This year for St Patrick’s day, my son brought home a paper requesting his family make a leprechaun trap. It suggested using string, paper cups, shiny objects, and numerous random items that generally end up in the trash. I believe there was even a suggestion for plastic spoons, though for the life of me I cannot imagine a capacity in which a plastic spoon could be used to entrap a leprechaun. My wife suggested taking an old pizza box, putting a stick inside to hold it open with a string tied to it. Then when the leprechaun entered the box to get whatever treat was waiting inside, the string could be pulled and the leprechaun would be captured.
Obviously, my wife didn’t understand how cunning a leprechaun could be and the thought that a simple pizza box would be a sufficient trap led to only one conclusion: I would be taking over this project.
Unfortunately it would take this entire article for me to outline every detail that made up what ultimately was the perfect leprechaun trap. Instead I will only touch on a few key points.
First, I know there are no such things as leprechauns. However, my wife still felt the need to point this out to me after I spent about $75 on some building materials. This, however, did not mean that I was taking the challenge any less seriously. Second, though most of the construction took place while my son watched from a safe distance, I still feel comfortable saying this was a family project. After all, I did allow him to follow me around on several occasions at Home Depot.
Third, and what turned out to be most important, let it be known here that finding battery-operated solenoids and heat sensitive sensors is a little more difficult than one might think -- especially, when you only have two days.
Ultimately I did complete the trap, though my son could only operate it under strict adult supervision. However, I do pity the poor leprechaun who falls victim to the lure of the shiny tinfoil bait that will bring him to his ultimate demise.
Don’t Fall Into the Trap
So, why would I share this fascinating tale about a leprechaun trap that not only led to several heated conversations between my wife and me, but also left two of my fingers with cuts that probably should have been treated by a qualified physician?
It turns out that many organizations have fallen victim to very similar situations. You see, though I did end up making a very slick trap, hindsight leads me to believe that the pizza box and a stick may have been a better solution. In this same way, many organizations have jumped into major security projects with grand ideas and a half-baked plan, only to go way over budget and end up with something that is far more than they need and can manage.
I am constantly involved in meetings where organizations are developing a security plan for a new project. Though it is much easier to start at the beginning, in many cases I am brought in when the plans have already begun. Generally, at this point, the client is now looking for another perspective because things are not going the way they had envisioned.
For example, a client I met with a few weeks ago was implementing a new online banking application. They had already spent thousands of dollars on new equipment, though they had not decided how the network itself was going to be laid out. As we started to whiteboard everything, it became clear their existing network would already support everything they were implementing. Ultimately, the only thing they needed was an additional network card for their existing firewall. Luckily this was easy to fix. Had they continued down their current path, they would have invested close to $40,000, had a network that was so splintered that the communication needed between the servers would have had numerous bottlenecks, and their existing network would have become less secure.
The Best Fit
This doesn’t just happen on major network implementations. Firewalls, for example, range in functionality and price. Most small to midsize companies can use a very low end firewall for all their internal security needs. But instead, you find organizations that invest thousands of dollars on solutions that are far beyond the need of the organization and the skill set of the administrator. This is not to say that the more robust solutions are not good. It just becomes similar to bringing a harpoon to catch goldfish. Just because it’s bigger and has more features, it does not mean that it will be the best solution for all organizations. An administrator needs to avoid listening to marketing hype and instead outline what it is that they truly need.
If your organization has a strict policy that no remote clients can have access to your network, then VPN technology included within the firewall means nothing to you. Granted, I am only mentioning firewalls here, but this applies to everything from anti-virus to wireless access. You must define what the specific goals are before you begin to look for the solution. Just because Check Point has a larger share of the firewall market doesn’t mean that it’s the right product for your environment.
While talking about firewalls, you also need to decide if a managed firewall is truly needed for your organization. My main issue with managed firewalls is that, in many cases, there is really no need. For example, if you’re a small business that allows all traffic outbound and no traffic inbound, unless you have a monkey running your network, there is absolutely no reason not to manage the firewall yourself.
Basically it is a paperweight at that point, and there should be few, if any, changes ever necessary. In the case where your firewall does require more maintenance, then you will need to weigh how much work will be involved and if it is justified to use a managed service or have an internal employee assigned to it. A good rule of thumb would be that if you are required to make changes more than once a week, it could become more cost effective to outsource to a managed solution. Of course, that will also depend on what price you are required to pay, as it can drastically vary.
Managed IDS
Another managed solution that should be reviewed is intrusion detection/prevention. Where firewalls most often do not need outsourced management, IDS should almost always be outsourced.
Let me be clear that the organization I am affiliated with does not offer managed solutions, so this is not based on a hidden agenda. What has become clear to me through the years is that the only way that IDS can be effective is through constant supervision. If it’s 3am on a Saturday morning and someone is attempting to break into your network, who is responsible to catch it, verify if it’s a false positive, and then do something about it? Unless you have the manpower in your office for this kind of 24-hour surveillance, you need to look into managed service.
Now, like most things in the world, the price can range greatly. My suggestion would be to talk to people in your industry and see who they like. Managed IDS solutions have been around for a number of years and you can always find people with positive and negative stories for you to take into consideration. Find a solution that will support promiscuous monitoring if you are placing the device on your internal network. IDS can be in proxy/passthrough mode or promiscuous mode. Proxy/passthrough mode is designed to pass all traffic through the device. For example, on your external network, before the traffic hits your firewall it is first piped through the IDS device. This is a great solution for your external network, as all traffic coming in is monitored before it touches your equipment.
On the internal network, however, the proxy/passthrough mode becomes useless. In most cases, the device will sit just inside the firewall and only monitor traffic inbound and outbound via the firewall. Though great for detecting attacks at the gateway, what happens when there is someone already on your internal network? If a disgruntled employee decides to hack into your internal database, what happens then? Since the employee is already on the internal network and is attacking other computers on the internal network, that IDS device in proxy/passthrough mode would never see a thing. On the other hand, were that internal IDS device in promiscuous mode, then all traffic on that internal network segment would be monitored and the attack would be spotted instantly.
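To make the visibility difference concrete, here is an added example (not from the article or from TraceSecurity) that models the two sensor placements over a handful of constructed flow records. It assumes a single flat internal segment in 10.0.0.0/8 and that the promiscuous sensor is fed by a mirror (SPAN) port or tap, which is what promiscuous mode needs on a switched network.

```python
"""Model which flows each IDS placement can see.

- inline (proxy/passthrough) sensor just inside the firewall: only sees
  flows that actually cross the gateway.
- promiscuous sensor on a mirror port of the internal segment: sees every
  flow with at least one endpoint on that segment, including host-to-host.
All addresses and flows below are constructed for illustration.
"""
import ipaddress

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal segment
DB_PORTS = {1433, 3306, 5432}                   # common database listeners

# Constructed flow log: (src, dst, dst_port, description)
FLOWS = [
    ("203.0.113.7", "10.0.5.20", 443, "customer to web server via firewall"),
    ("10.0.5.20", "198.51.100.9", 53, "DNS lookup out through firewall"),
    ("10.0.9.77", "10.0.5.40", 1433, "workstation to internal database"),
    ("10.0.9.77", "10.0.5.41", 1433, "same workstation, second database"),
    ("192.0.2.50", "10.0.5.20", 22, "external SSH attempt at gateway"),
]


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL


def seen_by_inline_gateway(flow):
    src, dst, _port, _desc = flow
    # Only traffic with exactly one internal endpoint traverses the firewall.
    return is_internal(src) != is_internal(dst)


def seen_by_promiscuous_internal(flow):
    src, dst, _port, _desc = flow
    # Anything touching the mirrored segment is visible, gateway bound or not.
    return is_internal(src) or is_internal(dst)


def blind_spots(flows, sensor):
    """Descriptions of flows the given sensor placement never observes."""
    return [f[3] for f in flows if not sensor(f)]


def lateral_db_access(flows):
    """Internal-to-internal flows aimed at database ports: the insider case."""
    return [f[3] for f in flows
            if is_internal(f[0]) and is_internal(f[1]) and f[2] in DB_PORTS]


if __name__ == "__main__":
    print("inline misses:", blind_spots(FLOWS, seen_by_inline_gateway))
    print("promiscuous misses:", blind_spots(FLOWS, seen_by_promiscuous_internal))
    print("lateral DB access:", lateral_db_access(FLOWS))
```

Every flow returned by lateral_db_access is also in the inline sensor's blind-spot list, which is the article's point: the gateway sensor never sees the insider reaching the database.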
When an administrator is looking to improve the network security or is required to bring in new equipment to meet the needs of a changing environment, the key is to start simple. What I avoided mentioning in my opening story about the leprechaun trap is that I think I spent about as much time and money as the government did when they built the Apollo 11 space ship. Had I listened to the voice of reason, which in this case was my wife, the project would likely have been just as successful, far less expensive, and ultimately made more sense.
Administrators need to make sure that they view their projects using a similar perspective. It is very easy to get caught up in what’s cool and lose track of what is needed. Make sure the design fits the need. Ultimately your goal should not be to have the biggest and the coolest, but to have what makes sense. Otherwise you might find yourself with a giant device designed to catch something that doesn’t even exist.
About the Author
Jim Stickley is the CTO of TraceSecurity, Inc. (www.traceSecurity.com), a provider of enterprise-class vulnerability management solutions and security assessments. He can be reached at jstickley@tracesecurity.com.