With the birth of the personal computer, early software engineers adopted real-world systems as a basis for their electronic equivalents. Organizing data on the hard disk in folders and files was an easy-to-grasp concept for users. When we evolved beyond the command line, the natural paradigm of the desktop fit well. Users immediately understood the concept of a two-dimensional workspace they could organize as they saw fit. With the explosion of the Internet, new paradigms needed a model that would give users an inherent understanding. Email took its pattern from a real-world model, though oddly enough not from mail but from the office memo (I guess 'E-memo' didn't sound as good). It was so effective in borrowing the concepts of TO:, CC:, and BCC: that email quickly became widely adopted.
When working on information security systems, I too look to the real world for inspiration. However, not all real-world examples are useful...
A real-life firewall doesn't present a great wealth of information on how a packet filter should function. Besides keeping the engine from turning us into a messy spot in an accident, it has little bearing on the complexities of a modern, stateful firewall. Deep Packet Inspection can't look back at a time when legions of humans manually sifted through Ethernet frames. If we were to apply the airport security model to DPI, we'd have to find novel ways of generating latency, removing any liquid-y bits and racially profiling the headers.
What real-world security examples can we learn from and apply to network security?
Neighborhood watch contains a wealth of examples of good practice in network security. It relies on the fact that those doing the monitoring are close to, and familiar with, what they are watching. It's also a low-cost way of extending the watchful eye using something already available to the police: community residents. If we apply this logic to network security, it makes sense to locate compensating controls as close to the assets as possible. Software on endpoints complements the heavy-duty hardware appliances at central points within the network. Knowing what each system is supposed to do, and configuring its protection accordingly, greatly improves our chances of detecting something suspicious.
Wiretapping uses a system of keywords to reduce the volume of conversation an analyst needs to listen to. Perhaps in resource-constrained intrusion prevention systems (IPS) a quick pre-match for potentially suspicious content could be employed before deeper inspection takes place. New traffic sources could be assigned a high level of suspicion that decreases over time, reducing the depth of the checks as the source proves itself.
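The staged approach sketched above, as an added example in Python that is not part of the original post and not drawn from any real IPS: a cheap keyword pre-match runs on every payload, a per-source suspicion score starts at 1.0 for a never-seen source and halves every half-life, and that score selects how many bytes are examined and whether the expensive signature stage runs at all. The keyword list, the regex signatures, the 600-second half-life, the depth thresholds, the byte windows and the sample requests are all constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed keyword list for the cheap first pass (the "wiretap keyword"
# stage); a real deployment would derive this from its signature set.
PREMATCH_KEYWORDS = ("select", "union", "/etc/passwd", "cmd.exe", "<script")

# Constructed regex signatures standing in for the expensive deep-inspection
# rule set. They only run when the cheap pass hits or the source is still suspect.
DEEP_SIGNATURES = [
    re.compile(r"union\s+(all\s+)?select", re.IGNORECASE),
    re.compile(r"(\.\./)+etc/passwd"),
    re.compile(r"<script[^>]*>", re.IGNORECASE),
]

# How many payload bytes each inspection depth examines; None means all of it.
INSPECT_BYTES = {"full": None, "medium": 512, "light": 128}


@dataclass
class Verdict:
    source: str
    suspicion: float
    depth: str            # "full", "medium" or "light"
    prematched: bool      # cheap keyword stage fired
    deep_inspected: bool  # expensive signature stage ran
    alert: bool           # a deep signature matched


@dataclass
class StagedInspector:
    """Two-stage inspector with per-source suspicion that decays over time."""
    half_life: float = 600.0   # seconds for a new source's suspicion to halve
    floor: float = 0.1         # suspicion never decays below this value
    first_seen: dict = field(default_factory=dict)

    def suspicion(self, source: str, now: float) -> float:
        """A source unseen before now starts at 1.0 and decays toward the floor."""
        started = self.first_seen.setdefault(source, now)
        return max(self.floor, 0.5 ** ((now - started) / self.half_life))

    @staticmethod
    def depth_for(suspicion: float) -> str:
        if suspicion >= 0.5:
            return "full"
        if suspicion >= 0.2:
            return "medium"
        return "light"

    def inspect(self, source: str, payload: bytes, now: float) -> Verdict:
        s = self.suspicion(source, now)
        depth = self.depth_for(s)
        # Depth limits how much of the payload either stage gets to see.
        window = payload[: INSPECT_BYTES[depth]].decode("latin-1")
        prematched = any(k in window.lower() for k in PREMATCH_KEYWORDS)
        # Deep inspection runs on a keyword hit, or unconditionally while the
        # source is new enough to still rate "full" depth.
        deep = prematched or depth == "full"
        alert = deep and any(sig.search(window) for sig in DEEP_SIGNATURES)
        return Verdict(source, s, depth, prematched, deep, alert)


if __name__ == "__main__":
    ips = StagedInspector()
    src = "10.0.0.5"  # constructed sample source address
    for t, req in [
        (0, b"GET /?id=1 UNION SELECT user,pass FROM accounts HTTP/1.1"),
        (0, b"GET /index.html HTTP/1.1"),
        (1200, b"GET /?q=<script>alert(1)</script> HTTP/1.1"),
        (1800, b"GET /index.html HTTP/1.1"),
    ]:
        v = ips.inspect(src, req, now=t)
        print(f"t={t:>5}s suspicion={v.suspicion:.3f} depth={v.depth:<6} "
              f"prematch={v.prematched!s:<5} deep={v.deep_inspected!s:<5} "
              f"alert={v.alert}")
```

The run shows the same source moving from "full" to "medium" to "light" depth over thirty minutes, with the deep stage only running on a keyword hit once the source has aged. The flip side is visible if a keyword sits beyond the light window: a payload of 200 filler bytes followed by a script tag is never pre-matched at "light" depth, which is why the suspicion floor is set above zero rather than letting inspection switch off entirely.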
The Secret Service has an advance team that surveys the destination of a dignitary ahead of the visit. In network security we use tools like Capture-HPC to visit potentially dangerous URLs, presumably to add them to a blacklist. Perhaps other scouting technologies could proactively assess resources ahead of users.
A casino uses the eye in the sky to centrally monitor for cheaters. Not only is this efficient, but the nature of the observation (from above) provides an unobstructed and tamper-resistant way of watching for wrongdoing. I would liken this to the external network monitoring provided by VMware in the VMsafe network introspection API. The monitor can watch from a location impervious to the tampering that may occur to the guest OS, but it is close enough to the guest to catch everything.
There are countless other real-world examples that one can apply to network security. Each brings years of proven experience that can inspire the information security systems of today and tomorrow.