, Service, Application etc)

2-      Logs for all changes (changes in monitored files, configurations, hardware,software – MACD logs)

3-      Logs for critical transactions in the applications

4-      Logs from user repository (e.g if AD, LDAP, RADIUS is used) access, change and transaction logs from user repository

5-      Logs for anomalies (changes in baseline activity, failed attempts, unexpected connections etc)

Since a security architect cannot know all applications, this is a good start to communicate with 3^rd party developers and application/system owners for security log generation.

For a structured approach here are a few good reads to start with:

NIST 800-92, Guide to Computer Security Log Management

http://csrc.nist.gov/publications/nistpubs/800-92/SP800-92.pdf

Common Event Expression White Paper (also has a history on other initiatives)

http://cee.mitre.org/docs/Common_Event_Expression_White_Paper_June_2008.pdf

Watch Your Logs! Quick intro

http://www.issa.org/Library/Journals/2007/July/Malatesti%20-%20Watch%20Your%20Logs.pdf

Microsoft's The Security Monitoring and Attack Detection Planning Guide http://www.dabcc.com/documentlibrary/file/MicrosoftreleasesanewSecurity,MonitoringandAttackDetectionWhitepaper.pdf

You know the story; if your systems/applications store transmit or process credit card data, you must meet PCI data security standards.

Since Q4 2010 all PCI shops are aware that their Cardholder Data Environments need a risk ranking procedure.

But, What is it and how does it change current practices?

PCI DSS Requirement 6.2 says "Establish a process to identify and assign a risk ranking to newly discovered security vulnerabilities"

And a new recommendation may certainly effect how you manage risk…

This recommendation (which will be a requirement by June 30, 2012) can be classified as Risk Management 101, and yet it may change several cornerstones of your processes.

Here is what 6.2.a is asking for:

1- Check your processes for identifying new security vulnerabilities (make sure you have one)

2- Assign risk ranking to identified vulnerabilities

6.2.b Continues with the  recommendation that you use and outside source for this risk ranking process.

This translates into a solid scoring system for risk. Enterprise options to collect data for a scoring system are:

1- Vendor Security Alerts

2- Vulnerability Management Advisories (Usually security scanner, and IDS/IPS shops)

3- Vulnerability Intelligence Advisories (e.g. Secunia, iDefense, Deepsight)

4- Internal risk scoring systems (yes we all love academic endeavors - that is why PCI SSC asks for "outside" source : )

Either way (using one of the options, using some/all of them) PCI recommendation 6.2 will push risk management practices in the right direction and make risk prioritization a priority...Eventually PCI shops will (6/30/2012) integrate risk management with vulnerability scanning devices, security alerts, advisories and patch management solutions to audit and validate PCI 6.2 with risk rankings.

Here are a few good links:

Common Vulnerability Scoring System (CVSS-SIG) - http://www.first.org/cvss/

Common Vulnerabilities and Exposures -CVE - http://cve.mitre.org/

National Vulnerability Database - NVD - http://nvd.nist.gov/

Secunia - http://secunia.com/advisories/

Verisign iDefense - http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/index.xhtml

TippingPoint Zero Day Initiative ZDI - http://www.zerodayinitiative.com/advisories/upcoming/

Symanted DeepSight Alert Services - https://tms.symantec.com/

Cisco Security IntelliShield Alert Manager Service - http://www.cisco.com/en/US/products/ps6834/serv_group_home.html

IBM ISS XForce - http://www-935.ibm.com/services/us/iss/xforce/

VUPEN - http://www.vupen.com/english/research.php

McAfee Threat Intelligence Services (MTIS) - http://www.mcafee.com/us/mcafee-labs/technology/threat-intelligence-services.aspx

Bugtraq -http://seclists.org/bugtraq/

Full Disclosure - http://seclists.org/fulldisclosure/

Great results are not achieved by mediocre teams… Building the right Information Security team does matter, and usually it becomes a full time task for the owners of Information Security initiatives at today’s enterprise.

Information Security domain might be hot, and we may have a positive influx of talent to the sector, however finding the right people with right skills sets at the right time and the right cost is close to impossible.

This post has no intention of questioning/changing years of HR practices – the goal is to give feedback from the enterprise Information Security field and to create useful short order cook content that can quickly be consumed within the next 15 minutes for the upcoming interview you are conducting…

Here are my experiences with finding/hiring talent in Information Security:

1-      Do not reinvent basics. As Buffet/Gates duo has stated the great talent should have the 3 basic skills:

• Technical Skills (This is standard – I will dig into this item more down below)
• Conceptual Thinking (Seeing the big picture)
• Communication Skills (This is not talking too much as perceived by many engineers. Effective communication is a very valuable skill in all team deliverables

It is usually simple to find any one of these skills in an individual, but when you find 3 of them together never miss the opportunity, these people will carry the workload of many!

2-      Have the right pyramid mix of talent in your team: Complex projects require good leaders who can set the target, coach others, lead by example and more important than all great leaders can take the team from A to B. Then you need good managers, who can plan, organize and delegate. It is usually a good practice to have managers who cut their teeth in project management and financial management offices. Last, but not least, the engineers (or consultants). Based on the size of the project, you must determine whether to go with specialists or generalists. This is a big decision point. The more specialists you have, the more integration glue (architects, project managers, program managers ) you need.

