8 April 2005

Use hard scopes as natural cover

Let's pull a few unrelated concepts together...

What is possible is often delineated by hard natural scopes, and overcoming these is generally seen as the objective of progress. For example, it's pointless for me to apply for a job in Norway as I can't physically attend the workplace, but if the nature of my work can be transmitted as data, then that obstacle goes away, thanks to the Internet's role as a ubiquitous data conduit.

The Internet's been likened to the Wild West, in that without any overriding curbs on software behavior, objectives are pursued to the point of open warfare. So you're obliged to view the Internet as a virtual battlefield, as if all the bad neighborhoods in the world could suddenly wormhole their way right up to your front door.

Now when you plan your defences, you tend to take natural hard scopes for granted. If your house backs directly onto a mountain cliff, you don't fret about attacks through the mountain. If the PCs on your LAN are cabled together, you don't fret about other entities being on that LAN unless they get in from the Internet.

On the other hand, if you suddenly take those natural scopes away, you may find your traditional defenses have huge blind spots.

Thirty years ago, we would think purely in terms of physical safety. Today we think in terms of Internet threats as well. The two seem quite different; physical threats are localized, whereas Internet threats are anonymous and pose little physical risk.

We know Internet financial crimes such as identity theft are on the increase, and it's also been noted that criminals formally convicted of physical economic crimes such as muggings, car thefts, housebreaking etc. are switching to Internet crime via off-the-peg tools.

We also know that wireless networking needs a lot of attention to secure. Presenters assert this is indeed possible, if you have a few boxes to act as certificate and RADIUS servers, and you disable a bunch of things that are on by default, such as easy-to-exploit WEP.

I see a huge amount of consumer WiFi kit flying across dispatch counters; it seems like many folks automatically go WiFi at the same time as they go broadband. I have to wonder how many of these first-time home networks will have the faintest whiff of WiFi security in place.

Laptops are easily stolen, and new ones support WiFi out of the box. It's easy to cruise around looking for signal and hook in as part of the LAN, thus bypassing any Internet-facing defences, and combine the anonymity of the Internet with boy-next-door physical access. That's a scary combination, and not only for economically-motivated crime.

In physical battlegrounds, combatants haven't relied purely on personal body armour for a few centuries now. Kevlar notwithstanding, modern combatants make maximal use of natural cover, simply because it works better.

Computer game players know this too. Space Invaders players generally don't shoot away all the buildings to get a clearer shot at the bad guys; they preserve these as cover and hide behind them. Players may use cheats to be able to walk through walls in Doom, but they sure don't use cheats to let the bad guys shoot through walls at them.

So perhaps we shouldn't be so quick to dissolve natural hard scopes that physically air-gap LANs from the outside world. We can never clean the Internet of malware - it is the mother of all infected networks - so all we can do is harden the edge against it. Hence the classic defensive strategy: put a NAT router and/or firewall between the Internet and our LAN. After all, the inside of the LAN is implicitly hard-scoped by where the cables go - as long as you don't go wireless.
