<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: Are Borderless Networks Possible?</title>
	<atom:link href="http://praetorianprefect.com/archives/2009/10/borderless-networks-yeah-but-wheres-my-border/feed/" rel="self" type="application/rss+xml" />
	<link>http://praetorianprefect.com/archives/2009/10/borderless-networks-yeah-but-wheres-my-border/</link>
	<description>Information security, a little slower...a little deeper</description>
	<lastBuildDate>Thu, 29 Jul 2010 21:18:11 -0400</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
		<item>
		<title>By: jack chen</title>
		<link>http://praetorianprefect.com/archives/2009/10/borderless-networks-yeah-but-wheres-my-border/comment-page-1/#comment-2114</link>
		<dc:creator>jack chen</dc:creator>
		<pubDate>Mon, 09 Nov 2009 05:28:41 +0000</pubDate>
		<guid isPermaLink="false">http://praetorianprefect.com/?p=980#comment-2114</guid>
		<description>&lt;p&gt;To my understanding, PKI, which is an abbreviation of Public key cryptography, contains a group of policies and technologies to support message encryption and digital signatures; just like other encryption algorithms (like ESP and ISAKMP, which we have used for Windows IPSEC), it is designed to allow two parties to communicate securely without interception and eavesdropping by an intruder.
You might ask what practices are used by PKI to secure communications. I would say they are public key cryptography, certificates (certificate authority) and digital signatures.
• What is public key cryptography?
It is used for enabling data encryption.
It is an encryption algorithm that uses a public key to encrypt data, and a private key to decrypt it. However, data encrypted with a specific public key can only be decrypted by the private key which is the other part of the same key pair.
For example, John wants to access his banking account via the web securely and confidentially. In order to do this, he logs on to his online banking account via HTTPS:&#92;&#92;www.wamu.com; then his IE browser encrypts his logon session (including his ID and password) by using the public key (a digital certificate assigned to his online bank) and sends it to his online bank&#039;s web server; this logon session is then decrypted by the online bank with the private key (the other part of the key pair) to validate and authenticate his identity and status. If successful, he is then able to access his online banking account and make transactions securely.
Note: You can always open the security report (the lock icon at the very top or bottom of the IE browser) to view the digital certificate assigned to your bank or your company (for OWA).
• What is a certificate?
It is used for authentication.
It is an electronic file containing a public key and specific identifying information about the user, issued by a Certification Authority (CA) to confirm the identity of the possessor (i.e. bank, company).
A Certification Authority (CA) is a main component of a PKI. It is a trusted third party (like VeriSign, Thawte, GoDaddy, ...) responsible for issuing digital certificates and CRLs (revoked certificates which are no longer valid).
• What is a digital signature?
It is used to establish data integrity.
It is an electronic identifier similar to a traditional paper signature. It is unique and provable, and can only be initiated by the signer. It can be used with either encrypted or unencrypted messages, to ensure the document is not altered during transmission.
For example, John and Mary want to communicate securely via the network, so they decide to use PKI to ensure their secrecy and privacy. John and Mary both have their own digital certificate (either bought from VeriSign, or issued by the corporation&#039;s internal Microsoft Certificate Authority); each of these digital certificates contains a copy of the public key, the expiration date and the CA’s digital signature. John and Mary also receive the private key related to their own public key.
An application (i.e. Acrobat, from Edit – Preference – Security – Digital Signature) on John&#039;s workstation creates a digital signature and encrypts his message. The application uses John&#039;s private key to create his digital signature, and specifically uses Mary&#039;s public key to encrypt the message. When Mary receives this digitally signed, encrypted message, her application then uses her private key (the other part of her key pair) to decrypt the message and allow Mary to read it. Since Mary is the only person who owns her private key, only she can decrypt a message which is encrypted with her public key, so the privacy of the document is confirmed. The application then uses John&#039;s public key to authenticate his digital signature, therefore proving that the message was sent by John and never changed during transmission over the network.&lt;/p&gt;

