Tuesday, 31 July 2012

Ultimate Firewall

Marcus has a point as always. In the past the image from his blog was of the Ultimate Firewall. Now, it is the ultimate IPS.

Figure 1: The ultimately insecure firewall. It always fails.

That stated, I still have an issue with this.

The mentality is wrong.

Security comes as a juggling of three aspects:

  • Availability
  • Integrity
  • Confidentiality

The thing is, the CIA triad is generally best listed as the AIC triad for business. Even in the military, integrity of intelligence data means more than confidentiality (although we talk more of the C).

Marcus states on his page (tongue in cheek to some extent):

The firewall above is the only 100% guaranteed secure solution.

(* May have a performance impact on traffic if prevention is enabled)

Now, it is true this does have a performance impact.

Mostly, it negates the need to have anything in the first place. It reminds me of the NT 4.0 IIS server with a C2 accreditation. It is secure as long as it is not connected to a network. What use is a web server not on a network? Well, it was secure.

Security is never an absolute. You can chase your tail forever, but you can NEVER make a perfectly secure system. Yes, you do get closer and closer to perfection, but each increment costs more and more.

It is sort of like trying to travel at light speed. In this case, the faster you are, the more you increase in mass and the greater the energy that is required for the next zero point closer. Well, it is the same with security.

The economics of security mean that we cannot ever be absolutely secure.

The formulas to calculate risk are extremely complex and I will not go into them in this post, but the simple part is that for a given economic quantity, you get a set amount of security (in a given confidence interval).

This is better described as resilience and survivability. Both terms have been used in systems engineering for a long time and are sadly neglected in security.

What this means is that we have a trade-off.


Figure 2: The economics of security. It is always a trade-off.

To make a system more available, we either sacrifice confidentiality or integrity. This is what I mean by a trade-off.

The other alternative is that we increase costs. This makes the project less attractive. It lowers the IRR (internal rate of return), and maybe the project will not make the IRR for the firm and so never occurs.

Here is the thing…

Business is all about risk. Nothing is perfect. It is about a trade-off.

There is no absolute state of security. The only thing we can do is to balance the economics of risk in a manner that makes the gains exceed the costs in the long run.

In thinking that removing a system from a threat makes it secure, we do everyone a disservice.

Only by knowing we are going to be compromised and accepting that systems are not secure can we start to train for what may occur. Only when we accept that we cannot make the perfect security system will we learn to deal with the inevitable breaches that occur.

1 comment:

Ryan G. said...

Excellent post... wish I could make everyone in my company read it.