
Look out — the IP-enabled machines are coming!


Roundtable. Infosecurity Today, January/February 2006, p. 34

McKENNA: We know from surveying our readers that they are very focused on the medium term. In other words, what the security threats are going to be over the next two or three years. They are not too concerned about theoretical risks, or vulnerabilities that may or may not prove troublesome. And they know all about fire-fighting the day-to-day problems. But they are worried about how the threat environment will change over the next two to three years. John Roese, could you kick off our discussion by specifying the nature and scale of the IP-enabled machinery problem as you see it? Why should our readers care about this?

ROESE: There has been a massive expansion of security and risk profiling over the last 30 years. We are essentially IP-enabling anything we can get our hands on. We are making bigger networks than ever before, without necessarily changing the number of human beings associated with that network. When you contrast this with the funding and staffing levels for IT within organizations, it is tempting to advise your children not to get involved in the IT business! For those of us already in it, this is what we have to live with.

McKENNA: Okay, but our readers are still mainly preoccupied immediately with malware, and with, say, the imminent threats attendant upon Voice over IP. Why should they pay as much attention as you would like them to pay to the IP-enablement of factory machinery, building management systems, or drinks machines?

ROESE: As an industry, we tend to focus on what has caused us pain most recently. It is only natural to be concentrating on fixing the current problem. The challenge lies in helping people to realize that there are trends that have potentially catastrophic implications if we do not respect them and lend them our close attention.

McKENNA: And what are those trends?

ROESE: A diversity in communication infrastructure is emerging. Let’s take the retail industry as an example. Which is more important, the cashier or the cash register? Well, I’d say that they are both important. Which carries the most risk? Again, I would say risk exists in both.

There is a lot of technology that historically has been successfully contained and controlled outside the realm of IT. But when we suddenly bring it into the security field, let’s call it the ‘IP world of risk’, then we have a dramatic change on our hands.

Just consider the kinds of devices that are becoming IP-enabled. I don’t believe there is a particular bounding condition. It’s not a class of device or particular type of entity. Simply put, any device that needs to communicate, or will benefit in some way from improved communication, will inevitably wind up on an IP or Ethernet network. There is no doubt about that. We’ve already seen it happen in every vertical market, in every geographic region, in every business segment and every technology environment. Moreover, it isn’t an IT decision to do this — it’s a business decision.

The logic of achieving efficiency through automation means the next step is to apply an internet technology to things that previously could not communicate. That trend means that we in the IT world must accept that this is an unstoppable force.

Security-naïve machines are about to swarm onto your precious networks. Brace yourself.


Brian McKenna


John Roese, CTO and CISO, Enterasys Networks


There is an almost insatiable desire to IP-enable anything that can benefit from improved communications. Anything in which we have a plurality of a system can benefit from this, anything that we have more than one of! Therefore it is primed to become part of the communicated world. It’s inevitable.

McKENNA: Can you talk a bit more about that inevitability?

ROESE: I’m sure everybody here is familiar with Moore’s Law. Well, there is another one called Metcalfe’s Law, which states that the value of a network is approximately equal to the square of the connected users. So a network with two connected users has a value of four, a network with three has a value of nine, and so on.

If this is true, and we believe it is—after all, it explains why we value the internet—then we must be looking forward not only to the appearance of more entities on our networks, but also to an exponential increase in the number of things that show up on them.

McKENNA: Why does that change anything we have done in the past to deal with security threats up to now?

ROESE: Well, almost every security model we have built to date has featured one component that will not be present in the next wave — the human being.

Now, we could argue that this is good or bad. In many cases the human being is the problem. However, the human being allows us to use certain techniques that will not be present in this next wave. This includes, of course, the ability to interact at a human level from a security perspective, but also things like two-factor authentication.

How else could you achieve this kind of authentication on a video camera, for example? You can’t easily ask it for the same kind of credentials. You can get them technically over an extended period of time, putting machine certificates and other things on the system, but this facility is not immediately available. So we have a different environment in terms of the basic procedures, even if they are as simple as authentication, which may need to be done differently if we decide they should be on the network. And it’s not just whether they should exist; we need to say what role they play and what services they provide.

McKENNA: What should IT security managers prepare to do as this shift into the machine-centric world takes place?