&lt;p&gt;Overall, the Internet is well on its way to becoming the major platform for worldwide business and communications. No matter who you are and what you do, we all demand methods which will not only assure the integrity of the information transmitted over the network (Internet and intranet), but also provide privacy and confidentiality for transactions exchanged over the network.
The viable practice is to use a Public Key Infrastructure. With the use of public key cryptography, digital certificates and digital signatures, a PKI can provide the guarantees we need before we can confidently communicate sensitive data over the Internet and intranet.&lt;/p&gt;
</description>
		<content:encoded><![CDATA[<p>To my understanding, PKI, which is an abbreviation of Public key cryptography, contains a group of policies and technologies to support message encryption and digital signatures; just like other encryption algorithms (like ESP and ISAKMP, which we have used for Windows IPSEC), it is designed to allow two parties to communicate securely without interception and eavesdropping by an intruder.
You might ask what practices are used by PKI to secure communications. I would say they are public key cryptography, certificates (certificate authority) and digital signatures.
• What is public key cryptography?
It is used for enabling data encryption.
It is an encryption algorithm that uses a public key to encrypt data, and a private key to decrypt it. However, data encrypted with a specific public key can only be decrypted by the private key which is the other part of the same key pair.
For example, John wants to access his banking account via the web securely and confidentially. In order to do this, he logs on to his online banking account via HTTPS:&#92;&#92;www.wamu.com; then his IE browser encrypts his logon session (including his ID and password) by using the public key (a digital certificate assigned to his online bank) and sends it to his online bank&#8217;s web server; this logon session is then decrypted by the online bank with the private key (the other part of the key pair) to validate and authenticate his identity and status. If successful, he is then able to access his online banking account and make transactions securely.
Note: You can always open the security report (the lock icon at the very top or bottom of the IE browser) to view the digital certificate assigned to your bank or your company (for OWA).
• What is a certificate?
It is used for authentication.
It is an electronic file containing a public key and specific identifying information about the user, issued by a Certification Authority (CA) to confirm the identity of the possessor (i.e. bank, company).
A Certification Authority (CA) is a main component of a PKI. It is a trusted third party (like VeriSign, Thawte, GoDaddy, ...) responsible for issuing digital certificates and CRLs (revoked certificates which are no longer valid).
• What is a digital signature?
It is used to establish data integrity.
It is an electronic identifier similar to a traditional paper signature. It is unique and provable, and can only be initiated by the signer. It can be used with either encrypted or unencrypted messages, to ensure the document is not altered during transmission.
For example, John and Mary want to communicate securely via the network, so they decide to use PKI to ensure their secrecy and privacy. John and Mary both have their own digital certificate (either bought from VeriSign, or issued by the corporation&#8217;s internal Microsoft Certificate Authority); each of these digital certificates contains a copy of the public key, the expiration date and the CA’s digital signature. John and Mary also receive the private key related to their own public key.
An application (i.e. Acrobat, from Edit – Preference &#8211; Security – Digital Signature) on John&#8217;s workstation creates a digital signature and encrypts his message. The application uses John&#8217;s private key to create his digital signature, and specifically uses Mary&#8217;s public key to encrypt the message. When Mary receives this digitally signed, encrypted message, her application then uses her private key (the other part of her key pair) to decrypt the message and allow Mary to read it. Since Mary is the only person who owns her private key, only she can decrypt a message which is encrypted with her public key, so the privacy of the document is confirmed. The application then uses John&#8217;s public key to authenticate his digital signature, therefore proving that the message was sent by John and never changed during transmission over the network.</p>

