Look out - the IP-enabled machines are coming!

Security-naive machines are about to swarm onto your precious networks. Brace yourself.

Participants in this Round Table Discussion featured in Infosecurity Today magazine: John Roese is the chief technical officer and chief information security officer Enterasys Networks (www.enterasys.com). He is responsible for the strategic direction of the company’s technology. He oversees the development of the company’s technology architectures, including Quality of Service, security, management and transport services. He is also responsible for Enterasys Networks’ initiatives in the Internet2/NGI effort and for co-ordinating Enterasys’ intellectual property portfolio. Roese is also an active member of the IEEE, IETF and other industry-standards bodies. He is co-author of the IEEE 802.1X port-based network access control standard.

Nigel Hawthorn is vice president of Blue Coat Systems (www.bluecoat.com), a proxy appliance vendor. He has worked in IT networking and security for over 20 years in technical, product and marketing roles in both the UK and USA. He now drives all marketing activities at Blue Coat Systems outside North America.

Jon Collins was, at the time of this roundtable, research vice president at Quocirca (www.quocirca.com), covering infrastructure architecture and management. (He is currently on sabbatical, writing a book). Rather than focus too closely on individual technologies or functions, his interest is on how they fit together to deliver an information technology and communications (ITC) platform that serves the business efficiently and effectively. He has spent the past 17 years as a programmer, IT manager, business analyst, security expert and IT consultant in the finance, telecommunications and public sectors. For the past six years, he has been an industry analyst for Bloor Research, IDC and Quocirca. His current main interest is the delivery of IT as a service, which he sees as using the best parts of utility and grid computing, application service provision and infrastructure outsourcing.

Matthew Clements has held a number of ICT management roles for nearly 10 years at the John Lewis Partnership (www.johnlewis.com). The John Lewis Partnership is one of the UK’s top 10 retail businesses with 27 John Lewis department stores and 173 Waitrose supermarkets. All 63,000 permanent staff are Partners in the business. The Partnership has enjoyed 75 years of profitable growth.

Diavosh Bassiti is a technical consultant with LuxTech (www.luxtech.com), a London-based reseller of IP telephony and support to 800 users in the private and public sectors.

Brian McKenna is the editor of Infosecurity Today (www.infosecurity-magazine.com)

McKENNA: We know from surveying our readers that they are very focused on the medium term. In other words, what the security threats are going to be over the next two or three years. They are not too concerned about theoretical risks, or vulnerabilities that may or may not prove troublesome. And they know all about firefighting the day-to-day problems. But they are worried about how the threat environment will change over the next two to three years. John Roese, could you kick off our discussion by specifying the nature and scale of the IP-enabled machinery problem as you see it? Why should our readers care about this?

ROESE: There has been a massive expansion of security and risk profiling over the last 30 years. We are essentially IP-enabling anything we can get our hands on. We are making bigger networks than ever before, without necessarily changing the number of human beings associated with that network. When you contrast this with the funding and staffing levels for IT within organizations, it is tempting to advise your children not to get involved in the IT business! For those of us already in it, this is what we have to live with.

McKENNA: Okay, but our readers are still mainly preoccupied immediately with malware, and with, say, the imminent threats attendant upon Voice over IP. Why should they pay as much attention as you would like them to pay to the IP-enablement of factory machinery, building management systems, or drinks machines?

ROESE: As an industry, we tend to focus on what has caused us pain most recently. It is only natural to be concentrating on fixing the current problem. The challenge lies in helping people to realize that there are trends that have potentially catastrophic implications if we do not respect them and lend them our close attention.

McKENNA: And what are those trends?

ROESE: A diversity in communication infrastructure is emerging. Let’s take the retail industry as an example. Which is more important, the cashier or the cash register? Well, I’d say that they are both important. Which carries the most risk? Again, I would say risk exists in both. There is a lot of technology that historically has been successfully contained and controlled outside the realm of IT. But when we suddenly bring it into the security field, let’s call it the "IP world of risk", then we have a dramatic change on our hands.

Just consider the kinds of devices that are becoming IP-enabled. I don’t believe there is a particular bounding condition. It’s not a class of device or particular type of entity. Simply put, any device that needs to communicate, or will benefit in some way from improved communication, will inevitably wind up on an IP or Ethernet network. There is no doubt about that. We’ve already seen it happen in every vertical market, in every geographic region, in every business segment and every technology environment.

