Tuesday, June 24, 2008

Network Security Is Not Dead

There have been a few comments out on the blogosphere about NETSEC being dead. NETSEC is not dead, its not going to be dead for a LONG time if ever. If something is dead, I can unplug it, remove it from the rack, and never think about it again.

To me NETSEC is (short list) router ACLs, firewall rules, VLANs, IPSEC, & domain policy. I know thats not everything, but it should be enough to illustrate my point. We could also argue domain policy but I think that its a valuable and necessary piece of security in any MS network.

Now I agree that NETSEC as a primary defense and entry point is dead (there probably won't be another DCOM), I agree that client side attacks completely bypass firewall rules (initially--the exploitation piece anyway, the shell is another matter), I agree that the endpoint is now the new border, and I agree that Application Hacking (webapp, user, browser, etc) is where security IS/is heading.

What I don't agree with is that I don't need my firewall rules and router ACLs anymore. Some examples...

-without NETSEC do we still have DMZs?
-with no DMZs and no way to control who can talk to who on your network with either FW rules or router ACLs, what is going to stop the attacker once they exploit that web app and either get a shell or credentials to log in with?
-How do I stop the attacker once he has that shell with client side privileges? Do I just let them have free reign?
-How do I stop that outbound connection that alot of times can be caught with the right type of proxies (bluecoat and similar "appliances"). Is my layer7 FW going to catch that?

All of these people that say that network hacking is dead obviously don't have to do anything else in their pentests other than exploiting web applications. Unless you got really friggin lucky and that web application housed the data you were looking for, you are back to the old school network game of moving around the network, setting up shop on hosts in the LAN, doing privilege escalation and with no rules or devices in place what is going to stop the attacker from exfiltrating that data out without being seen? Where are your logs if you do catch them with no NETSEC devices?

thoughts? I'm wrong alot, so if I'm wrong do let me know.


dre said...

I still do network security, but I try not to tell anyone about it. Keep it on the down-low, ok?

I really like how you brought the network security down to only the basics:

1) Domain segmentation. Hell yes. Having a separate AD forest for servers and workstations is very important (the only servers in the workstation forest should be the ones that service the workstations, not the ones that service other "services" that are needed by the domain). Using separate AD forests for totally separate networks that fall under the auspices of SOX or PCI is also very smart -- if only to reduce the scope of these network alone

2) Router ACLs. Yes, these are great wins, especially if they are reflexive and work like stateful firewall rules (then what do you need a firewall for?). I have worked in many environments where router ACLs were used instead of firewalls and loved it

3) IPSec. I'm iffy on this subject. IPSec, SSL VPN, and others all have different kinds of problems. I guess IPSec can be useful, but I'd rather use OpenVPN for my personal use, and even in small corporate environments. I guess confidentiality and authentication are important issues to address -- and IPSec and/or SSL VPN does meet them. But it's very smart to make sure you're using the right products with the right configurations. It can be very tricky to get one or the other right

4) VLANs. Wireless VLANs, pVLAN's, VACL's -- oh man, I love LAN security... especially Cisco DAI and all of the various little configuration knobs. This stuff is totally for geeks, but it would be so much better with PKI and proper SSL/TLS. Let me blow both #3 and #4 out of the water by saying that I would prefer that everything be wrapped in SSL/TLS and then we don't need this stuff. Of course, SSL/TLS can have issues, but I think it's easier and doesn't require an uber-geekgod-expert in VPN or LAN security to implement correctly

5) Firewalls, IPS, IDS, UTM, et al. This is where I start to say, "oh come on now, do you really need to spend $2M on this junk?". It's so 1999. Come on -- Palo Alto Networks, puh-lease. "Let's show the world how much firewalls suck -- buy our firewall!". I lost track of firewall technology before Netscreen came on the scene. This stuff was incredibly useful between 1996 and 2001, and then it stopped being as useful as anyone thought it was. SYN attacks, Smurf, TCP/UDP amplification attacks, Teardrop, Ping-of-death, etc -- all of these attacks were software problems just like web application software weaknesses today. However, all of the old DoS/DDoS attacks worked against weaknesses in network stacks (which is software, by the way), so it made sense to block them at the network layer. Around 1998, SQL injection came on the scene and started to change things, and by 2001 XSS popped around to make phishing scams twice-as-nice for adversaries. Once these techniques caught on, brute-force authentication and zero-day server-side exploits with IDS evasion became boring in comparison. Oh, by the way, never bring up WAF's around me if you can help it. The rants will be tens-times-as-long

Also, Bluecoat seems to be a waste of money in many scenarios, although I do like the idea of proxies being used for these purposes even if I know plenty of ways around them (SSH through SSL with SOCKS? UDP/TCP hole punching, pivot bouncing, etc). Maybe a better choice would be Squid.

Oh dood, and while IDS does have its uses even today (although maybe not quite as cool as it once was), I totally dig being able to drop some tcpdump or Ethereal action with either taps or mirror ports (i.e. {ER|R}SPAN). It's still kind of 2003 stuff though...

CG said...

"It's still kind of 2003 stuff though..."

isnt retro always in style?

don't worry I didnt include WAF for a reason, I know you TS/SCI boys got that stuff on lockdown.

Morgan Storey said...

I love how people come out with this junk, firewalls are Dead, we should all have IDS...
NAT is dead, we are all going ipv6... Security in layers, one of those layers at the moment and for the foreseeable future is netsec (I can't see this changing unless there is a radical change in the way the internet works), DMZ's, Firewalls, IDS, IPS, Nat rules (even these are a form of security), VPN's and other tunnels.
Me I take everything I read with a pound of salt, but I agree with what you have said so far Andre.