<p>Overall, the Internet is well on its way to becoming the major platform for worldwide business and communications. No matter who you are and what you do, we all demand methods which will not only assure the integrity of the information transmitted over the network (Internet and intranet), but also provide privacy and confidentiality for transactions exchanged over the network.
The viable practice is to use a Public Key Infrastructure. With the use of public key cryptography, digital certificates and digital signatures, a PKI can provide the guarantees we need before we can confidently communicate sensitive data over the Internet and intranet.</p>]]></content:encoded>
	</item>
	<item>
		<title>By: Wim Remes</title>
		<link>http://praetorianprefect.com/archives/2009/10/borderless-networks-yeah-but-wheres-my-border/comment-page-1/#comment-1717</link>
		<dc:creator>Wim Remes</dc:creator>
		<pubDate>Thu, 29 Oct 2009 18:08:34 +0000</pubDate>
		<guid isPermaLink="false">http://praetorianprefect.com/?p=980#comment-1717</guid>
		<description>&lt;p&gt;Sadly enough, you are spot on.  Another problem is the fact that not a lot of companies are ready to adopt granular, context-aware access control because of messed up directories mutilated by the butchers that touted Role Based Access Control as the next best thing but rarely went any further than creating a gazillion groups to fit in all the roles the business never knew it had.&lt;/p&gt;
</description>
		<content:encoded><![CDATA[<p>Sadly enough, you are spot on.  Another problem is the fact that not a lot of companies are ready to adopt granular, context-aware access control because of messed up directories mutilated by the butchers that touted Role Based Access Control as the next best thing but rarely went any further than creating a gazillion groups to fit in all the roles the business never knew it had.</p>]]></content:encoded>
	</item>
	<item>
		<title>By: JD McCloud</title>
		<link>http://praetorianprefect.com/archives/2009/10/borderless-networks-yeah-but-wheres-my-border/comment-page-1/#comment-1713</link>
		<dc:creator>JD McCloud</dc:creator>
		<pubDate>Thu, 29 Oct 2009 16:43:32 +0000</pubDate>
		<guid isPermaLink="false">http://praetorianprefect.com/?p=980#comment-1713</guid>
		<description>&lt;p&gt;@Wim Remes with &lt;a href=&quot;http://en.wikipedia.org/wiki/Security_Assertion_Markup_Language&quot; rel=&quot;nofollow&quot;&gt;SAML&lt;/a&gt; and &lt;a href=&quot;http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml&quot; rel=&quot;nofollow&quot;&gt;XACML&lt;/a&gt; you make a very good point that the border of networks &lt;strong&gt;could&lt;/strong&gt; change, but call me pessimistic, as I have little hope for broad integration across vendors for a long time to come.&lt;/p&gt;
</description>
		<content:encoded><![CDATA[<p>@Wim Remes with <a href="http://en.wikipedia.org/wiki/Security_Assertion_Markup_Language" rel="nofollow">SAML</a> and <a href="http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml" rel="nofollow">XACML</a> you make a very good point that the border of networks <strong>could</strong> change, but call me pessimistic, as I have little hope for broad integration across vendors for a long time to come.</p>]]></content:encoded>
	</item>
	<item>
		<title>By: Wim Remes</title>
		<link>http://praetorianprefect.com/archives/2009/10/borderless-networks-yeah-but-wheres-my-border/comment-page-1/#comment-1685</link>
		<dc:creator>Wim Remes</dc:creator>
		<pubDate>Wed, 28 Oct 2009 23:18:22 +0000</pubDate>
		<guid isPermaLink="false">http://praetorianprefect.com/?p=980#comment-1685</guid>
		<description>&lt;p&gt;Just dropping by.  Looking at the technologies we have in place right now, the concept of a borderless network looks daunting to say the least. However, there has been a leap forward in the realm of authentication and authorization that can leverage the concept.  With open standards like SAML (v2) and XACML (v3), you can centralize your &#039;policy information points&#039; and &#039;policy decision points&#039;, which will actually simplify the management of access policies across the borderless network. The fact that every single device and application can (and will) have a policy enforcement point might actually initiate the demise of the border.&lt;/p&gt;

&lt;p&gt;It needs to be said that the current situation rarely allows for a swift adoption, but the groundwork is there.&lt;/p&gt;
</description>
		<content:encoded><![CDATA[<p>Just dropping by.  Looking at the technologies we have in place right now, the concept of a borderless network looks daunting to say the least. However, there has been a leap forward in the realm of authentication and authorization that can leverage the concept.  With open standards like SAML (v2) and XACML (v3), you can centralize your &#8216;policy information points&#8217; and &#8216;policy decision points&#8217;, which will actually simplify the management of access policies across the borderless network. The fact that every single device and application can (and will) have a policy enforcement point might actually initiate the demise of the border.</p>

