
The Seven Myths of Network Security

By John Loiacono

Original text: http://comment.cio.com/weighin/021405.html

Success, I once heard, lies in knowing the difference between what you should care about and what you can safely ignore.

The problem for network security managers, however, is that the difference isn't always so clear. Counterpane, a Silicon Valley company that monitors client networks for threats to enterprise data, investigated approximately 391,000 discrete "events" from all of their customer logs. Of these, only 20,000, or 5 percent, required a "next step" in the form of a phone call, e-mail or other mitigating activity.

That's a lot of costly false alarms. But any professional familiar with network security knows that therein lies one of the greatest challenges to protecting corporate data: winnowing through all of the "alarms" to identify the 5 percent (or fewer) that are genuine threats.

And this is a job that is getting harder with each passing year. Security liabilities are no longer restricted to the desktop. Cell phones, PDAs and other devices used to access corporate networks add to the complexity and vulnerability of corporate networks. Mismanagement, careless configuration and failure to keep up with the latest patches account for increasing hours of system downtime and lost productivity. In the case of the Slammer worm's penetration of safety monitoring systems at Ohio's Davis-Besse nuclear power plant in January 2004, the potential downside was far more serious: real danger to the public at large.

In the face of escalating network traffic, growing device heterogeneity and system misconfiguration, are we fighting a losing battle? Is it inevitable that true "network security" will get harder to attain?

I'm not sure it is. But I am sure that protecting corporate networks from malicious or unintentional destruction increasingly demands that we let go of some of the cherished myths that we cling to in the process of making enterprise data more secure. The following seven are high on my personal ready-to-retire list:

"Perimeter security is the most important line of defense."

It's all about the firewall, right? Wrong! While an important line of defense, the enterprise perimeter cannot be the only line of defense. Insufficient control of external connections, weak access controls, and poorly implemented firewalls, authentication procedures and intrusion detection technologies can all undermine IT efforts to "shield" at the perimeter. Perimeter defense is required, but not adequate alone.

"Our systems are well configured for secure access."

Intelligent people with fairly evolved IT security abilities can still make mistakes. Just ask that team at Davis-Besse, whose members had reasonable grounds to believe that the nuclear plant was protected by a firewall programmed to block the port that the Slammer worm ultimately used to spread. But all human systems are fallible. In that particular case, the worm squirmed from the unsecured network of a contractor through a T1 line into the Davis-Besse corporate network, bypassing the firewall entirely. I'm not faulting the team here, but I do fault blind faith in the power of "system configuration" to protect networks from harm.

"We know how things get in and out."

Networks are inherently dynamic and very hard to control. They are best thought of as teenagers who will never grow up, stabilize and check in from wherever they happen to be at midnight. When 802.11 exploded into the marketplace this past year we saw continuous news coverage of how easy it was to get connected to corporate networks from the parking lot. We even have the new term, war driving, coined by U.S. Internet guru Peter Shipley, to describe the wireless hackers' latest pastime of seeking ingress and egress in the new wireless access landscape.

"We can depend on the software."

Even the best software engineers will make mistakes that will cost their customers dearly. Do you remember how in 1999 NASA lost the Mars Climate Orbiter? The loss was attributed to incorrect programming of the Orbiter's maneuvering system, rooted in programmer confusion between metric and non-metric units. It's an imperfect world, and the name of the game here must be containment. New products (including Sun Microsystems' Solaris 10) allow system administrators to create software partitions that provide resource, security and fault isolation. These kinds of technologies will be needed to "contain" potential security breaches.

"Coring down to one or two key vendors will boost our security and save us money in the end."

This is a very dangerous assumption. Heterogeneity may mean more vendors to talk to, but it also means a safer system. Monoculture in computing, like monoculture in agriculture, is a risk to survival. That's why it's best not to rely on one vendor for all of your security needs. If there is even a single vulnerability in such a "monoculture" solution, your entire business could be offline for days until a patch is available.

"The rush to regulate will taper off."

Regulations that affect the way we enforce authentication, access control and audit transactions were not knee-jerk responses to debacles such as Enron and WorldCom, and are not going to "taper off" any time soon. The move toward stricter regulation had been afoot in the United States and Europe before these accounting scandals. Gramm-Leach-Bliley, Sarbanes-Oxley, HIPAA and, more recently, CA 1386, which compels reporting by commercial organizations if security has been breached, are all "the shape of things to come." Regulation will always trail behind innovations in business and transaction technology.

"We can keep out the bad guys because we know who the good guys are."

Identity and role-based access controls make it possible to offer significant levels of security and can shield sensitive information from the wrong people. But the smart implementation of these technologies should go hand in hand with the knowledge that good guys can turn bad. Consider the recent example of an Internet Wire employee who, shortly after leaving the company on good terms, used his knowledge of the company's operations to post a fraudulent news report. Posing as a PR person, he reported that storage networking company Emulex (whose stock he had traded and suffered heavy losses with) had lower-than-expected earnings, that its CEO was resigning and that the S.E.C. was gearing up for an investigation. A stronger identity management system with role-based access controls may have helped head off this embarrassment. Such policies should be applied evenly, regardless of who is deemed "good" and who is on the "bad" list.

Myths such as these seven represent the greatest threat to corporate network security because they approach the concept of "security" as a fixed goal that the right combination of technology and business process will arrive at eventually.

In actuality, true network security is something that will always be just over the horizon. We can be safer. We just can't ever afford to tell ourselves that we finally are "safe."

John Loiacono is executive vice president of software, Sun Microsystems.
