
Arm Chair QB - Jimmy buys the beer!?


I’m one of the few hillbillies who’s not a big NASCAR fan. Since I was a kid, I’ve always been more of an Indy Car fan. I think it goes back to when I was younger and my Dad took me to see the Indy 500 in 1967, when Whispering Wind, the world’s first turbine-powered car, lost the race due to a six-dollar bearing.

Of course, like nearly everything, the “I told you so’s” started flying. I’ve learned a lot about network security watching and racing open-wheel cars. Namely, it’s the little things that really add up. As a point of reference: I really suck at racing cars. I’m the only team member with a helmet and fire suit, and I buy the beer.

Look at what we do as security practitioners: thousands upon thousands of vectors to actively patrol and watch. One little thing… and KA-BLAMO!! You’re the next headline. Network security is one of the few jobs in IT where everyone expects perfection. Consider this: have improper normalization in a DB? Well… relationships are tough even in the digital world. Have a problem faxing over a VoIP circuit? Well… switch over to G.711 and it works… most of the time… Bug in your code? Yeah… release a patch, etc., etc. Security breach?!?! You are sentenced to wear the Sailor Moon Cone of Shame at RSA.

Security makes headlines. Mess up there and, oh mercy. I just finished reading the latest analysis of the latest headliner. It came from a vendor… so… you know what’s coming next: “If Company X had had our new and improved, lemon-scented, digital wavy-gravy locker blocker, they would have seen it coming….”

Come on, man. Stop being a douche. Working in security and with security folks, the last thing anyone wants is more piling on. Personally speaking, I have a lot of telemetry coming at me from all over the place. That is the problem. Why do folks loathe IPS? False positives. Why do users disable A/V? False positives (and, of course, the game of trying to beat IT at IT). Have you ever followed a tour guide to a spot only to find out, when you actually got there, that Wall Drug is just a drug store? The data was correct from a certain point of view, which is not the viewpoint I was looking for. Words like “walkable,” “garden view,” and “see seven states” are the equivalent of one-size-fits-all. Please, if you only pick up one thing from any of these blogs, let it be this: no one security product will EVER solve ALL your security problems. Never, ever, never will that day come. John Connor put a stop to that. The real question is how well a freshman product will work in your current design and processes.

You see, fellow security geeks, I need telemetry from the point of view of exactly what I’m trying to secure. Not from the switch as the traffic passes through at multi-gig speeds, or from the firewall, or even from the IDS, where it’s mixed in with everything else. Just like the telemetry from a race car, I need it as close to the source as possible, for speed and accuracy. I want to know what the server sees and when it sees it.

Windows has this functionality built in: Windows Filtering Platform (WFP) callouts. With a callout I can ensure a connection is IPsec-encrypted. I can silently drop packets with a callout. I can even push TCP processing down to the NIC (TCP Chimney Offload) to take load off the CPU. All quick and simple in Windows. We can do more than this; I just picked three to show you the range. No hairpinning traffic through an appliance and no signatures to update. Signatures are the in-laws of network security: you knew you’d have to deal with them, you just didn’t realize what a drain they could be…
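To make the three capabilities above concrete, here is an added example (not from the original post) of doing each of them on a Windows Server host from an elevated PowerShell prompt, using the built-in NetSecurity and NetTCPIP cmdlets that sit on top of the Windows Filtering Platform, plus the firewall log and WFP audit events that give you the “what the server sees” telemetry. The rule names, TCP port 1433, and the 10.10.0.0/16 application subnet are hypothetical placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example, not the blog author's code. Placeholder values: rule names,
# port 1433 (SQL Server) and the 10.10.0.0/16 app subnet.

# 1. Require IPsec for inbound SQL traffic from the app subnet.
#    The default Phase1AuthSet uses computer Kerberos; unauthenticated peers
#    never reach the listener. OutboundSecurity=Request keeps outbound
#    connections working to hosts that cannot negotiate IPsec.
New-NetIPsecRule -DisplayName "Require IPsec to SQL" `
    -Protocol TCP -LocalPort 1433 -RemoteAddress 10.10.0.0/16 `
    -InboundSecurity Require -OutboundSecurity Request `
    -Profile Domain

# 2. Silently drop a port you never expect to see on this box.
#    Windows Firewall block rules send no RST or ICMP unreachable,
#    so a scanner's probe simply times out.
New-NetFirewallRule -DisplayName "Drop inbound Telnet" `
    -Direction Inbound -Protocol TCP -LocalPort 23 `
    -Action Block -Profile Any

# 3. Host-side telemetry: log every dropped packet to the firewall log
#    and raise WFP packet-drop audit events (Event ID 5152 in the
#    Security log) so the drops can be shipped to your SIEM.
Set-NetFirewallProfile -Profile Domain,Private,Public -LogBlocked True `
    -LogMaxSizeKilobytes 32767 `
    -LogFileName "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:enable /failure:enable

# 4. TCP Chimney Offload: turn it on globally, then see which connections
#    the NIC has actually taken over. The NIC driver must support it too;
#    connections it cannot offload stay "InHost".
Set-NetOffloadGlobalSetting -Chimney Enabled
Get-NetOffloadGlobalSetting | Select-Object Chimney
netstat -t | Select-String -Pattern 'Offloaded'

# 5. Verify what you just built before walking away.
Get-NetIPsecRule -DisplayName "Require IPsec to SQL" |
    Select-Object DisplayName, InboundSecurity, OutboundSecurity, Enabled
Get-NetFirewallRule -DisplayName "Drop inbound Telnet" |
    Get-NetFirewallPortFilter
```

Two caveats a practitioner will run into: the Filtering Platform Packet Drop audit subcategory is noisy on a busy server, so size the Security log or filter on the ports you care about before forwarding it; and TCP Chimney Offload was dropped from Windows 10 and Windows Server 2016 onward, so on those releases the Chimney setting reports Disabled and nothing will ever show as offloaded.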

This is the angle I’m approaching security from, from now on. It does not have to be this difficult. All this hardware and monitoring, over and over and over…. I know there is a better way to get security done without redesigning my network or piecing stuff together like a cubist painting.

Stay tuned…

Jimmy Ray Purser

Trivia File Transfer Protocol:

TCP Chimney Offload is a Windows Server 2008 feature (first shipped with the Server 2003 SP2 Scalable Networking Pack) that moves TCP processing from the CPU to the NIC during network transfers. It must be enabled both in the OS (netsh int tcp set global chimney=enabled) and in the NIC driver, and can be verified with the command netstat -t: the far-right column reads “Offloaded” for connections the NIC has taken over and “InHost” for those it has not.
