
Robert Gezelter Software Consultant
Safe Computing in the Age of Ubiquitous Connectivity
© 2003-2005, Robert Gezelter Software Consultant, All Rights Reserved

Slide 1 – Safe Computing in the Age of Ubiquitous Connectivity

IEEE Computer Society, New York Chapter
Wednesday, April 6, 2005

Robert Gezelter Software Consultant
35-20 167th Street, Suite 215
Flushing, New York 11358-1731
United States of America
+1 (718) 463 1079
[email protected]
http://www.rlgsc.com

Slide 2 – Canonical Firewall Architecture

(diagram labels: Firewall; Internal Network)

Slide 3 – Information Access Trend

• Online data is more accurate
• Stored/Staged data is obsolete
• Types of data
  – package tracking
  – technical data (private and public)
  – news and financial data
  – government filings
  – interwoven applications using XML

Slide 4 – Internet Access has become expected

• Wired Broadband
• Wi-Fi
• Cellular

Slide 5 – Internet Access has become expected (cont’d)

• Wi-Fi (wireless)
  – coffee shops (Starbucks/T-Mobile, …)
  – bookstores (Borders/T-Mobile, …)
  – copycenters (Kinko’s/T-Mobile, …)
  – airports
  – public spaces (NYC’s Bryant Park, …)
  – phone booths (Verizon)
  – conferences
  – 24x7x365 access, at will, wherever one is

Slide 6 – Internet Access has become expected (cont’d)

• Cellular Data
  – Broadband-class performance
  – Verizon (deploying EV-DO)
  – Sprint (1xEV-DV), +1–2 years
  – reported in USA Today, 25 March 2004, page 3B

Slide 7 – However, inside enterprises –

• Outside, access is (or is becoming) ubiquitous
• Inside, access is increasing in complexity
• Past model was “gatehouse”: hard outside; inside was/is fairly soft
• One size fits all, no texture or subtlety
• Levels of Trust (payroll, health, proprietary)
• Ease of breach/theft (e.g., script kiddies)
• Rogue Access Point deployments

Slide 8 – The Real Issue – TRUST

• The word TRUST means different things in different contexts
• The word TRUST means different things to different communities
• In human relationships, TRUST is often used in an absolute sense
• In legal contexts, TRUST is a far different concept
• Unsurprisingly, people can often agree on wording more easily than on the concept

Slide 9

All of engineering & structural design is about safety factors.
The art of ensuring safety in the face of error, uncertainty, and imperfection.

Slide 10

“In God we trust – All others we polygraph.” – Tom Clancy

Slide 11 – Technical TRUST – What does it mean?

• Liability exposure
• Need to know
• Things may not work as planned
• When building houses, carpenters:
  – toe-nail
  – cross-brace
  – hurricane straps

Slide 12 – The Modern Corporation

(org chart: CEO – Staff; CIO – Staff; CFO – Staff; CMO – Staff; CPO – Staff)

• Access is NOT related to rank
• Access is related to clade, project

Slide 13 – Data and Liability –

• R & D
• Deal making
• Client confidentiality/privacy
• For employee’s own protection

Slide 14 – Goal – Seamless Technical TRUST –

• If you don’t breach the barrier, it isn’t really there. Is it?
• Insufficient walls create catastrophic failures – the “Titanic/Comet Syndrome”

Slide 15 – The Age of Innocence

• Machines were rare
• Inherently restricted access
• Few players, all known to each other

Slide 16 – Original Internet – Total TRUST

• No safeguards
• No integrity checks
• No compartmentalization
• Total Net Crash – IMP caused (SEN, 1/1981)
• Trusting server processes (e.g., sendmail)

Slide 17 – The Age of Ubiquitous Computing/Connectivity

• Huge number of machines
• Easy access to essentially unrestricted bandwidth/connectivity
• Worldwide connectivity – essentially anonymous
• “On the Internet, nobody knows that you are a ‘dog’”

Slide 18 – Traditional Simplistic Firewall Architecture

(diagram labels: Firewall; Internal Network)

Slide 19 – Analyze the Threats

• Internal information control (“Need to know”)
• Curiosity (e.g., celebrity tax returns)
• Insider fraud
• “Loose lips sink ships”
• Criminal
• Visitor-borne contagion

Slide 20 – Internal Access Obligations/Restraints

• Internal Security – Pricing, Internal data
• National/Homeland Security
• Regulatory – SEC, FDIC, FRB
• Legal – HIPAA, other protected
• Less monolithic teams

Slide 21 – Traditional Simplistic Firewall Architecture with DMZ

(diagram labels: Outer Firewall; Inner Firewall; Host Computer A; Host Computer B; Host Computer C; WWW Server; FTP Server)

Slide 22 – “Inside” Community is more Diverse

• Employees
• Contractors
• Vendors
• Salesmen
• Customers
• Colleagues
• Regulators
• Interviewees

Slide 23 – Technology-based Security Concerns are similar for wired, Wi-Fi, and cellular

• Are wall sockets really secure?
• Passive attack – sniffing/eavesdropping
• Trojan Horse (software/hardware)
• The “Remote Control” syndrome

Slide 24 – Security/Access Concerns

• authentication
• privacy/anti-eavesdropping
• bandwidth allocation
• springboard elimination

Slide 25 – Acme Financial Corporation

(org chart: Merchant Bank; Mergers & Acquisitions; Personnel Department; Research & Development)

Slide 26 – Security Domains

• Security by architecture/structure
• Limit and control trust and delegation
• Monolithic domains cannot factor the problem space
• Sibling and child security domains
  – DMZs
  – Cul-de-sacs
  – pseudo-public access to dial-tone

Slide 27 – DMZs

• not just between Internet and intranet
• each organization contains many relative outsiders
• firewalls are internal security partitions
• VPNs even within the organization
• X.509 Certificates/HTTPS for intranets when sensitive business/personal information is present

Slide 28 – Nested and Sibling Security Domains

(diagram labels: Outer Firewall; Inner Firewall (Multiple LAN Adapters); Internal Network; WWW Server; FTP Server; Omega DMZ – Omega Server; Gamma DMZ – Gamma Server)

Slide 29 – VPNs Within the Corporation

(diagram labels: Corporate Firewall; Department A2 – Firewall; Department A1 – Firewall; User A; User B; User C; User D; Encrypted Tunnel)

Slide 30 – Cul-de-sacs provide Dial-Tone

(diagram labels: Corporate Firewall; VPN Access Server; Department Firewall; User A; User B; Wireless Access Point; Wireless Access Point)

Slide 31 – Cul-de-sacs

• WAPs are only digital dial-tone
• getting out of a cul-de-sac requires VPN
• extensive use of proxy servers
• assumption of compromised network media
• location of WAP relative to gateway
• WPA and WPA2 only address the “last meter” problem
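The sibling-domain design of slides 26 to 28 and the wireless cul-de-sac of slides 30 and 31 are both statements about what a rule set must never allow, so the check a practitioner wants is an audit of the rule set against those invariants rather than the rules alone. The following is an added example, not code from the original deck or from the speaker: a small zone-based policy model in which zones are CIDR prefixes resolved by longest-prefix match (which is what makes a cul-de-sac nested inside the internal range work), rules are evaluated first-match with an implicit deny, and `audit()` reports any way the rule set violates "WAPs reach only the VPN access server" or "sibling DMZs cannot talk to each other". The address plan, zone names, rule set, probe ports and the choice of UDP 500/4500 (IKE/NAT-T) as the VPN protocol are all constructed assumptions.

```python
"""Zone-based policy model for the security-domain designs in slides 26-31:
sibling DMZs that cannot reach each other, and a wireless "cul-de-sac" whose only
exit is the VPN access server.  Added example; the address plan, rule set and
ports are constructed assumptions and are not from the original deck."""
import ipaddress
from dataclasses import dataclass

# Constructed address plan (assumption).  Zones are CIDR prefixes; the wireless
# cul-de-sac and the VPN access server are carved out of the internal range, so
# zone lookup must use the most specific (longest) matching prefix.
ZONES = {
    "internet":    ipaddress.ip_network("0.0.0.0/0"),
    "dmz":         ipaddress.ip_network("192.0.2.0/24"),       # WWW / FTP servers
    "omega_dmz":   ipaddress.ip_network("198.51.100.0/25"),    # sibling DMZ
    "gamma_dmz":   ipaddress.ip_network("198.51.100.128/25"),  # sibling DMZ
    "internal":    ipaddress.ip_network("10.0.0.0/8"),
    "wireless":    ipaddress.ip_network("10.9.0.0/16"),        # WAP cul-de-sac (dial-tone only)
    "vpn_gateway": ipaddress.ip_network("10.9.255.1/32"),      # VPN access server
}

# The "monolithic" alternative for comparison: WAPs simply sit on the internal network.
FLAT_ZONES = {k: v for k, v in ZONES.items() if k not in ("wireless", "vpn_gateway")}

@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # zone name or "any"
    dst: str               # zone name or "any"
    proto: str             # "tcp", "udp" or "any"
    dports: frozenset      # destination ports; empty set means any port

# Ordered rule set, first match wins, implicit deny at the end (constructed).
RULES = [
    Rule("allow", "internet", "dmz", "tcp", frozenset({21, 80, 443})),
    # Cul-de-sac: the only way out is IKE/IPsec NAT-T to the VPN access server
    # (UDP 500/4500 is an assumption; any VPN protocol would serve).
    Rule("allow", "wireless", "vpn_gateway", "udp", frozenset({500, 4500})),
    Rule("deny",  "wireless", "any", "any", frozenset()),
    # Internal users reach each sibling DMZ over HTTPS; the DMZs never talk to each other.
    Rule("allow", "internal", "omega_dmz", "tcp", frozenset({443})),
    Rule("allow", "internal", "gamma_dmz", "tcp", frozenset({443})),
    Rule("allow", "internal", "internal",  "any", frozenset()),
    Rule("allow", "internal", "internet",  "tcp", frozenset({80, 443})),
]

def zone_of(ip, zones=ZONES):
    """Most specific zone containing ip (longest prefix match)."""
    addr = ipaddress.ip_address(ip)
    matches = [(net.prefixlen, name) for name, net in zones.items() if addr in net]
    return max(matches)[1]

def decide(src_ip, dst_ip, proto, dport, rules=RULES, zones=ZONES):
    """First-match evaluation of the rule set; default deny."""
    s, d = zone_of(src_ip, zones), zone_of(dst_ip, zones)
    for r in rules:
        if (r.src in ("any", s) and r.dst in ("any", d)
                and r.proto in ("any", proto) and (not r.dports or dport in r.dports)):
            return r.action
    return "deny"

PROBE_PORTS = [21, 22, 25, 53, 80, 443, 445, 500, 3389, 4500]   # constructed sample

def reachable(src_ip, dst_ip, rules=RULES, zones=ZONES):
    """Set of (proto, port) pairs the policy lets src_ip send to dst_ip, probed over
    the representative port list above (a sample, not an exhaustive sweep)."""
    return {(p, port) for p in ("tcp", "udp") for port in PROBE_PORTS
            if decide(src_ip, dst_ip, p, port, rules, zones) == "allow"}

def audit(rules=RULES, zones=ZONES):
    """Check the two segmentation invariants the slides call for and return the
    violations; a non-empty list means the rule set does not implement the design."""
    wap_client, vpn, payroll_host = "10.9.1.23", "10.9.255.1", "10.1.1.5"
    omega, gamma = "198.51.100.10", "198.51.100.130"
    problems = []
    # 1. Cul-de-sac: a WAP client may reach the VPN access server and nothing else.
    if not reachable(wap_client, vpn, rules, zones):
        problems.append("wireless cannot reach the VPN access server (no dial-tone)")
    if reachable(wap_client, payroll_host, rules, zones):
        problems.append("wireless reaches the internal network without a VPN")
    # 2. Sibling domains must be mutually isolated.
    if reachable(omega, gamma, rules, zones) or reachable(gamma, omega, rules, zones):
        problems.append("sibling DMZs can talk to each other")
    return problems

if __name__ == "__main__":
    print("segmented design:", audit() or "all invariants hold")
    print("flat design:     ", audit(zones=FLAT_ZONES))
```

Run stand-alone, the segmented design passes both invariants while the flat design, with the identical rule set, fails the cul-de-sac check: once the WAPs are in the same zone as payroll, the "internal to internal" rule carries them straight through, which is the concrete form of "monolithic domains cannot factor the problem space". The same evaluator can be pointed at a real rule export by replacing `RULES` and `ZONES` with parsed data.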

Slide 32 – Questions?

Robert Gezelter Software Consultant
35-20 167th Street, Suite 215
Flushing, New York 11358-1731
United States of America
+1 (718) 463 1079
[email protected]
http://www.rlgsc.com

Session Notes & Materials: http://www.rlgsc.com/ieee/MetroNewYork/2005-04/index.html