|
|
|
|
|
|
|
||
|
|
|
|||
 |
|||||
 |
     
|
 |
Netcentric View: Replacing the Maginot Line Security Model
By Bernard Cole
|
|||||||||
 |
To find out more about what they said, go to the full list of the House Committee hearings for the 107th Congress to listen to the testimony or read the transcripts listed under the Oct. 10 meeting of the Science Committee.
According to Wulf, the current system is flawed because the strategic assumptions on which it's based are outdated, as are the responses to security breaches. Most cyber security, he points out, is based on what he calls the "Maginot Line" model: the assumption that what we need to protect is inside the system behind firewalls, cryptographic mechanisms, intrusion and virus detector that are supposed to keep outside attackers from gaining access and taking control. But, he said, in a net-centric computing and communications environment where there is no clear boundary between "in here" and "out there," this view has outlived its usefulness, if it had any in the first place.
"The immediate problems of cyber systems can be patched by implementing 'best practices,' but not the fundamental problems," he testified. Moreover, no one has questioned the underlying assumptions about cyber security established in the 1960s mainframe environment out of which the Maginot Line Model emerged. As a result, he said, the little research that is being done is focused on answering the wrong questions.
"In WWII, France fell in 35 days because of its reliance on this model," he said. "No matter how formidable the defenses, the attacker can make an end run around them, and once inside, the entire system is compromised.
Wulf also objects to the model because if fails to recognize that that many security flaws are "designed in." In other words, a system may fail by performing exactly as specified. Flaws are not always "bugs" or errors; they can also result when a system behaves as designed, but in ways the designers did not anticipate. "It is impossible to defend or provide a firewall against security flaws that were conceived of as perfectly legitimate; that were, in fact, considered requirements of correct system behavior," he said.
A third concern he has is that the Maginot Line cannot protect against insider attacks. "If we only direct our defenses outward, we ignore our greatest vulnerability, the legitimate insider," he testified.
An even more serious flaw he sees is that it may not be necessary to "penetrate" a system to do major damage. "This was demonstrated by the distributed denial-of-service attacks on Yahoo," Wulf said, "which showed that expected behavior can be disrupted or prevented without any form of penetration. Simply by flooding a system with false requests for service, it became impossible to respond to legitimate requests" (I understand that this was one of the ploys al Qaeda might have been considering if they had been successful in penetration of one of the many control systems monitoring power, water, and fuel distribution.)
Probably the most serious objection Wulf has to the current Maginot Line approach to computer security is that it has never worked. "Every system built to protect a Maginot Line-type system has been compromised--including the systems I built in the 1970s," he said. "After 40 years of trying to develop a foolproof system, it's time we realized that we are not likely to succeed. It's time to change the flawed inside-outside model of security."
While I find many of Wulf's arguments compelling, what do we have to replace this model? Wulf points to a couple of possibilities. They include the use of models based on biological immune responses and others along with other models that distribute the responsibility for defining and enforcing security to every object in the system. The goal is to assure that the compromise of one object would not compromise the whole system.
What are the alternatives to the traditional model? How robust are they? Are they applicable across the board to all connected computing environments, from those based on desktops to embedded devices, or are they limited to just one segment?
Bernard Cole is site leader and editor of iApplianceweb and an independent high technology editorial services consultant. He welcomes your feedback. Call him at or send an email to .
For more information about topics, issues and technologies mentioned in this story go to the flashing icon in the upper left corner on this page or go to the iAppliance Web Views page and call up the associatively-linked Java/XML-based Web map of the iApplianceWeb site.
Enter the appropriate key word, product or company name to list instantly every news and product story, product review and product database entry relating to the topic since the beginning of the 2002.