Participants

John Roese is the chief technical officer and chief information security officer of Enterasys Networks (www.enterasys.com). He is responsible for the strategic direction of the company’s technology. He oversees the development of the company’s technology architectures, including Quality of Service, security, management and transport services. He is also responsible for Enterasys Networks’ initiatives in the Internet2/NGI effort and for co-ordinating Enterasys’ intellectual property portfolio. Roese is also an active member of the IEEE, IETF and other industry-standards bodies. He is co-author of the IEEE 802.1X port-based network access control standard.

Nigel Hawthorn is vice president of Blue Coat Systems (www.bluecoat.com), a proxy appliance vendor. He has worked in IT networking and security for over 20 years in technical, product and marketing roles in both the UK and USA. He now drives all marketing activities at Blue Coat Systems outside North America.

Jon Collins was, at the time of this roundtable, research vice president at Quocirca (www.quocirca.com), covering infrastructure architecture and management. (He is currently on sabbatical, writing a book.) Rather than focus too closely on individual technologies or functions, his interest is in how they fit together to deliver an information technology and communications (ITC) platform that serves the business efficiently and effectively. He has spent the past 17 years as a programmer, IT manager, business analyst, security expert and IT consultant in the finance, telecommunications and public sectors. For the past six years, he has been an industry analyst for Bloor Research, IDC and Quocirca. His current main interest is the delivery of IT as a service, which he sees as using the best parts of utility and grid computing, application service provision and infrastructure outsourcing.

Matthew Clements has held a number of ICT management roles for nearly 10 years at the John Lewis Partnership (www.johnlewis.com). The John Lewis Partnership is one of the UK’s top 10 retail businesses with 27 John Lewis department stores and 173 Waitrose supermarkets. All 63,000 permanent staff are Partners in the business. The Partnership has enjoyed 75 years of profitable growth.

Diavosh Bassiti is a technical consultant with LuxTech (www.luxtech.com), a London-based reseller of IP telephony and support to 800 users in the private and public sectors.

John Collins, analyst

Brian McKenna, Infosecurity Today


ROESE: The first challenge in securing these systems, which are going to be there in large scale, is to adjust principles such as AAA to accommodate the capabilities of these systems. Many are a lot less sophisticated and dynamic than a human being who connects to the Net using a laptop or a desktop PC.

The second challenge arises from the fact that these devices originate from a time when security was achieved through obscurity. The historical general security principle for machine security was that they did not appear to communicate with anything. Nobody could reach them and nobody knew how they worked, so they were perceived to be secure! Industrial automation and retail systems are good examples of these environments.

However, they are no longer obscure. They are being placed on a communications infrastructure and they are starting to use standardized technology to accelerate their migration into an Ethernet and IP world. We are now putting IP stacks on these systems. But where are we getting these stacks from?

Well, we are certainly not getting them from an organic source or writing them from scratch to be highly secure. Organizations like Unisys and NCR, when they want to introduce a new set of cash registers, or Honeywell when it builds an industrial automation system, are buying these codes off the shelf.

McKENNA: Can you be more specific about the security status of these systems today?

ROESE: I have run vulnerability scanners against industrial automation systems, retail systems and video surveillance systems, and the results were truly horrifying. There were listening sockets, and there were open ports. They would fail even the most rudimentary checks that we run against PCs on our networks.

Nobody realized they were in such a poor state because they’d never had to deal with them from a security standpoint before. And not only are there lots of them, but they can’t interact and participate in security in the same way as the human being. They are inherently unprotected and highly vulnerable — in terms of operating systems and application environments, their state of the art is what those of us here would have considered current in 1990.

If we want to protect them, we must first realize that they may not be able to protect themselves. Then the question arises of how you can protect them and where the burden will lie. Here, things fall apart. You can’t use the same techniques on the machine that you applied to protect the person. The reason is that you don’t have the accessibility to load additional software, to configure, tune and harden it. You have to use what you’ve got because there is no keyboard or mouse that comes with that new video surveillance system, and you cannot update the software by adding components that did not come from the manufacturer.

McKENNA: How can you put a frame around this problem set?

ROESE: Where must the security boundary live? I’d say it starts at the other end of the cable. It’s difficult to have the device protect itself; you cannot put a firewall on it, or load antivirus software, and probably wouldn’t choose to do that anyway because it’s a real-time system.

Most importantly, it means you have to virtualize those functional concepts and apply them as close as possible to the point where those devices connect to the network. This flips the existing model of security on its head. Instead of simply protecting what is being sent into the network, and deciding what can enter, we now have to provide services that define what can exit the network and reach that device.

This means virtualization of the end system, so that the total system of a machine attached to a secure network can achieve many of the same capabilities as a PC.

McKENNA: Thanks, John. What do the rest of the panel think?

