Archive for the Category future

 
 

Five good points on Security in ENISA’s recommendation to the European Union

Last December I ranted a bit about Swedish security politics and just a couple of days ago ENISA - the European Network and Information Security Agency - released a report with recommendations on how to structure cyber security efforts within the European Union. Below are a few points that caught my attention.

Related to our lack of information on what is really going on out there:

“We recommend that the EU introduce a comprehensive security-breach notification law.”

“We recommend that the Commission (or the European Central Bank) regulate to ensure the publication of robust loss statistics for electronic crime.”

How else are we going to get a good picture of what is actually happening to others and how much it has cost them? My experience says that companies are getting really tired of hearing fictional stories and FUD. We need this.

Related to our inability of acting on issues:

“We recommend that the European Union introduce a statutory scale of damages against ISPs that do not respond promptly to requests for the removal of compromised machines, coupled with a right for users to have disconnected machines reconnected if they assume full liability.”

The Internet has no boundaries. If a computer or network in Sweden is compromised and maliciously controlled from Poland, the respective ISPs need to be responsible for disconnecting that machine and be held liable if they don’t. Our laws need teeth.

Related to vulnerabilities and patches:

“We recommend that the EU adopt a combination of early responsible vulnerability disclosure and vendor liability for unpatched software to speed the patch-development cycle.”

“We recommend security patches be offered for free, and that patches be kept separate from feature updates.”

Without a proper picture of where our vulnerabilities are, how are we supposed to be able to define our risk? Before the patch is available, how are we supposed to be able to counter a specific vulnerability with a countermeasure? A law that requires vendors to quickly notify their customers and the public about a vulnerability will allow companies to make the strategic decisions that are necessary. And of course patches should be free.

Last but not least, we need to collaborate on cybercrime.

“We recommend the establishment of an EU-wide body charged with facilitating international co-operation on cyber crime, using NATO as a model.”

Incidents happen to everyone; it’s just a question of when. Therefore, every company needs to plan for incident response. So does every nation and union.

Kudos to ENISA for a good report.

DR on Future firewalls - agrees on app awareness but misses identity awareness

Related to my earlier post Future firewalls are protocol, application and identity aware, Dark Reading today has an article on the same topic entitled Firewalls Ready for Evolutionary Shift. I consider identity and application awareness to be the two most important features in future firewalls, simply because they enable firewalls to function more like they were, and are, intended to. An IP no longer identifies a user, and a port number or even a protocol no longer identifies an application, so firewalls need to make their decisions on other parameters that do.

The article agrees with me on application awareness and, as I do, also references Palo Alto Networks’ App-ID. In addition to that, Gartner also feels that integrated IPS functionality will be “next-generation”, which I don’t agree with. Integrated IPS functionality gives no new security functionality. It is perhaps more practical, but it doesn’t solve any of the problems that IPS systems have. That the article doesn’t mention identity awareness is sad in an otherwise great piece.

And, sometimes I wonder what Gartner is smoking. These paragraphs got my attention:

CheckPoint, Cisco, and Juniper, for instance, already have some initial basic IPS capabilities in their firewalls today, Young says. “It’s less about firewalls and more about how networks and users have changed,” he says. “As they change, the firewall is forced to change.”

Gartner, Juniper is offering their full-blown IPS as a blade in their ISG series (Integrated Security Gateway).

Future firewalls are protocol, application and identity aware

There has not been much innovation in the firewall market for some time. Sure, they are stateful and perform deep inspection etc., but since most of them still look at TCP and IP protocol headers to identify traffic and applications, they have too many flaws to be considered a security device. I consider firewalls to be more of a networking device than a security device, since their main purpose is to connect untrusted and trusted networks, not to secure the connections.

There are two basic flaws with common firewalls that make them unsuitable to be called a security device. IP- and port-number-centric firewalls are flawed since:

  • IP addresses don’t properly identify a single user or even a single machine. Current trends of virtualisation make this even more true. Having IPs as source and destination variables isn’t granular enough.
  • Port numbers don’t properly identify a protocol. There was a time when port 80 was used by HTTP, but today many applications use port 80 for their traffic. One example is Skype. Having port numbers as protocol and application identifiers isn’t granular enough either.

Future firewalls that live up to the requirement of properly identifying users and applications are, however, to some degree already here. One innovative company is Palo Alto Networks, whose “Next generation firewall” uses a technology they refer to as App-ID:

App-ID is a revolutionary traffic classification technology that enables administrators to see exactly which applications are running on their network-irrespective of port, protocol, SSL encryption or other evasive tactics. Architected to address security evasion tactics such as the use of non-standard ports, dynamically changing ports and protocols, emulating other applications, and tunneling to bypass existing firewalls, App-ID gives administrators newfound powers of control over their application traffic.

I like this because it allows firewall policies to be described in terms of applications, such as Skype, BitTorrent, HTTP or SMTP, instead of service objects that rely on port numbers and header information. There are open source projects that develop similar technology to App-ID, such as L7-filter:

L7-filter is a classifier for Linux’s Netfilter that identifies packets based on application layer data. It can classify packets as Kazaa, HTTP, Jabber, Citrix, Bittorrent, FTP, Gnucleus, eDonkey2000, etc., regardless of port.

Besides being application-aware, Palo Alto’s firewalls integrate with Active Directory to tie users to IP addresses. Juniper Networks also does that - and much more - in their Unified Access Control concept (pdf). In that concept the firewall policies use the user identity instead of IP addresses, among other things.
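To make the contrast between port-centric and application/identity-centric policy concrete, here is an added example (not code from this post, Palo Alto Networks or the L7-filter project) of a minimal classifier that identifies the application from the first payload bytes regardless of destination port, ties the source IP to a user through a constructed identity table standing in for an AD lookup, and evaluates a policy written in terms of user and application. The signatures are simplified, and the IPs, users and rules are all constructed.

```python
import re

# Constructed, simplified application signatures matched against the first
# payload bytes of a flow (in the spirit of L7-filter patterns, not its rules).
SIGNATURES = [
    ("http", re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")),
    ("ssh", re.compile(rb"^SSH-2\.0-")),
    ("bittorrent", re.compile(rb"^\x13BitTorrent protocol")),
    ("smtp", re.compile(rb"^220 [^\r\n]*ESMTP")),
]

# Port-centric view: a "service object" is nothing more than a port number.
PORT_SERVICES = {80: "http", 22: "ssh", 25: "smtp"}

# Constructed identity table standing in for an AD / UAC IP-to-user mapping.
IP_TO_USER = {"10.0.0.5": "alice", "10.0.0.9": "bob"}

# Policy expressed as (user, application, action); first match wins, default deny.
POLICY = [
    ("*", "bittorrent", "deny"),
    ("alice", "http", "allow"),
    ("alice", "ssh", "allow"),
    ("bob", "http", "allow"),
]


def classify_by_port(dst_port: int) -> str:
    """What a port-centric firewall believes the application is."""
    return PORT_SERVICES.get(dst_port, "unknown")


def classify_by_payload(payload: bytes) -> str:
    """Identify the application from application-layer data, ignoring the port."""
    for app, pattern in SIGNATURES:
        if pattern.match(payload):
            return app
    return "unknown"


def decide(src_ip: str, payload: bytes) -> tuple:
    """Resolve (user, application, action) for one flow."""
    user = IP_TO_USER.get(src_ip, "unknown")
    app = classify_by_payload(payload)
    for rule_user, rule_app, action in POLICY:
        if rule_user in ("*", user) and rule_app == app:
            return user, app, action
    return user, app, "deny"


if __name__ == "__main__":
    # Constructed BitTorrent handshake sent to port 80 to slip past a port rule.
    bt_on_80 = b"\x13BitTorrent protocol" + b"\x00" * 8
    print("port-centric thinks:", classify_by_port(80))          # http
    print("app/identity-aware:", decide("10.0.0.5", bt_on_80))   # ('alice', 'bittorrent', 'deny')
```

The same flow that a port-80 service object would wave through as HTTP is classified as BitTorrent from its payload and denied by the application rule, and an unmapped source IP gets no user and therefore no allow.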

Update:

A good interview with the founder of Palo Alto Networks, Nir Zuk:

“I think that a more important trend in network security today is the move from port-centric to application-centric classification technologies. This will make most of the existing products obsolete, similar to the way stateful inspection has made its predecessors disappear from the world…”