Friday, May 22, 2009

NAC and DLP - let's break them and put them together again

[NAC and DLP can be so effective together, they just need to be trimmed down]

So, Art Coviello's company (RSA) arranges the biggest and certainly the most important Information Security conference. And so he gets to give the keynote. But, to his credit, he is either brilliant or has brilliant people around him, because his keynote is always interesting, groundbreaking even. I believe that RSA certainly has the best vision in terms of Security.

But enough of that... let's get back to the topic of this blog. (Btw, if anyone from RSA is reading this - contact me for my details to send whatever SWAG you have to give me for the above... cash is best ;)...)

Coviello's main points (in my opinion) are that Security tools are point solutions and don't play nicely together. This needs to change and they need to be more open. Following that, they can then start to specialize.

I guess this is sort of what Check Point were trying to achieve with OPSEC. You have "smart machines" that understand policy.

Think - firewall policy server, antivirus server, IPS. Traffic is sent to these machines and they work out what needs to happen to the traffic - allow, block, log, etc. This is communicated to a dumb device like a firewall node, which just follows orders.

Coviello names the functions as follows:

  • PolicyManagement
  • PolicyDecision points
  • PolicyEnforcement
  • PolicyAudit

So, suppose I am reading a file on how my company makes its secret widgets. I download the file from the server and the following information is available to the different systems around me:

  • My username
  • The time
  • My location by network
  • My location by GPS (not usually, but why not?)
  • My PC's latest patches and antivirus level (from NAC)
  • My PC's installed software
  • My PC's hardware (including USB devices)
  • Any IPS triggers

This information sits in many separate databases that don't really interact, but imagine if they did.

It would allow the system to make an allow/block decision based on any one of the above conditions, or on all of them together. So, if I try to access a file from my desk but it is 1AM, then maybe I am denied the file. If my antivirus is out of date then tough, no files are available.

Every piece of network equipment (including workstations and servers) can be a PolicyEnforcement machine, which means that if I try to access a file that I'm not supposed to, then the server will block the connection, the switch will block it too, and my laptop will block it too. This may be over-protection, but it may not be.

So, you may have a DLP server and a NAC server and a centrally controlled personal firewall policy, but really the enforcement for all of these is "Allow" or "Block", and network switches can do that already. So, all your systems need to talk, and only when they all agree on "Allow" does the traffic flow.
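To make the "all must agree" idea concrete, here is a small added example (my own illustration, not code from RSA, Check Point or any NAC/DLP product) in which the time, NAC, DLP and IPS inputs listed above each act as a PolicyDecision point, and a single PolicyManagement function combines them into the one-word verdict that any PolicyEnforcement node can apply, keeping the reasons for PolicyAudit. All field names, thresholds and sample requests are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed request context: the attributes the post lists as available when a user pulls a file.
@dataclass
class AccessContext:
    username: str
    time: datetime
    network_location: str          # e.g. "corp-lan", "vpn", "guest-wifi"
    av_signature_age: timedelta    # from NAC
    missing_critical_patches: int  # from NAC
    ips_triggers: int              # recent IPS alerts for this host
    file_classification: str       # from DLP: "public", "internal", "secret"

# Each PolicyDecision point returns (verdict, reason); thresholds are illustrative.
def time_of_day_pdp(ctx):
    if ctx.file_classification == "secret" and not 7 <= ctx.time.hour < 20:
        return "block", f"secret file requested at {ctx.time:%H:%M}"
    return "allow", "within business hours or non-secret file"
def nac_pdp(ctx):
    if ctx.av_signature_age > timedelta(days=3):
        return "block", "antivirus signatures older than 3 days"
    if ctx.missing_critical_patches:
        return "block", f"{ctx.missing_critical_patches} critical patch(es) missing"
    return "allow", "endpoint posture ok"
def dlp_pdp(ctx):
    if ctx.file_classification == "secret" and ctx.network_location != "corp-lan":
        return "block", f"secret file requested from {ctx.network_location}"
    return "allow", "location acceptable for this classification"
def ips_pdp(ctx):
    if ctx.ips_triggers:
        return "block", f"{ctx.ips_triggers} IPS trigger(s) on this host"
    return "allow", "no IPS triggers"

PDPS = [time_of_day_pdp, nac_pdp, dlp_pdp, ips_pdp]

def decide(ctx, pdps=PDPS):
    """PolicyManagement: traffic flows only when every decision point says allow.
    Returns (verdict, audit): the verdict is all an enforcement node needs, the audit keeps the why."""
    audit = [(pdp.__name__, *pdp(ctx)) for pdp in pdps]
    verdict = "allow" if all(v == "allow" for _, v, _ in audit) else "block"
    return verdict, audit

# Constructed samples: a daytime request from the LAN, and the post's 1AM case with stale antivirus.
DAYTIME = AccessContext("alice", datetime(2009, 5, 22, 10, 0), "corp-lan",
                        timedelta(days=1), 0, 0, "secret")
ONE_AM = AccessContext("alice", datetime(2009, 5, 22, 1, 0), "corp-lan",
                       timedelta(days=5), 0, 0, "secret")
```

Calling `decide(ONE_AM)` returns "block" with both the time-of-day and NAC points named in the audit trail, while `decide(DAYTIME)` returns "allow" because every point agrees.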

Exciting times ahead.