3-      Since generic HR topics are not my intention here, I will skip managerial skills and focus on finding the right technical resources. Project based deliverables do not require that much real-time information. Therefore, it does not make sense to filter candidates based on closed book random interview questions. My recommendation is to measure their knowledge so you may level them based on knowledge. This is management basics -  data to wisdom:

• Ask them questions starting with who?, when?, where?, what?? If you can get good answers that means your candidate has “information”. Your candidate is probably familiar with the topic.
• Ask them questions starting with “how?”. If you can get good answers that means your candidate has knowledge. This is a clear signal of experience.
• Ask them questions starting with “why?” If you can get good answers to “why” questions that means your candidate has the wisdom and the conceptual thinking skills that you are looking for.

4-      Specialists: Being a specialist does not create a rain check to omit basics of information security. I have met several consultants who were very familiar with compliance but did not understand the technical tools, or I have seen great application security people with zero understanding of network basics. The trend is to have good understanding of all domains where you excel in 1 or 2 of the domains as a specialist. Interviewing specialists should have 2 different class of questions to gauge:

• How much do they do they own their domain of specialization?
• How much do they understand about how other domains work?

5-      Generalists: I believe there are 2 types of generalists you can trust in Information Security:

• New Grads with no experience
• Project Managers, Auditors, and Managers (usually go well with the certificates like CISSP, CISM etc)
• If you are interviewing a candidate with over 3 years of Information Security experience with no particular specialty that is a big red flag.

6-      Send consultants the questions that you will ask in advance. This will eliminate the “it is not at the top of my head /it has been a while” excuse. Since you send the technical interview questions in advance you can ask any particular sub question. This asynchronous Q&A style is more close to real life. This way you can also ask really tough questions as well.

7-      Ask for a sanitized copy of deliverables from the past assignments. Good samples are good indicators of pitched skills. Obtaining samples are problematic especially in Information Security due to security and Intellectual Property concerns but checking is better than not checking.

8-      Classify Information Security resource types (this is subjective) Classification will help you to identify your candidates specialty, customize your questions and assess them more evenly. In today’s IS world, I see the following backgrounds We can dig into each area in separate articles. Here is the bird’s eye view for the 15m intro:

• Network Security Specialists: This is the most abundant resource.  Most of the resources have strong networking background and they do have operational and engineering know-how about common tools like firewalls, IDP, content security, OS hardening.  Ask for the enterprise know how instead of small shops, that is completely different skill-set. It usually makes sense to get “Security Operations” resources from this background since their operational background fits well with the SOC (Security Operation Centers)
• Vulnerability Testers:  This is another domain where you can find a lot of resources. (not necessarily the best ones) From network testing, to penetration testing, this area requires a lot of technical skills. Ask for methodologies, frameworks, references and sample deliverables in addition to basic checks. Network Vulnerabilities, Application Vulnerabilities, operational Vulnerabilities, and the Physical Vulnerabilities are different so make sure that you have the right skill sets.
• Single Domain Specialists: If your project is big enough you can acquire a domain specialist (e.g. SIEM) or a technology (e.g. RSA envision) specialist. Be sure to question other skills as discussed above. DLP, DRM, Virtualization Security,  Social Media, and Mobile Security-type of next generation projects usually require specialists so it makes sense to start with a consultant specialists to acquire the skills sets.
• Application Security Specialists: Securing SAP, Siebel, Oracle is a life time goal. It does require life time experience. Again the same rules with hiring specialists.
• Desktop Security: Understanding desktop security is different than all other security areas where the end users are non-IT users. Lately desktop security domain is crisscrossing a lot of other domains like NAC, 802.1x, VDI so be very careful to filter.
• Code Security: This is a hot domain, possible candidates interact with application security, vulnerability testing. It is not possible to understand code security in every development framework so an eclipse environment  expert cannot be very useful in the .NET environment
• Security Architects: Even if you see a lot of titles with Security Architect, the real ones are tough to come by, look for understanding of EA frameworks like TOGAF, Zachman etc. Also look for special frameworks like ISO 27001, CoBIT, and NIST. Generic frameworks like ITIL, 6 Sigma, and other compliance frameworks are important. In addition, look for perfect understanding of operations and the technology.
• Compliance Specialists: Audit background helps. Top 4 experience helps. Compliance has 2 important parts, meeting compliance and an accreditation. Make sure that you acquire the right internal resources to meet your compliance goals.  Instead of going with multiple security compliance specialists, it will make more sense to build an information security management program that can answer the common 80% requirements of all frameworks.

9-      Classify candidate backgrounds based on the verticals; it makes sense to find Information Security resources with vertical specialization. I find it amusing to mark “government” background as we start discussing topics with “cyber” word… So far I have seen the following backgrounds in the field. Based on your project’s requirements, different backgrounds provide different outcome.. You can find Information Security professionals with the following backgrounds

•   Enterprise
  • Financials
  • Healthcare
  • Manufacturing
  • Utility
  • High Tech
  • Media
  • Other
• Government
  • Federal
  • State
• Military
• SMB
• Consultancy
• Higher-Ed
• Service Provider
• New Grad
• Vendor
• Reseller
• Out of Sector

Wrap Up: Look for talent with specific skill-sets – To help you better identify the right skill sets, customize your questions based on experience background, vertical background and universal skills such as conceptual thinking.