An Information Security Place

Commentary on the State of Information Security
AOL Charging for email

by Michael Farnum on March 1st, 2006 at 11:22 am
Posted In: Pre-Categories

Many of you have probably heard about the Goodmail scandal at AOL. Basically, they are trying to implement a system where people and organizations can pay to get better email service. That may not be how some people would sum it up, but that is essentially what it comes down to.

Now, I am a security person, so I am paid to be paranoid. That means I am essentially skeptical of anything I hear and read (I know, it is sad, but it is something life has taught me, and it makes for good security as well). In other words, I should have been born in Missouri (leave a comment if you don’t know what that means). That also means that when I see sites popping up like http://www.dearaol.com/, which is slamming AOL for this whole thing, I don’t take their word as truth (believe me, my inclination is to jump on the “stomp on AOL” bandwagon – the initial proposal by AOL made my hackles rise REAL high).

But, in the interest of fairness, justice, the American Way, etc., etc., etc., I have decided to do some more digging. I went to AOL’s site, but there was nothing immediately apparent that was discussing this. So, I went to Goodmail’s site. They have a “Get the Facts” page at http://www.goodmailsystems.com/certifiedmail/index.php. Again, I am cynical, so I can’t take this page at its face value either. But I have to say that much of their argument is sound. They have stringent criteria for getting certified from what I can see on the page. That is located at http://www.goodmailsystems.com/senders/qualifications.php.

Even with these two sites, their FAQ pages, and many arguments from many people, I have not completely made up my mind on this. As an argument against AOL, I can see phishers duplicating this certified insignia and putting it in their emails, so it might actually make phishing more effective. And with the advent of spear phishing, this could really get dangerous. However, I am not as concerned that AOL might make a business decision to not keep anti-spam, etc. up to date for your general user. I can see the fallout if they at all slack on this, especially since this uproar has risen. Also, there is an argument that this will make some people have a “non-guaranteed” email system. OK. Since when has email been guaranteed? Just because a provider says it doesn’t mean it is so. Anyone with half a technical brain knows the Internet itself is not guaranteed, much less email to your grandma. Sheesh.

Anyway, I can’t just sit back and start arguing, fuming, and screaming like so many are doing. I am not saying http://www.dearaol.com/ is doing this. What I am saying is don’t make a knee-jerk reaction. Take a look and make an informed decision. Don’t read troll comments. If you still come down against AOL, then so be it. If not, so be it. Just don’t be ignorant.

Vet

TRISC – Texas Regional Infrastructure Security Conference

by Michael Farnum on February 26th, 2006 at 10:59 am
Posted In: Pre-Categories

Last year was the first year for the Texas Regional Infrastructure Security Conference (http://www.trisc.org). I got an invitation in the mail (I am fairly sure I got it due to my ISSA membership, since they are one of a few organizations that are putting this together). Anyway, I was fairly impressed by the first year. One of the keynotes was Bruce Schneier, which was very impressive for a regional conference on its first year.

I decided to work on the committee this year, and it seems to be going very well. I am specifically on the Vendor and Sponsorship subcommittee, and this has proven to be very interesting. I am trying to sell the sellers every time they call me. “Hey, since you are trying to sell me something, let me turn it around on you! Do you want a booth at TRISC?” It cracks me up to hear the surprise in the salesperson’s voice. I love it!

I am expecting great things from TRISC this year and in the future. This is a pioneering conference. There are already ISSA chapters from other states wanting to bring this type of conference to their states. If you have any interest in sponsoring or attending, go to the link above. You will be getting in on the ground floor of an event that I think will grow tremendously. Think about it from the perspective of this quote from the RSA Conference website:

**The Founders Circle is a special group of Conference “enthusiasts” comprised of security professionals who have attended one of the first four (4) RSA Conferences held in 1992, 1993, 1994, and 1995, or who have attended four (4) of the last five (5) consecutive Conferences held.**

The Founders at the RSA conference get special perks, and many went on to become huge contributors to the security industry. Definitely something to look at seriously.