<p>It needs to be said that the current situation rarely allows for a swift adoption, but the groundwork is there.</p>]]></content:encoded>
	</item>
	<item>
		<title>By: Prefect</title>
		<link>http://praetorianprefect.com/archives/2009/10/borderless-networks-yeah-but-wheres-my-border/comment-page-1/#comment-1684</link>
		<dc:creator>Prefect</dc:creator>
		<pubDate>Wed, 28 Oct 2009 22:54:51 +0000</pubDate>
		<guid isPermaLink="false">http://praetorianprefect.com/?p=980#comment-1684</guid>
		<description>&lt;p&gt;Major Hammer: The rules themselves might not theoretically increase (the enterprise potentially maintains the same configuration in all border equipment), but in practice they do as you attempt to manage equipment on a locational and functional level. If each device becomes a device to be managed at a policy level, then remote access can&#039;t simply pass through the egress points and be acted upon by overall rules; specific policies must be put in place to handle access to, say, an internal CRM application.&lt;/p&gt;

&lt;p&gt;Or more simply, the more egress points that are out there, the more gateway handling (usually equipment) of traffic (e-mail gateway, IM gateway, firewall, IDS, web filter) enterprises need.&lt;/p&gt;

&lt;p&gt;It&#039;s one of the key reasons DHS is now limiting their egress points, as commented on in the DHS Answers our Question post.&lt;/p&gt;

&lt;p&gt;How does the mobile phone example manifest itself here? Is it replicated on the device level with technologies like NAC?&lt;/p&gt;

&lt;p&gt;In general, there is a universal falsehood being purveyed, that network borders have degraded beyond usefulness. The increased complexity of an enterprise with mobile access, traveling workers, and more connected devices than ever before has made constructing and maintaining these network perimeters more complex. But that complexity is not the same as degrading.&lt;/p&gt;

&lt;p&gt;Suffice it to say some of the marketing efforts in play right now, and not picking on Cisco in particular (we are avid readers of Mr. Hoff&#039;s blog), are pushing us from our comfort zones, but not in a feel-good, positive way. The presentation received is heavy on grand philosophical vision, the responses heavy with branding those with questions as luddites, and overall light on detail of the &quot;practical how-to&quot; for the average enterprise.&lt;/p&gt;

&lt;p&gt;So here&#039;s what we want to learn, put at a high level, but what we want are the details: how will the security capabilities we have today extend to this new borderless model?&lt;/p&gt;

&lt;p&gt;By way of full disclosure, Mike Hammer is Mike Hammer of the Cisco office in Washington D.C.&lt;/p&gt;
</description>
		<content:encoded><![CDATA[<p>Major Hammer: The rules themselves might not theoretically increase (the enterprise potentially maintains the same configuration in all border equipment), but in practice they do as you attempt to manage equipment on a locational and functional level. If each device becomes a device to be managed at a policy level, then remote access can&#8217;t simply pass through the egress points and be acted upon by overall rules; specific policies must be put in place to handle access to, say, an internal CRM application.</p>

<p>Or more simply, the more egress points that are out there, the more gateway handling (usually equipment) of traffic (e-mail gateway, IM gateway, firewall, IDS, web filter) enterprises need.</p>

<p>It&#8217;s one of the key reasons DHS is now limiting their egress points, as commented on in the DHS Answers our Question post.</p>

<p>How does the mobile phone example manifest itself here? Is it replicated on the device level with technologies like NAC?</p>

<p>In general, there is a universal falsehood being purveyed, that network borders have degraded beyond usefulness. The increased complexity of an enterprise with mobile access, traveling workers, and more connected devices than ever before has made constructing and maintaining these network perimeters more complex. But that complexity is not the same as degrading.</p>

