The Slumlord Approach to Network Security


The "Section 8 Bible", a must-read book for aspiring landlords, introduces a simple rule for dealing with broken equipment in an apartment: if the law does not require it, remove it. Don't fix it. For example, interior doors are not necessarily required and can be removed. Network security professionals frequently follow similar guidance: if there is no business requirement, disable it. The rule assumes that minimizing features minimizes exposure. The fewer lines of code we run, the less likely we are to be vulnerable to a bug.

How valid is slumlord network security? Can it really protect a network? Does it do more harm than good?

There are a number of voices that speak up against this approach:

"Restrictive network policies hinder creativity": How do you learn about and experiment with new technologies if they are blocked on your network? These are technologies you are not using right now and don't have an immediate business use for, but they may become important later. Social networks are a great example and a frequent flash point: should you have access to social networking sites from a company network? Many businesses have already made this decision and block them. But once you are blocked from using social networks, you may never realize that there are great new ways to promote your business. You will never realize that customers complain about you on Twitter, or that someone is spoofing your products on Facebook. You could limit access to a marketing group, but they may not have the same insight and ability to help as other parts of the company.

"Removing features hurts security": I am not talking about obvious issues (like removing firewalls). Operating systems and their security features are tested in standard configurations. For example, to follow up on my last article, Microsoft no longer tests Windows patches without IPv6 enabled. Disabling IPv6 will bring your system into an untested state, and patches or security-related features might not work as expected.

"People will do it anyway, so you better support it": The best current example of this dilemma is probably "Bring Your Own Device (BYOD)". Many companies struggle to establish a policy defining what workers can do with computing devices they own and bring into the corporate network. Should they be supported? Or should there be a policy not allowing the use of personal devices? If you are creating such a policy, then you had better be ready to back it up and enforce it. It may be more secure to set up a dedicated network for these devices that is controlled and managed, rather than having employees work around the restrictions. In addition, you may need to consider providing secure access to internal resources from these devices without leaking confidential information.

"Restrictive policies will make it harder to hire": You may not necessarily agree that someone should be allowed to use Facebook and tweet while at work. But to come back to slumlords and apartments: by running a restrictive network, you are limiting your pool of applicants just as a landlord does with the appearance of the apartment. Creative and enthusiastic applicants may not feel drawn to a company that restricts and watches their every move. Time to "goof off" doesn't have to be time wasted; it can be time used to recharge, to experiment and to have fun at work. This is probably even more important for retaining workers than for hiring new ones.

So what should you do? Simple: follow the business need. That premise still stands, but it has to be interpreted correctly, and not too tightly. Not all of our decisions are 100% rational, and you need to account for that. However, if you do implement a restriction, make sure it makes sense, is well explained to the people affected by it, and is supported not just by policy but also by technical means to monitor violations. It can make sense to be a network security slumlord. If you run a call center, and all people use your computers for is one specific task, then it may very well make sense to disable everything else. If you are managing national secrets or other high-value assets, security can be more important than ease of access, and the people handling the data and the systems may be more willing to buy in to the restrictions if they understand the threat the information is exposed to.

A good balance will lead to the most important security feature you can have: buy-in to your security policy. Once you stop being the bad guy preventing people from getting work done (or having some fun), your job of educating and fostering awareness will be so much easier.

_____

Dr. Ullrich will teach his intrusion detection and IPv6 classes at SANS Network Security in Las Vegas from Sept. 16th-24th. For details, see https://www.sans.org/network-security-2012/