Robert Gezelter Software Consultant
Safe Computing in the Age of Ubiquitous Connectivity
© 2003-2005, Robert Gezelter Software Consultant, All Rights Reserved

Slide 1: Safe Computing in the Age of Ubiquitous Connectivity
IEEE Computer Society, New York Chapter
Wednesday, April 6, 2005

Robert Gezelter Software Consultant
35-20 167th Street, Suite 215
Flushing, New York 11358-1731
United States of America
+1 (718) 463 [email protected]
http://www.rlgsc.com
Slide 2: Canonical Firewall Architecture
[Diagram labels: Firewall, Internal Network]
Slide 3: Information Access Trend
– Online data is more accurate
– Stored/Staged data is obsolete
– Types of data
  – package tracking
  – technical data (private and public)
  – news and financial data
  – government filings
  – interwoven applications using XML
Slide 4: Internet Access has become expected
– Wired Broadband
– Wi-Fi
– Cellular
Slide 5: Internet Access has become expected (cont’d)
– Wi-Fi (wireless)
  – coffee shops (Starbucks/T-Mobile, …)
  – bookstores (Borders/T-Mobile, …)
  – copy centers (Kinko’s/T-Mobile, …)
  – airports
  – public spaces (NYC’s Bryant Park, …)
  – phone booths (Verizon)
  – conferences
  – 24x7x365 access, at will, wherever one is
Slide 6: Internet Access has become expected (cont’d)
– Cellular Data
  – Broadband-class performance
  – Verizon (deploying EV-DO)
  – Sprint (1xEV-DV)
– +1–2 years
  – reported in USA Today, 25 March 2004, page 3B
Slide 7: However, inside enterprises –
– Outside, access is (or is becoming) ubiquitous
– Inside, access is increasing in complexity
– Past model was “gatehouse”: hard outside; inside was/is fairly soft
– One size fits all, no texture or subtlety
– Levels of Trust (payroll, health, proprietary)
– Ease of breach/theft (e.g., script kiddies)
– Rogue Access Point deployments
Slide 8: The Real Issue – TRUST
– The word TRUST means different things in different contexts
– The word TRUST means different things to different communities
– In human relationships, TRUST is often used in an absolute sense
– In legal contexts, TRUST is a far different concept
– Unsurprisingly, people can often agree on wording more easily than on the concept
Slide 9
All of engineering & structural design is about safety factors.
The art of ensuring safety in the face of error, uncertainty, and imperfection.
Slide 10
In God we trust – All others we polygraph. – Tom Clancy
Slide 11: Technical TRUST – What does it mean?
– Liability exposure
– Need to know
– Things may not work as planned
– When building houses, carpenters:
  – toe-nail
  – cross-brace
  – hurricane straps
Slide 12: The Modern Corporation
[Org chart: CEO, CIO, CFO, CMO, CPO, …, each with their own Staff]
– Access is NOT related to rank
– Access is related to clade, project
Slide 13: Data and Liability –
– R & D
– Deal making
– Client confidentiality/privacy
– For employee’s own protection
Slide 14: Goal – Seamless Technical TRUST –
– If you don’t breach the barrier, it isn’t really there. Is it?
– Insufficient walls create catastrophic failures – the “Titanic/Comet Syndrome”
Slide 15: The Age of Innocence
– Machines were rare
– Inherently restricted access
– Few players, all known to each other
Slide 16: Original Internet – Total TRUST
– No safeguards
– No integrity checks
– No compartmentalization
– Total Net Crash – IMP caused (SEN, 1/1981)
– Trusting server processes (e.g., sendmail)
Slide 17: The Age of Ubiquitous Computing/Connectivity
– Huge number of machines
– Easy access to essentially unrestricted bandwidth/connectivity
– Worldwide connectivity – essentially anonymous
– “On the Internet, nobody knows that you are a ‘dog’”
Slide 18: Traditional Simplistic Firewall Architecture
[Diagram labels: Firewall, Internal Network]
Slide 19: Analyze the Threats
– Internal information control (“Need to know”)
– Curiosity (e.g., celebrity tax returns)
– Insider fraud
– “Loose lips sink ships”
– Criminal
– Visitor-borne contagion
Slide 20: Internal Access Obligations/Restraints
– Internal Security – Pricing, Internal data
– National/Homeland Security
– Regulatory – SEC, FDIC, FRB
– Legal – HIPAA, other protected
– Less monolithic teams
Slide 21: Traditional Simplistic Firewall Architecture with DMZ
[Diagram labels: Outer Firewall, Inner Firewall, Host Computer A, Host Computer B, Host Computer C, WWW Server, FTP Server]
Slide 22: “Inside” Community is more Diverse
– Employees
– Contractors
– Vendors
– Salesmen
– Customers
– Colleagues
– Regulators
– Interviewees
Slide 23: Technology-based Security Concerns are similar for wired, Wi-Fi, and cellular
– Are wall sockets really secure?
– Passive attack – sniffing/eavesdropping
– Trojan Horse (software/hardware)
– The “Remote Control” syndrome
Slide 24: Security/Access Concerns
– authentication
– privacy/anti-eavesdropping
– bandwidth allocation
– springboard elimination
Slide 25: Acme Financial Corporation
[Diagram: divisions of Acme Financial Corporation: Merchant Bank; Mergers & Acquisitions; Personnel Department; Research & Development]
Slide 26: Security Domains
– Security by architecture/structure
– Limit and control trust and delegation
– Monolithic domains cannot factor the problem space
– Sibling and child security domains
– DMZs
– Cul-de-sacs
– pseudo-public access to dial-tone
Slide 27: DMZs
– not just between Internet and intranet
– each organization contains many relative outsiders
– firewalls are internal security partitions
– VPNs even within the organization
– X.509 Certificates/HTTPS for intranets when sensitive business/personal information is present
Slide 28: Nested and Sibling Security Domains
[Diagram labels: Outer Firewall, Inner Firewall (Multiple LAN Adapters), Internal Network, WWW Server, FTP Server, Omega DMZ, Gamma DMZ, Omega Server, Gamma Server]
Slide 29: VPNs Within the Corporation
[Diagram labels: Corporate Firewall, Department A1 Firewall, Department A2 Firewall, User A, User B, User C, User D, Encrypted Tunnel]
Slide 30: Cul-de-sacs provide Dial-Tone
[Diagram labels: Corporate Firewall, VPN Access Server, Department Firewall, User A, User B, Wireless Access Point, Wireless Access Point]
Slide 31: Cul-de-sacs
– WAPs are only digital dial-tone
– getting out of a cul-de-sac requires VPN
– extensive use of proxy servers
– assumption of compromised network media
– location of WAP relative to gateway
– WPA and WPA2 only address the “last meter” problem
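Added illustration of the cul-de-sac policy on this slide (not part of the talk or its session materials): a small Python model of the department firewall's decision for traffic arriving from the wireless segment. All addresses, ports and the IKE/ESP choice of VPN setup traffic are assumptions; the policy grants dial-tone (DHCP) plus the VPN access server and drops everything else, because the medium behind the WAP is assumed compromised.

```python
from ipaddress import ip_address, ip_network

# Constructed topology after the "Cul-de-sacs provide Dial-Tone" slide; every
# address, port and host here is an assumption made for this example.
WAP_SEGMENT = ip_network("10.250.0.0/24")     # subnet behind the Wireless Access Points
VPN_ACCESS_SERVER = ip_address("10.1.0.10")   # the only host reachable without a tunnel
DHCP_SERVER_PORT = 67                         # the "dial-tone": obtain an address, nothing more
VPN_SETUP = {("udp", 500), ("udp", 4500), ("esp", None)}   # IKE, IKE NAT-T, ESP itself


def department_firewall(src, dst, proto, dport=None):
    """Verdict ('accept' or 'drop') for one flow arriving from the cul-de-sac.

    WPA/WPA2 cover only the last meter, so the firewall trusts nothing from the
    WAP side: the segment gets DHCP and the VPN access server, and nothing else.
    """
    src, dst = ip_address(src), ip_address(dst)
    if src not in WAP_SEGMENT:
        return "drop"        # anti-spoof: an "inside" source address seen on the WAP side
    if proto == "udp" and dport == DHCP_SERVER_PORT:
        return "accept"      # dial-tone
    if dst == VPN_ACCESS_SERVER and (proto, dport) in VPN_SETUP:
        return "accept"      # the single way out of the cul-de-sac
    return "drop"            # direct internal, Internet or wireless-to-wireless traffic


def evaluate(flows):
    """Apply the policy to (label, src, dst, proto, dport) tuples -> {label: verdict}."""
    return {label: department_firewall(s, d, p, port) for label, s, d, p, port in flows}


# Constructed sample flows exercising what the slide says the policy must do.
# "wifi_to_wifi" reaches the firewall only if the WAP hands client-to-client
# traffic to the gateway instead of bridging it locally.
SAMPLE_FLOWS = [
    ("dhcp_lease",        "10.250.0.23", "255.255.255.255", "udp", 67),
    ("ike_to_vpn",        "10.250.0.23", "10.1.0.10",       "udp", 500),
    ("natt_to_vpn",       "10.250.0.23", "10.1.0.10",       "udp", 4500),
    ("esp_to_vpn",        "10.250.0.23", "10.1.0.10",       "esp", None),
    ("direct_fileserver", "10.250.0.23", "10.2.0.5",        "tcp", 445),
    ("direct_internet",   "10.250.0.23", "198.51.100.7",    "tcp", 443),
    ("wifi_to_wifi",      "10.250.0.23", "10.250.0.99",     "tcp", 22),
    ("spoofed_insider",   "10.2.0.5",    "10.1.0.10",       "udp", 500),
]

if __name__ == "__main__":
    for label, verdict in evaluate(SAMPLE_FLOWS).items():
        print(f"{label:18} {verdict}")
```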
Slide 32: Questions?
Robert Gezelter Software Consultant
35-20 167th Street, Suite 215
Flushing, New York 11358-1731
United States of America
+1 (718) 463 [email protected]
http://www.rlgsc.com
Session Notes & Materials: http://www.rlgsc.com/ieee/MetroNewYork/2005-04/index.html