<p>Suffice it to say some of the marketing efforts in play right now, and not picking on Cisco in particular (we are avid readers of Mr. Hoff&#8217;s blog), are pushing us from our comfort zones, but not in a feel-good, positive way. The presentation received is heavy on grand philosophical vision, the responses heavy with branding those with questions as luddites, and overall light on detail of the &#8220;practical how-to&#8221; for the average enterprise.</p>

<p>So here&#8217;s what we want to learn, put at a high level, but what we want are the details: how will the security capabilities we have today extend to this new borderless model?</p>

<p>By way of full disclosure, Mike Hammer is Mike Hammer of the Cisco office in Washington D.C.</p>]]></content:encoded>
	</item>
	<item>
		<title>By: Mike Hammer</title>
		<link>http://praetorianprefect.com/archives/2009/10/borderless-networks-yeah-but-wheres-my-border/comment-page-1/#comment-1663</link>
		<dc:creator>Mike Hammer</dc:creator>
		<pubDate>Wed, 28 Oct 2009 14:06:16 +0000</pubDate>
		<guid isPermaLink="false">http://praetorianprefect.com/?p=980#comment-1663</guid>
		<description>&lt;p&gt;JD, I am perplexed by your notion that the number of policy rules increases if distributed versus centralized.  Your assertion that you can somehow scale by constraining the policy enforcement points to a single device on the edge of the network needs better support rather than being taken for granted.  And by way of analogy, it was the cellular networks that first introduced encryption and policy enforcement rules during connection setup, before wired phones.  That is not such a strange concept for those that have worked with mobile networks for many years.  Hopefully, this experience has pushed you from your comfort zone to learn more.&lt;/p&gt;
</description>
		<content:encoded><![CDATA[<p>JD, I am perplexed by your notion that the number of policy rules increases if distributed versus centralized.  Your assertion that you can somehow scale by constraining the policy enforcement points to a single device on the edge of the network needs better support rather than being taken for granted.  And by way of analogy, it was the cellular networks that first introduced encryption and policy enforcement rules during connection setup, before wired phones.  That is not such a strange concept for those that have worked with mobile networks for many years.  Hopefully, this experience has pushed you from your comfort zone to learn more.</p>]]></content:encoded>
	</item>
	<item>
		<title>By: Sam Moore</title>
		<link>http://praetorianprefect.com/archives/2009/10/borderless-networks-yeah-but-wheres-my-border/comment-page-1/#comment-1497</link>
		<dc:creator>Sam Moore</dc:creator>
		<pubDate>Fri, 23 Oct 2009 19:56:37 +0000</pubDate>
		<guid isPermaLink="false">http://praetorianprefect.com/?p=980#comment-1497</guid>
		<description>&lt;p&gt;Oya, I don&#039;t think I agree with your statement that smaller companies need less security than larger companies.  I believe they need the same degree of security, one simply has to go about achieving it differently with small companies.&lt;/p&gt;
</description>
		<content:encoded><![CDATA[<p>Oya, I don&#8217;t think I agree with your statement that smaller companies need less security than larger companies.  I believe they need the same degree of security, one simply has to go about achieving it differently with small companies.</p>]]></content:encoded>
	</item>
	<item>
		<title>By: Prefect</title>
		<link>http://praetorianprefect.com/archives/2009/10/borderless-networks-yeah-but-wheres-my-border/comment-page-1/#comment-1488</link>
		<dc:creator>Prefect</dc:creator>
		<pubDate>Thu, 22 Oct 2009 20:38:13 +0000</pubDate>
		<guid isPermaLink="false">http://praetorianprefect.com/?p=980#comment-1488</guid>
		<description>&lt;p&gt;Thanks Sam, but I can&#039;t take credit, JD wrote this article.  Thanks - DK&lt;/p&gt;
</description>
		<content:encoded><![CDATA[<p>Thanks Sam, but I can&#8217;t take credit, JD wrote this article.  Thanks &#8211; DK</p>]]></content:encoded>
	</item>
	<item>
		<title>By: Oya Sanli</title>
		<link>http://praetorianprefect.com/archives/2009/10/borderless-networks-yeah-but-wheres-my-border/comment-page-1/#comment-1487</link>
		<dc:creator>Oya Sanli</dc:creator>
		<pubDate>Thu, 22 Oct 2009 18:08:06 +0000</pubDate>
		<guid isPermaLink="false">http://praetorianprefect.com/?p=980#comment-1487</guid>
		<description>&lt;p&gt;Thanks for this nice article. Almost a month ago I translated Jonathan Strickland&#039;s article about cloud computing into Turkish (http://communication.howstuffworks.com/cloud-computing1.htm). I agree with you that security is the biggest issue for borderless networks and cloud computing. However, considering the economic situation for small-size companies, it is a solution. Smaller companies need less security.&lt;/p&gt;