Vet

RSA Conference – Where’s Security Going?

by Michael Farnum on February 24th, 2006 at 3:23 pm
Posted In: Pre-Categories

I spent a week in San Jose, CA (which I found very UNappealing, BTW) for the RSA Conference. Here are my thoughts:

1. As stated above, the venue was not AT ALL appealing. The main convention center did not have enough room for the Keynote speakers, so they were across the street in some building (can’t remember the name). That area was simply old and dirty looking. I am not averse to dirt (I was born and raised in Mississippi, for goodness sake), but I don’t like it when I am trying to listen to big-name CEOs talk about trends in security. They had to have an annex for overflow (this is also where they placed “laptop” row, so people who actually wanted to get some work done could plug in). The annex had a telecast of the keynotes, so this tells me that the San Jose venue is just not suitable for a convention of this size. I am sure there was some reasoning behind San Jose, but I cannot see going there again.

However, since #1 did not seem to directly affect the quality of the tracks, speakers, etc., I will digress.

2. RSA itself is a very important event in the world of security because of the trends that come out from experts. This year was no different. Here are some of the trends I heard talked about:

a. De-perimeterization: This one is not new, but it seemed to really take focus and gain strength this year. Many speakers were talking about this. One Microsoft speaker was talking about moving the firewalls to the ISP, so the company would basically be getting “clean bits”. He also talked about the move of the firewall to the desktop and server level, and the increasing popularity of host-based IPS.

Another company (can’t remember now – sorry) spoke of “zoning” using software instead of hardware VPNs, etc. This also came from the disappearing perimeter argument.

What this company called “de-perimeterization”, I simply call a “dynamic perimeter”. The perimeter was still there, it was just allowed to kind of flow to meet your requirements. It hasn’t disappeared at all.

What Microsoft proposed was simply a gargantuan DMZ between the ISP and our servers / desktops. He said that we should look at the network as just being another part of the Internet. I say he’s opening us up for a huge management problem by making us manage desktop firewalls more closely and making us go to our ISP for opening ports, creating policies, etc. Yes, the ISP could give us a virtual firewall that we could manage, but then the ISP would not be able to guarantee clean bits, thus defeating the move of the firewall.

b. Though this has also been happening for the last couple of years, there seems to be a big push towards integrated firewall, IPS, switching, routing, etc. 3Com’s acquisition of TippingPoint has them on this bandwagon. Juniper’s acquisition of NetScreen gave them a huge push in this direction. However, this flies in the face of the disappearing perimeter. I am not seeing how these two can work together. What I see is the disappearing perimeter as a partial move by some companies, but it is still not a direction that many security experts are seeing as viable. Defense-in-depth is still taught by the vast majority of security experts, and creating a large gap with no security measures does not square with this tried-and-true practice. I see deperimeterization as something of a pipe dream for most organizations.

c. At last year’s RSA conference (2005), spyware was the big problem that almost no big security software vendors had a solution for. Now, everyone has a solution for it. It is amazing to me the way needs get met in security. Now, spyware is no longer the problem du jour (though it is still very much an issue).

d. Network Access Control (what I call sandboxing) is one of the big dogs this year. Everyone is tying on to Cisco’s NAC right now, giving it extra functionality and rules. MS’s NAP is not there yet, but the promise seems very big. BUT, you have to be an all-MS shop to really take advantage, so I am not sure where that is going. Juniper and 3Com are also moving in this space, but I am not sure how successful they will be since they have limited market share with switching and routing. They seem to be an add-on at this point, but Juniper can definitely play if they continue to gain share in the routing arena. Their security products (firewall, IPS, SSL VPN) are the best out there in this humble blogger’s opinion.

e. Compliance is and continues to be a huge issue. Now, the focus is on scanning the network, auditing the results, and reporting compliance levels. Many companies seem to be giving all-in-one compliance solutions. They are tying this in with their basic management products.

Overall, I see security moving more and more towards becoming this pervasive idea / strategy that will basically take over all aspects of IT. Manufacturers and software vendors of any real size will not be able to make a product without first considering security. It is becoming THE focus of IT, and I think that is a positive thing. Where the differences will be is which way the market decides to go. Some new aspects of security are too important and will be around no matter what (some type of access control, compliance, others), but others (deperimeterization, security product integration) seem to be competing, at least in the enterprise. It is an exciting time in security. I am glad I am here to see it.

Vet

Hello world!

by Michael Farnum on November 30th, -0001 at 12:00 am
Posted In: Pre-Categories

Welcome to WordPress. This is your first post. Edit or delete it, then start blogging!