Moreover, it isn’t an IT decision to do this — it’s a business decision. The logic of achieving efficiency through automation means the next step is to apply an internet technology to things that previously could not communicate. That trend means that we in the IT world must accept that this is an unstoppable force.

There is an almost insatiable desire to IP-enable anything that can benefit from improved communications. Anything in which we have a plurality of a system can benefit from this, anything that we have more than one of! Therefore it is primed to become part of the communicated world. It is inevitable.

McKENNA: Can you talk a bit more about that inevitability?

ROESE: I’m sure everybody here is familiar with Moore’s Law. Well, there is another one called Metcalfe’s Law, which states that the value of a network is approximately equal to the square of the connected users. So a network with two connected users has a value of four, a network with three has a value of nine, and so on. If this is true, and we believe it is — after all, it explains why we value the internet — then we must be looking forward not only to the appearance of more entities on our networks, but also to an exponential increase in the number of things that show up on them.

McKENNA: Why does that change anything we have done in the past to deal with security threats up to now?

ROESE: Well, almost every security model we have built to date has featured one component that will not be present in the next wave — the human being. Now, we could argue that this is good or bad. In many cases the human being is the problem. However, the human being allows us to use certain techniques that will not be present in this next wave. This includes, of course, the ability to interact at a human level from a security perspective, but also things like two-factor authentication. How else could you achieve this kind of authentication on a video camera, for example? You can’t easily ask it for the same kind of credentials. You can get them technically over an extended period of time, putting machine certificates and other things on the system, but this facility is not immediately available. So we have a different environment in terms of the basic procedures, even if they are as simple as authentication, which may need to be done differently if we decide they should be on the network. And it’s not just whether they should exist; we need to say what role they play and what services they provide.

McKENNA: What should IT security managers prepare to do as this shift into the machine-centric world takes place?

ROESE: The first challenge in securing these systems, which are going to be there in large scale, is to adjust principles such as AAA to accommodate the capabilities of these systems. Many are a lot less sophisticated and dynamic than a human being who connects to the Net using a laptop or a desktop PC. The second challenge arises from the fact that these devices originate from a time when security was achieved through obscurity. The historical general security principle for machine security was that they did not appear to communicate with anything. Nobody could reach them and nobody knew how they worked, so they were perceived to be secure! Industrial automation and retail systems are good examples of these environments. However, they are no longer obscure. They are being placed on a communications infrastructure and they are starting to use standardized technology to accelerate their migration into an Ethernet and IP world. We are now putting IP stacks on these systems. But where are we getting these stacks from? Well, we are certainly not getting them from an organic source or writing them from scratch to be highly secure. Organizations like Unisys and NCR, when they want to introduce a new set of cash registers, or Honeywell when it builds an industrial automation system, are buying these codes off the shelf.

McKENNA: Can you be more specific about the security status of these systems today?

ROESE: I have run vulnerability scanners against industrial automation systems, retail systems and video surveillance systems, and the results were truly horrifying. There were listening sockets, and there were open ports. They would fail even the most rudimentary checks that we run against PCs on our networks. Nobody realized they were in such a poor state because they’d never had to deal with them from a security standpoint before. And not only are there lots of them, but they can’t interact and participate in security in the same way as a human being. They are inherently unprotected and highly vulnerable — in terms of operating systems and application environments, their state of the art is what those of us here would have considered current in 1990. If we want to protect them, we must first realize that they may not be able to protect themselves. Then the question arises of how you can protect them and where the burden will lie. Here, things fall apart. You can’t use the same techniques on the machine that you applied to protect the person. The reason is that you don’t have the accessibility to load additional software, to configure, tune and harden it. You have to use what you’ve got because there is no keyboard or mouse that comes with that new video surveillance system, and you cannot update the software by adding components that did not come from the manufacturer.

McKENNA: How can you put a frame around this problem set?

ROESE: Where must the security boundary live? I’d say it starts at the other end of the cable. It’s difficult to have the device protect itself; you cannot put a firewall on it, or load antivirus software, and probably wouldn’t choose to do that anyway because it’s a real-time system. Most importantly, it means you have to virtualize those functional concepts and apply them as close as possible to the point where those devices connect to the network. This flips the existing model of security on its head. Instead of simply protecting what is being sent into the network, and deciding what can enter, we now have to provide services that define what can exit the network and reach that device. This means virtualization of the end system, so that the total system of a machine attached to a secure network can achieve many of the same capabilities as a PC.

McKENNA: Thanks, John. What do the rest of the panel think?

