Defensible Digital Boundaries
Panel Discussion at AVAR'06: Digital Security - Prevention to Prosecution
12:10 - 13:00, 5 December, Sky City Convention Centre, Auckland

Moderator: Prof. Clark Thomborson, University of Auckland
Panelists: Bojan Zdrnja, Peter Gutmann, Darren Bilby, Andrew Lee, Gordon Grant

Every secure system has a boundary separating the system from its hostile environment. We defend a system at its boundaries, by preventing the "bad guys" from entering. We also defend a system from the inside, by sandboxing to limit the damage that can be done by an intruder, and by an active cycle of deter-detect-recover-punish. Modern information systems have many secure subsystems, and therefore many security boundaries and many defense mechanisms. Many of our systems and subsystems are expected to remain secure despite frequent changes in their software, networking connections, and personnel.

I have asked each of our panelists to focus their remarks on one type of security boundary. They should argue for its importance in future information systems, and they should discuss its prospects for defence. Some of our panelists may focus on platform-level security, where the boundaries are the I/O ports of a single computational device such as a laptop computer or cellphone. Some may focus on virtual systems, such as virtual machines and sandboxes, where the security boundaries are defined by the virtualising software and operating system on the host platform. Some panelists may choose to focus on a secure subsystem that provides a specialised service, such as email, fileservice, Kerberos authentication, or identity management. Some may focus on national security, where the security boundary is defined by the territorial authority of their government. Some may focus on regional security, and some may focus on international security.
My personal point of view is that we can successfully defend the perimeter of individual computational platforms, which in turn will defend the perimeters of our future, virtualised and highly distributed, information systems. Perimeters around multiple computers (a.k.a. firewalls), and perimeters around multiple people (a.k.a. brick-and-mortar walls), will be increasingly indefensible and irrelevant. A secure system might conceivably be designed from redundant arrays of perimeterized enclaves (RAPEs), but I believe it will be much more cost-effective to build out the vision of de-perimeterized security that is being developed by the Jericho Forum.

--

Virtual Systems
Bojan Zdrnja
University of Auckland

Because we are seeing more and more virtualization, a clear digital boundary is getting more difficult to define. In recent years subverting the operating system/kernel has become the main target of attackers. The game is typically won by the one that goes "lower", as it is impossible or very difficult to detect a subverted kernel from a security service running at a higher level. If a host operating system (or machine, as was recently demonstrated by Joanna Rutkowska's Blue Pill) is subverted, all digital boundaries imposed by the virtualized system may be ineffective.

--

Crunchy Exterior, Soft Chewy Interior: Fine for chocolate, but less useful for IT departments
Dr Peter Gutmann
Cryptoplumber, University of Auckland

Currently, much IT security thinking focuses on firewalls, creating a network with a hard crunchy exterior and soft centre. As a result, a single firewall flaw or misconfigured (or ill-advised) filter rule can expose the entire network to attack. Furthermore, firewalls do nothing to protect against insider attack - if you want to attack a business electronically, get a job delivering people's lunches and you're right inside the soft centre.
Security requires defence in depth, compartmentalisation, and knowing what's in the soft centre, not just a black box tacked onto the network to provide the crunchy exterior.

--

Surrendering the Kernel
Darren Bilby
Security-Assessment.com

Within most current consumer and corporate systems, the kernel is the primary security boundary between untrusted users and complete compromise. In current systems, the unavoidable fact is that any circumvention of kernel controls gives full, largely irrevocable system access. While significant effort has been made by operating system vendors to secure access to the kernel (a significant example being Vista), many core architecture issues circumvent these controls. Recent examples include rootkits and exploits that utilise operating-system-independent mechanisms such as PXE boot, BIOS manipulation, PCI EEPROM, AMD Virtualisation and the Firewire expansion bus. My position is that until a system's kernel and associated relevant hardware can be audited by an independent mechanism, the kernel boundary is indefensible.

--

Is defense too high a price to pay?
Andrew Lee
ESET LLC

We have multiple technologies available which, depending on the situation, are able, either singly or in combination, to reasonably defend a networked system of computers, and individual machines. However, this technology comes at a cost, particularly where multiple devices and layers are required. Clearly this is a factor in any business. Are we at a point where the entry level to business in terms of computer security is too high, or high enough that users would rather take the risk of losing their (and their customers') data than defend their networks? It has always been assumed that ignorance, rather than cost, has been the greatest factor in play, but increasing awareness of security has largely done away with this, so we must look for another reason.
Is the digital revolution going to result in economic disaster? Is it likely that (as with the biological body) 99% of the power in computers will be used simply to keep the system alive, that 99% of the cost of a transaction will be its security?

--

De-Perimeterization
Gordon Grant
Resilience Corporation

During the migration from EDI to e-trading, computer access methods have progressed from a lockdown process of qualified admittance to a liberal policy of free-form surfing. Methods conventionally used to secure network perimeters can be replaced by modern alternatives, usually closer to the asset being secured and arguably more efficient in providing security. The Jericho Forum foresees a deperimeterized future based upon secure protocols and encryption, and several Jericho Forum members forecast a deperimeterized environment as early as 2009. Business continuity is a major issue during the transition and in their subsequent maintenance.

Gordon Grant is Executive Vice President at Resilience and has been invited onto our panel to discuss the inevitability of deperimeterization and his involvement with The Jericho Forum over the past two years. His personal profile can be seen at www.resilience.com.

--