A couple of weeks ago in New York there was a Jericho Forum meeting. I had other obligations, or else I would have been there in person. I think that Jericho is interesting, and from a Risk Management standpoint, not at all something to casually dismiss. But the forum meeting is the reason for all the recent press and discussion.
Jericho, for those unfamiliar with the Biblical story of old, was a city that had some very high walls - said to be impenetrable. The Israelites were told by God to march ’round the walls, blow their trumpets, and he would then knock down the walls and they could take the city. The 80’s group Style Council had a song that referenced the whole thing (the link is a YouTube video - and yeah, I had a haircut like that circa 1984-5).
Jericho for us is a clever reference to the usefulness of our firewalls. The forum is made up of people with real “post-perimeter” problems - what do you do when you have 60,000 1099’s and business partners with some level of privilege to your network?
JERICHO ILLUSTRATED
At first (back when I had to learn these newfangled “firewall” products) our model (sorry) looked like this:

Back then, a 256k partial-T was a big connection ($3,000 per month or so). Firewalls were built to help us prevent (block traffic), detect (log analysis), and respond (more log analysis, and blocking). Maybe we had a big HP-UX or Unixware server using Morning Star PPP for dial-up, but our faith in PAP and CHAP meant that few people spent another $50,000 to drop a TIS Gauntlet around remote connectivity.
Then our model evolved to this with the advent of new perimeter devices:

We could work from home! Remote users could get to networked resources! This was awesome!
Our perimeter evolved to include VPN and maybe even IDS way back when. Our connection speeds grew exponentially, and while firewalls still performed prevent, detect, and respond functions, our ability to really capably do those functions at the perimeter deteriorated.
These days, our model is a little different:

Our model has expanded to include things that have likely always been there (1099’s, for example, or bad guys in the perimeter) and some that are new trends (targeted malware, tainted business partner connections). The idea that traffic coming through the perimeter should be given any significant level of “trust” is outdated. The perimeter’s ability to prevent, detect, and respond is limited to preventing the most basic of attacks, detecting usefully only when we have significant resources to throw at the detection function, and responding (which, in the day and age of firewalls that need load balancers, is not an enviable task at all).
JERICHO IN EQUATION
In FAIR terms, we have problems (high vulnerability) when our threat can apply more force to our controls than we can withstand (TCap > CS). Note that the capability of our threats to overcome our controls evolves over time. Think of DES circa 1987 vs. 1997 vs. 2007.
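To put numbers on that inequality, here is an added sketch (not part of the original post, and not an official FAIR tool) that estimates vulnerability as the probability that a sampled TCap exceeds a sampled CS. The three years echo the DES dates above; every estimate is constructed for illustration, and the triangular distributions on a 0-100 scale are a simplifying assumption.

```python
import random

def vulnerability(tcap, cs, trials=20000, seed=1):
    """Monte Carlo estimate of P(TCap > CS).

    tcap and cs are (low, most_likely, high) estimates on a 0-100 scale.
    Triangular sampling is an assumption made for this example.
    """
    rng = random.Random(seed)  # fixed seed so the run is repeatable
    hits = 0
    for _ in range(trials):
        t = rng.triangular(tcap[0], tcap[2], tcap[1])  # (low, high, mode)
        c = rng.triangular(cs[0], cs[2], cs[1])
        if t > c:
            hits += 1
    return hits / trials

# Constructed estimates: the control never changes, the threat does.
CONTROL_STRENGTH = (60, 70, 80)
THREAT_CAPABILITY = {
    1987: (5, 20, 50),     # best attacker still below the weakest CS draw
    1997: (30, 55, 85),    # ranges now overlap
    2007: (60, 85, 100),   # typical attacker exceeds typical CS
}

def vulnerability_over_time():
    """Vulnerability per year for a fixed control and a drifting threat."""
    return {
        year: vulnerability(tcap, CONTROL_STRENGTH)
        for year, tcap in sorted(THREAT_CAPABILITY.items())
    }

if __name__ == "__main__":
    for year, vuln in vulnerability_over_time().items():
        print(f"{year}: P(TCap > CS) = {vuln:.2f}")
```

The control's strength is identical in all three rows; only the threat estimate moves, and vulnerability moves with it.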
MAKES SENSE SO FAR, SO WHAT ARE THESE JERICHO PEOPLE SAYING?
Well, they’re not (all) saying that we should all sell our firewalls and network IDS systems on eBay. The Jericho Forum members I’ve had the privilege to speak with haven’t said “leave the network wide open and protect the end points, applications, data and users”.
What Jericho is saying is that the usefulness of perimeter controls doesn’t seem to be getting any better and that, in fact, those controls don’t help them solve the problems they face in having hundreds or thousands of business partners and tens of thousands of non-W2 users with some level of trust in the network itself. The perimeter, for them, has become not only what lies on the ethX side of our last sequential DMZ asset; it is every “perimeter” on every smartphone, laptop, remote desktop, business partner asset, contractor asset, and even public email terminal that sends packets your way.
SO WHAT IS JERICHO?
Well, you could call it a framework. You could call it a “95 theses” from large enterprises nailed to the websites of their vendors. Just don’t call it “flat earth” thinking or dismiss it casually. Don’t think they don’t see value in defense in depth. Just understand that different people have different needs (another YouTube video). Jericho members aren’t, for the most part, SMB companies.
September 19, 2007, 11:11am