COLLINS: First of all, the industry has been discussing the security implications of IP-based networks for a long time now. I strongly disagree with any claim that IP-enabled technology represents a greater security threat per se; it’s just a different kind of threat. Adding an IP-enabled security camera to your network does not bring a greater threat of attack — it’s just another detail that you have to be mindful of, and which may require a different kind of response. Having said that, it’s certainly true that securing IP-enabled technology presents a huge opportunity. Many technologies aren’t secure enough. Either we can plug them all in to the internet and make life even more confusing, or we can use this as a spur to action. I wouldn’t like to use the term ‘putting all your eggs in one basket’, but we still need to have a single way of doing things, where possible, instead of having a set of experts for each individual problem.

McKENNA: To what extent is the issue here, from a business management standpoint, to do with the interface between logical and physical security? Or, to put it in a related way, the IT issues and the people issues?

BASSITI: We have spent years building our expertise on this matter. What we’ve found is that it is difficult to master the art of securing people. Managing a network is one thing, but people are completely unpredictable in their behaviour. If you require them to type in a PIN number, they won’t necessarily go with the programme. They take it upon themselves to go about various routines in a particular manner, and they do as they see fit, even if that conflicts with what the IT department would prefer.

People will always be the weakest link when it comes to security. They are that difficult to control.

CLEMENTS: It’s true that things haven’t changed for years. In my experience the retail sector is as proficient at dealing with these threats as it ever has been. It seems that you will always reach a point, or ceiling, at which technology can no longer help you. Self-service checkouts are a good example. There will always be customers who will try to sneak an extra bottle of whisky through without scanning it.

HAWTHORN: There are two points I’d like to make here. The first is about awareness and the second is about acknowledging the limitations of these devices. Firstly, if an organization chooses to put a proxy appliance on the network, the IT team will often stumble on applications or devices that they had been blissfully unaware of. P2P and Instant Messaging are great examples. An acceptable use policy may well have been in force for some time, but it’s typically the users who think they are more intelligent than the IT department or anybody else. They believe they can add a new device or application and it won’t make any difference to network security overall. I believe the value of the PDA and other wireless technologies as business tools is now very widely accepted, and organizations must recognize that people are going to connect these devices to the network whether IT likes it or not.

ROESE: I agree with that, and the scale of change is mind-boggling. I have just come from a customer meeting in Luxembourg, where I had lunch with CIOs from energy, banking and transportation companies, to name a few sectors. I asked them how big their networks are today, and how big they will be in five years, and in 10 years. The CIO of the largest bank in Portugal told me that he is currently managing 20,000 ports, and he said with absolute certainty that in 10 years it will be at least double that. Naturally he doesn’t want it to happen, but he accepts that it will. And it’s certainly not from hiring additional staff — it’s all down to IP-enablement.

McKENNA: To what extent is the problem less the technology and its possibilities than the subjective factors — the knowledge, or lack of it, that IT management has of what is really on the network?

COLLINS: Hopefully the risks associated with the IP-based network will inspire people to get their own house in order. The issue of backups continues to arise over and over again. Nobody seems to bother to do them, so in a security breach, or something not even related to infosecurity, organizations stand to lose some or all of their data. The nature of this threat should be provoking much-needed reforms in working practices in other areas.

HAWTHORN: I’m seeing a change in the security mindset at the moment. We provide systems that are based on a blacklisting method. But customers are beginning to ask for a white list of sites. If you don’t have such a list, questions can be asked as to why websites are sending out executables. And that’s before you get into the whole issue of whether a particular executable is good or bad. We should be asking ourselves, for example, why a website that claims to be a foreign exchange site is sending a .cad file or an .exe file. The approach doesn’t have to rely on the user or authentication. These sorts of evaluation methods could be applied to enable the safe management of the IP based network.

ROESE: People talk about Quality of Service, but there is also Quality of Security. We’re trying to control a spectrum of behaviours without having to deal with the minutiae of the individual functions within those behaviours. I’ve had some healthy debates with members of the Jericho Forum, but I disagree with this notion that ‘the perimeter is dead, long live the end system’. It’s not about perimeterization, it’s about re-perimeterization. We have to rethink those protective boundaries. In the machine-centric world, we can’t really protect the devices we will be using in the future.

This article has been provided exclusively to Bankinfosecurity.com by Infosecurity Today Magazine. To sign up to receive Infosecurity Today free of charge, visit www.subscription.co.uk/cc/ist_d.