The new state of the network: how security issues are reshaping our world
Terry Gray
UW Computing & Communications
Quarterly Computing Support Meeting
28 October 2003

security in the post-Internet era: the needs of the many vs. the needs of the few
2003: security “annus horribilis”
• Slammer
• Blaster
• Sobig.F
• increasing spyware threat
• attackers discover encryption
• hints of more “advanced” attacks
• and let’s not even talk about spam…
2003: security-related trends
• more critical application roll-outs
• more mobile devices
• growing wireless use
• VoIP over 802.11 pilots
• faster networks
• new network designs (e.g. lambda)
• class action lawsuits
• RIAA subpoenas
• SEC filings on security?
impact
• end of an era… say farewell to
  • the open Internet
  • autonomous unmanaged PCs
  • full digital convergence?
• say hello to
  • one-size-fits-all (OSFA) solutions
• conflict... everyone wants security and
  • max availability, speed, autonomy, flexibility
  • min hassle, cost
• the needs of the many trump the needs of the few (but at what cost?)
consequences
• more closed nets (bug or feature?)
• more VPNs (bug or feature?)
• more tunneling: “firewall friendly” apps
• more encryption (thanks to RIAA)
• more collateral harm: attack + remedy
• worse MTTR (complexity, broken tools)
• constrained innovation (e.g. p2p VoIP)
• cost shifted from “guilty” to “innocent”
• pressure to fix problem at border
• pressure for private nets
consequences (2)
• mindset: “computer security” failed, so “network security” must be the answer
• pressure to make network topology match organization boundaries
• “network of networks” evolution
  • 1982: minimum impedance between nets
  • 2003: maximum impedance between nets
• loss of Network Utility Model
• “Heisen/stein” networking...
  • uncertain and relativistic connectivity
metamorphosis: Internet paradigm
• 1969: “one network”
• 1983: “network of networks”
• 199x: balkanization begins
• 2003: “heat death” begins
• 2004: paradigm lost?
how we lost it: inevitable trainwreck?
• fundamental contradiction
  • networking is about connectivity
  • security is about isolation
• vendors sell what users want, not need
• conflicting roles
  • the networking guy
  • the security guy
  • the sys admin
  • oh yeah… and the user
• insecurity = liability
  • liability trumps innovation
  • liability trumps operator concerns
  • liability trumps user concerns
observations
• system administrator view
  • some prefer local control/responsibility
  • some prefer central/big-perimeter defense
  • some underestimate cost impact on others
• user view
  • want “unlisted numbers”
  • want “enough openness” to run apps
• network operator view
  • frustration over loss of diagnosability
  • despair over loss of utility vision
  • dismay over increasing mgt cost, complexity
observations (2)
• feedback loop:
  • closed nets encourage constrained apps
  • constrained apps encourage closed nets
• tunneling, encryption trends undermine perimeter defense effectiveness
• isolation strategies are limited by how many devices you want on your desk
• roads not taken:
  • What if Windows XP had shipped with its integral firewall turned on?
  • What if UW had mandated and funded positive desktop control?
gray’s defense-in-depth conjecture
• given N layers of topological device defense…
  • MTTE (exploit) = k * N**2
  • MTTI (innovation) = k * N**2
  • MTTR (repair) = k * N**2
• NB: there is also “vertical” D-I-D for info/session protection, e.g. IPSEC + SSL… but those equations would look different.
never say die
• goal: simple core, local policy choice
• how to avoid OSFA closed-net future?
  • design net for local open or closed choice
  • pervasive IPSEC
  • asymmetric connectivity (“unlisted numbers”)
  • combine with tools for “rapid response”
• won’t reverse trend toward closed nets,
  • but may avoid undesirable cost shifts
• alternative: only closed nets, policy wars