Monday, November 24, 2008

Gated communities - a good idea for data

Humans started by locking their homes (username and password). When this wasn't enough, some put bars on their doors and windows, or used multiple locks (strong authentication and multi-factor authentication). As criminals evolved, alarm systems were developed (IDS). Now we see gated communities. We need more gated communities. Not for people--for data. I'm talking about networks where all the traffic flows are engineered and only what is expected is allowed to cross the network.

What does a gated community look like? For one, every router is configured with ACLs and a default deny posture. Only traffic that is expected will be allowed to pass. Let Windows workstations talk to domain controllers, but don't let them talk to other workstations. If a web server has to talk to a database server, let it, but don't let anything else talk to the database server. Every traffic flow should be engineered down to the host/port pair level. General web browsing can occur through a proxy. Which would you rather do: defend against malware on 5,000 desktops, or on a single proxy server?

Software vendors could provide a list of the traffic flows that need to be allowed. Once this catches on I can see software and hardware vendors coming up with an API of sorts where the software install process will generate a file that an administrator with the proper credentials can import into communication equipment to allow the necessary traffic flows.
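As an added illustration (not code from this post), here is a default-deny flow check in Python: a constructed vendor-style manifest of allowed flows, in the spirit of the import file described above, is parsed into rules, and sample connections are judged against it so that workstation-to-workstation, workstation-to-database and direct (non-proxy) web traffic all fall through to deny. The manifest format, group names and address ranges are all assumptions.

```python
import ipaddress
from collections import namedtuple

# Constructed manifest (hypothetical format): one allowed flow per line,
# "src_group dst_group proto port". Workstations may reach domain controllers
# and the proxy; only web servers may reach the database; nothing else passes.
MANIFEST = """
workstations  domain_controllers  tcp  88     # Kerberos
workstations  domain_controllers  tcp  389    # LDAP
workstations  domain_controllers  udp  53     # DNS
workstations  proxy               tcp  3128   # all web browsing via the proxy
web_servers   database            tcp  1433   # only the web tier reaches SQL
"""
# Constructed address groups (hypothetical RFC 1918 ranges).
GROUPS = {
    "workstations": ipaddress.ip_network("10.1.0.0/16"),
    "domain_controllers": ipaddress.ip_network("10.2.0.0/24"),
    "proxy": ipaddress.ip_network("10.3.0.10/32"),
    "web_servers": ipaddress.ip_network("10.4.0.0/24"),
    "database": ipaddress.ip_network("10.5.0.5/32"),
}
Rule = namedtuple("Rule", "src dst proto port")

def parse_manifest(text):
    """Turn the manifest into rules, rejecting groups the admin never defined."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#")[0].strip()
        if not line:
            continue
        src, dst, proto, port = line.split()
        if src not in GROUPS or dst not in GROUPS:
            raise ValueError(f"unknown group in rule: {line}")
        rules.append(Rule(src, dst, proto.lower(), int(port)))
    return rules

def groups_of(ip):
    addr = ipaddress.ip_address(ip)
    return {name for name, net in GROUPS.items() if addr in net}

def is_allowed(rules, src_ip, dst_ip, proto, port):
    """Default deny: a flow passes only if some rule names it explicitly."""
    src_g, dst_g = groups_of(src_ip), groups_of(dst_ip)
    return any(r.src in src_g and r.dst in dst_g
               and r.proto == proto.lower() and r.port == port for r in rules)

def audit(rules, flows):
    """Return the (src, dst, proto, port) flows that the policy would drop."""
    return [f for f in flows if not is_allowed(rules, *f)]
```

Run `audit(parse_manifest(MANIFEST), flows)` over exported flow records to list what a default-deny ACL set would have blocked before actually enforcing it.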

To be sure, there are a lot of nuts to crack to make this work and be accepted, but I believe that this is where we are going to have to go to address the current threat environment. Will it cure all problems? Not by a long shot, but I know I would sleep better if I knew that my desktops could only communicate with three servers, and only on specific ports.

I'd like to hear what you think. I am especially interested in hearing why you think this wouldn't work; those are the questions and comments that will drive us to find out how this can work.
