Updated: 10/10/2004; 6:06:59 PM.
Mark O'Neill's Radio Weblog
        

Monday, March 22, 2004

Endpoint security - If firewalls are the problem, can they also be the solution? 

This article from InternetWeek reports that Cisco are using their Okena acquisition to augment the Cisco Security Agent  - described as a "program that protects so-called 'endpoints,' or individual servers, desktops, and other devices." - with behavioral "learning" capability.

The article points out that security enforcement at the endpoint "aims to close any gaps that might be missed by firewalls".

This tallies with a theme in security at the moment - deperimeterization. At the moment, this weblog is the only Google hit for deperimeterization spelt with a "Z" (a Googlewhack). Spelt with an "S", deperimeterisation isn't, which suggests the phrase originated in the UK.

There are many aspects of deperimeterization which are relevant for Web Services security (I'm in Boston so I'll use the 'Z' spelling). The most obvious is that, as everybody knows, most existing firewalls are oblivious to XML. But the larger problem is that firewalls have for a long time been oblivious to SSL traffic, and sensitive XML data is almost always encrypted using SSL. This presents a big problem for companies who subscribed to the "crunchy perimeter, soft center" firewall model, because SSL traffic sails through the "crunchy perimeter" encrypted. Another way in which deperimeterization affects Web Services is where XML traffic "hops" through a number of systems in a Services Oriented Architecture, requiring security information (e.g. "Where is this message from?", "Where and how was the sender authenticated?") to be bound to the messages themselves; otherwise the messages lose their security "context".

These are some of the reasons why, in addition to selling an XML Firewall (VordelSecure), Vordel also sells Agent plug-ins which embed into the protected Web Services endpoints themselves. This allows an administrator to deploy Vordel's XML Firewall to perform peer authentication and then sign and "inject" a security token into messages, allowing Vordel's agents to scan for the presence of this token at the endpoints. Without this endpoint protection, an XML message which simply hasn't come through the XML Firewall cannot be blocked. And without endpoint protection, internal-to-internal messages have to be routed up through an XML Firewall, which isn't always a convenient or elegant solution. If you can only "see" the messages in a snapshot as they pass through an XML Firewall, you aren't seeing (or managing) a full view of the security of a Services Oriented Architecture.
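As an added illustration of the pattern described in the two paragraphs above (example code, not Vordel's own): the gateway authenticates the peer, binds the sender, the authentication method and a digest of the body into a signed header token, and the endpoint agent rejects any message that lacks a valid token or whose body changed after signing. The token element, its namespace and the keyed HMAC-SHA256 scheme are assumptions standing in for whatever signature format the real product uses.

```python
# Added example (not Vordel's code): a gateway signs and injects a security token into a
# SOAP message and an endpoint agent verifies it. Token element, namespace and HMAC are assumed.
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
TOKEN_NS = "urn:example:security-token"  # assumed namespace for the injected token
ET.register_namespace("soap", SOAP_NS)
ET.register_namespace("sec", TOKEN_NS)

# Constructed sample request (not taken from the page).
SAMPLE = ('<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
          '<soap:Body><getQuote>ACME</getQuote></soap:Body></soap:Envelope>')

def _body_digest(root):
    """Digest of the serialized Body, so changes made after injection are detected."""
    body = root.find(f"{{{SOAP_NS}}}Body")
    return hashlib.sha256(ET.tostring(body, encoding="utf-8")).hexdigest()

def gateway_inject_token(envelope_xml, key, sender, auth_method):
    """XML Firewall side: after authenticating the peer, bind who/how to the message."""
    root = ET.fromstring(envelope_xml)
    header = root.find(f"{{{SOAP_NS}}}Header")
    if header is None:
        header = ET.Element(f"{{{SOAP_NS}}}Header")
        root.insert(0, header)
    digest = _body_digest(root)
    token = ET.SubElement(header, f"{{{TOKEN_NS}}}Token")
    token.set("sender", sender)
    token.set("authMethod", auth_method)
    token.set("bodyDigest", digest)
    # The signature covers the security context and the body digest, keyed per gateway.
    signed = f"{sender}|{auth_method}|{digest}".encode()
    token.set("sig", hmac.new(key, signed, hashlib.sha256).hexdigest())
    return ET.tostring(root, encoding="unicode")

def endpoint_check(envelope_xml, key):
    """Endpoint agent side: accept only messages carrying a valid gateway token."""
    root = ET.fromstring(envelope_xml)
    token = root.find(f"{{{SOAP_NS}}}Header/{{{TOKEN_NS}}}Token")
    if token is None:
        return False, "no gateway token: message did not pass through the XML firewall"
    sender, method, digest = (token.get(a) for a in ("sender", "authMethod", "bodyDigest"))
    expected = hmac.new(key, f"{sender}|{method}|{digest}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token.get("sig", "")):
        return False, "token signature invalid"
    if digest != _body_digest(root):
        return False, "body modified after the gateway signed it"
    return True, f"{sender} authenticated via {method}"
```

The agent accepts the message only if the gateway token is present, its signature verifies under the shared key, and the body digest still matches.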

One of the ironies of Web Services security is that while everyone is agreed that firewalls are deficient for XML traffic, a similar perimeter firewall model is often presented as the solution. But is the problem with firewalls due to deficiencies in their application awareness, or is it an architectural problem? A firewall certainly is the solution sometimes, which is why we built VordelSecure. But in other cases, securing Web Services also requires endpoint security - which is why we also built endpoint security agents. With Cisco, I think we are in good company on this one.



© Copyright 2004 Mark O'Neill.

