The ideal state of security would be when a threat agent gets inside your domain, or gets access to your secrets, property etc., but it doesn’t matter.

Hoff kicked off quite the discussion on the Jericho Forum (follow up here with links to the blogs that discussed JF).

This slide deck (pdf), by Andrew Yeomans, Chairman of the Jericho Solutions Working Group, is a brief intro to the Jericho Forum. It more or less mirrors the enlightening comments by Mr. Yeomans that Rob Newby published today.

As for the arguments against the Jericho Forum, they can be divided into two groups as far as I can tell:

1. Those that that think the JF is right, “but we will still have a perimeter”. (Lonervamp)

   This is partly an issue of semantics and partly an inability to map the way we use networks to the way we defend our network assets. Our assets, (data) aren’t contained within a traditional perimeter. Why surround a network with a perimeter when you really just want to protect the data. (OK, I’m sounding like Rob, but he is right.) This doesn’t mean trash firewalls, but really, we need to trash the perimeter model. The data are all over the place and won’t forever be inside the protection of a UTM device. Furthermore, as noted by Yeomans on Robs blog and on the slides, we are letting outsiders and threats through the perimeter, so we should design our systems to withstand these threats. In a way, this is getting rid of the perimeter. Yes, we will be setting up protection closer to the data. You can call this a perimeter, but I really think we should trash that word. We need to consider the “placelessness”” of data in the future and design our defenses accordingly. “Perimeter” implies a fence of sorts that protects things within it’s boundaries. This doesn’t map to the way business is done now or will be done in the future. That is the problem with the perimeter model in network security. Note: I said trash the word; not trash the firewalls. But the edge devices shouldn’t be considered the cornerstone of the de facto security model. Maybe they will exist to ensure clean pipes, but that doesn’t need to be thought of as a perimeter.

2. Those that have a vested interest in selling edge appliances. (Stiennon)

   JF causes them to stammer in fear because they are scared they might really be tossed in the dumpster for good. They try to argue that things will remain the same to justify what they currently are selling. The nice thing about selling is there will always be something to sell, so don’t let the changes and improvements scare you.

I think the reason I like the Jericho Forum’s ideas are that they remind me of a security ideal that has eluded me since I read it in an article in college. I think it was in Wired by Bruce Schneier, but I can’t remember. It went something like this:

The ideal state of security would be when a threat agent gets inside your domain, or gets access to your secrets, property etc., but it doesn’t matter. The safety of the object is an attribute of the object itself.

At least that’s how I remember it. Ever since then, I wondered how I could give my home this attribute. How could I make it so a thief that makes it into my house is powerless to do anything to my things? E.g. I could make them invisible to him. I could make them unmovable by him, etc. I’m interested to see if the JF’s ideas will help us move closer to this ideal.

Standards are defined in the market……Lots of vendors try to circumvent this natural law and it doesn’t work.

Natural law. Exactly the term that gets me hot.

Amrit wrote recently about The Birth of the Endpoint Protection Platform. Fitting for the guy that wrote about the death of AV by the end of 2007 (3 more months to go!). Amrit believes the current laundry list of operations and security agents that run on our desktops are costing far more than the value they provide when you look at them as a whole. You can save a ton of time and money by consolidating all of these into a single client. That sounds good to me and it is evident that the vendors are going that way. Symantec is trying to meet the demand and Sophos preaches the same thing. Although until now Sophos have left the operations part out of it. (I expect them to change that)

Hoff the visionary thinks the one master-agent approach is just the beginning of another problem and not a real solution:

Granted, we’re seeing the same sort of consolidation occur on the software side with “super agent endpoints,” but these pieces of bloatware can be worse than stacking individual agents up, one against the other. Security in width (not in depth) will become our undoing and the benefits of consolidation wear off when you end up with a “single vendor’s version of the truth” that ends up being a jack of all trades and a master of none.

What’s Hoff’s solution?

We all know that what we need is robust protocols, strong mutual authentication, encryption, resilient operating systems and applications that don’t suck.

I totally agree with Hoff. We wouldn’t need most of the agents if our operating systems and protocols were better designed. But what are we going to do today and tomorrow? We aren’t going to have new protocols, OSs or apps. For now, we are going to have to settle for agents that, like a doctor’s drugs, do nothing to cure the ailment but suppress the symptoms fairly well.

Hoff knows this, and settles for what basically amounts to the BigFix approach:

But because we can’t wait until the Sun explodes to get this, we need a way for these individual security components to securely communicate and interoperate using a common protocol based upon open standards.

Except the BigFix approach isn’t interoperable or based on open standards (or is it?).

There isn’t any interoperability because customers aren’t demanding it

Hoff goes on to say that he doesn’t think we will ever see this type of interoperability among vendors because of greed. I wouldn’t blame greed though, unless by greed he means an unwillingness to collaborate because they believe their value lies in their micro-monopoly patents and their ability to lock customers in their solution. (Little do they know, that they are making themselves less valuable by doing so.) No, there isn’t any interoperability because customers aren’t demanding it.

Marcus Ranum said as much in an interview over two years ago. He mentions that standards committees are too slow and vendors are too concerned about their patents and their supposed market to agree to let committees like the IETF approve standards. Marcus’ solution:

I think we could do away with the whole standards thing very easily if a few customers just exercised their economic power a little bit intelligently. Big customers have huge power, but they seem to have forgotten that. If the CTOs of 10 FORTUNE 500 firms announced that they were deferring further purchases of VPN products until they saw proof of interoperability, and open published specifications that weren’t encumbered by patents or licenses, the whole market would standardize practically overnight. Because the truth is nobody cares about standards – everyone cares about what you can do with interoperable systems. If customers just openly refused to do business with vendors that produce non-interoperable systems, the whole thing would clear up really fast.

This is the solution to the lack of interoperability. In short, let the market play out, rather than relying on and hoping for central planning. If customers demand it, it will emerge. There is no reason why there can’t be multiple standards competing for market share (look at all the different web syndication standards for example). Essentially, a standard would be collaboration between vendors to make their stuff play well together so they can win business. They create frameworks and APIs to make that happen more easily in the future so they can win business easier. If customers like it, it becomes a “standard”.

In summary, Hoff thinks we should settle on standards to allow our dozens of desktop agents to communicate, but doesn’t think it will happen, while Amrit thinks you don’t need interoperability when you can do it all yourself.

You might also like:

Network Appliances Need More Interoperability

Why Network Appliances Suck and What to Do About It.