COLLINS: First of all, the industry has been discussing the security implications of IP-based networks for a long time now. I strongly disagree with any claim that IP-enabled technology represents a greater security threat per se; it’s just a different kind of threat. Adding an IP-enabled security camera to your network does not bring a greater threat of attack — it’s just another detail that you have to be mindful of, and which may require a different kind of response.

Having said that, it’s certainly true that securing IP-enabled technology presents a huge opportunity. Many technologies aren’t secure enough. Either we can plug them all in to the internet and make life even more confusing, or we can use this as a spur to action. I wouldn’t like to use the term ‘putting all your eggs in one basket’, but we still need to have a single way of doing things, where possible, instead of having a set of experts for each individual problem.

McKENNA: To what extent is the issue here, from a business management standpoint, to do with the interface between logical and physical security? Or, to put it in a related way, the IT issues and the people issues?

Diavosh Bassiti, LuxTech

Matthew Clements, from John Lewis

Nigel Hawthorn, VP, BlueCoat


BASSITI: We have spent years building our expertise on this matter. What we’ve found is that it is difficult to master the art of securing people. Managing a network is one thing, but people are completely unpredictable in their behaviour. If you require them to type in a PIN number, they won’t necessarily go with the programme. They take it upon themselves to go about various routines in a particular manner, and they do as they see fit, even if that conflicts with what the IT department would prefer. People will always be the weakest link when it comes to security. They are that difficult to control.

CLEMENTS: It’s true that things haven’t changed for years. In my experience the retail sector is as proficient at dealing with these threats as it ever has been. It seems that you will always reach a point, or ceiling, at which technology can no longer help you. Self-service checkouts are a good example. There will always be customers who will try to sneak an extra bottle of whisky through without scanning it.

HAWTHORN: There are two points I’d like to make here. The first is about awareness and the second is about acknowledging the limitations of these devices. Firstly, if an organization chooses to put a proxy appliance on the network, the IT team will often stumble on applications or devices that they had been blissfully unaware of. P2P and Instant Messaging are great examples.

An acceptable use policy may well have been in force for some time, but it’s typically the users who think they are more intelligent than the IT department or anybody else. They believe they can add a new device or application and it won’t make any difference to network security overall. I believe the value of the PDA and other wireless technologies as business tools is now very widely accepted, and organizations must recognize that people are going to connect these devices to the network whether IT likes it or not.

ROESE: I agree with that, and the scale of change is mind-boggling. I have just come from a customer meeting in Luxembourg, where I had lunch with CIOs from energy, banking and transportation companies, to name a few sectors. I asked them how big their networks are today, and how big they will be in five years, and in 10 years.

The CIO of the largest bank in Portugal told me that he is currently managing 20,000 ports, and he said with absolute certainty that in 10 years it will be at least double that. Naturally he doesn’t want it to happen, but he accepts that it will. And it’s certainly not from hiring additional staff — it’s all down to IP-enablement.

McKENNA: To what extent is the problem less the technology and its possibilities than the subjective factors — the knowledge, or lack of it, that IT management has of what is really on the network?

COLLINS: Hopefully the risks associated with the IP-based network will inspire people to get their own house in order. The issue of backups continues to arise over and over again. Nobody seems to bother to do them, so in a security breach, or something not even related to infosecurity, organizations stand to lose some or all of their data. The nature of this threat should be provoking much-needed reforms in working practices in other areas.

HAWTHORN: I’m seeing a change in the security mindset at the moment. We provide systems that are based on a blacklisting method. But customers are beginning to ask for a white list of sites. If you don’t have such a list, questions can be asked as to why websites are sending out executables.

And that’s before you get into the whole issue of whether a particular executable is good or bad. We should be asking ourselves, for example, why a website that claims to be a foreign exchange site is sending a .cad file or an .exe file.

The approach doesn’t have to rely on the user or authentication. These sorts of evaluation methods could be applied to enable the safe management of the IP-based network.

ROESE: People talk about Quality of Service, but there is also Quality of Security. We’re trying to control a spectrum of behaviours without having to deal with the minutiae of the individual functions within those behaviours.

I’ve had some healthy debates with members of the Jericho Forum, but I disagree with this notion that ‘the perimeter is dead, long live the end system’. It’s not about perimeterization, it’s about re-perimeterization. We have to rethink those protective boundaries. In the machine-centric world, we can’t really protect the devices we will be using in the future. •

John Roese: “we are IP-enabling anything we can get our hands on”