Network Security Focus-IDS

RE: How to choose an IDS/FW MSS provider

Subject: RE: How to choose an IDS/FW MSS provider
Date: Mon, 14 Mar 2005 21:05:19 -0800

Richard Bejtlich wrote:

I understand that market pressures and misguided research
organizations are forcing access control and audit functions to
converge.  This is a shame.  I wrote an article called "Considering
Convergence?" that recommends keeping access control and audit
separate. [0]

and

Ross Anderson's exceptional book 'Security Engineering' recommends
avoiding "convergence" when he talks about bookkeeping and fraud:

"With functional separation of duties, two or more different staff
members act on a transaction at different points in its path.  The
classic example is corporate purchasing.  A manager makes a purchase
decision and tells the purchasing department; a clerk there writes a
purchase order; the store clerk records the arrival of goods; an
invoice arrives at accounts; the accounts clerk correlates it with the
purchase order and the store receipt, and cuts a check; the accounts
manager signs the check."

It seems to me the separation of duties argument more strongly supports
having multiple layers from different vendors than it does having access
control and audit functions separate.  Customers increasingly want to do
access control at L5-L7 (traditionally IDS territory), which is inherently
more vulnerability prone than only doing access control at L2-L4
(traditional switch ACL and firewall territory).  Customers want to do this
because L2-L4 access control may be too crude (I want my employees' outbound
access to the web, but I don't want them surfing porn, or I want customers
coming to my web site, but not running attacks against it).  So vendors rush
to support what customers want.  Once one is doing all that parsing and
checking in the application layers one might as well incorporate the L5-L7
audit logging (it's not that much more work in the product).

Having two layers from the same vendor with the same codebase, one layer
doing the access control and one the audit would add very little security.
Having two layers from different vendors, both doing access control and
audit, adds significant security (and significant management overhead).
I've seen very security conscious organizations that can afford it doing the
latter (two different firewalls in series at the perimeter, or internal NIPS
for segmentation, with different vendor HIPS as well for backup at least on
key assets).

Stuart.


Stuart Staniford, Principal Scientist
Nevis Networks
stuart@nevisnetworks.com
408-327-4652