&lt;p&gt;Thanks again.
Oya Şanlı&lt;/p&gt;
</description>
		<content:encoded><![CDATA[<p>Thanks for this nice article. Almost a month ago I translated Jonathan Strickland&#8217;s article about cloud computing into Turkish (http://communication.howstuffworks.com/cloud-computing1.htm). I agree with you that security is the biggest issue for borderless networks and cloud computing. However, considering the economic situation for small-size companies, it is a solution. Smaller companies need less security.</p>

<p>Thanks again.
Oya Şanlı</p>]]></content:encoded>
	</item>
	<item>
		<title>By: Andrew S. Baker (ASB)</title>
		<link>http://praetorianprefect.com/archives/2009/10/borderless-networks-yeah-but-wheres-my-border/comment-page-1/#comment-1484</link>
		<dc:creator>Andrew S. Baker (ASB)</dc:creator>
		<pubDate>Thu, 22 Oct 2009 11:29:09 +0000</pubDate>
		<guid isPermaLink="false">http://praetorianprefect.com/?p=980#comment-1484</guid>
		<description>&lt;p&gt;JD, I agree that the concept has not been well vetted from a security standpoint.  A borderless network is very possible today.&lt;/p&gt;

&lt;p&gt;A borderless network which is adequately protected against threats is a different animal altogether.&lt;/p&gt;

&lt;p&gt;-ASB: http://xeesm.com/AndrewBaker
 Providing Competitive Advantage through Effective IT Leadership&lt;/p&gt;
</description>
		<content:encoded><![CDATA[<p>JD, I agree that the concept has not been well vetted from a security standpoint.  A borderless network is very possible today.</p>

<p>A borderless network which is adequately protected against threats is a different animal altogether.</p>

<p>-ASB: <a href="http://xeesm.com/AndrewBaker" rel="nofollow">http://xeesm.com/AndrewBaker</a>
 Providing Competitive Advantage through Effective IT Leadership</p>]]></content:encoded>
	</item>
	<item>
		<title>By: Sam Moore</title>
		<link>http://praetorianprefect.com/archives/2009/10/borderless-networks-yeah-but-wheres-my-border/comment-page-1/#comment-1480</link>
		<dc:creator>Sam Moore</dc:creator>
		<pubDate>Wed, 21 Oct 2009 23:44:42 +0000</pubDate>
		<guid isPermaLink="false">http://praetorianprefect.com/?p=980#comment-1480</guid>
		<description>&lt;p&gt;Daniel, I like your explanation of the cloud system broken down for us here.  I agree with your concern about security also.  It seems that every device will, under this scheme, have to perform its own authentication and authorization checks of every user on the network (or at least within the cloud) to determine what they are and are not allowed to view and have access to.  This seems much less efficient and much harder to accomplish adequately.  What happens when someone is lazy and doesn&#039;t spend the added time necessary for that kind of security?  Does the cloud default to closed or open?
-Sam&lt;/p&gt;
</description>
		<content:encoded><![CDATA[<p>Daniel, I like your explanation of the cloud system broken down for us here.  I agree with your concern about security also.  It seems that every device will, under this scheme, have to perform its own authentication and authorization checks of every user on the network (or at least within the cloud) to determine what they are and are not allowed to view and have access to.  This seems much less efficient and much harder to accomplish adequately.  What happens when someone is lazy and doesn&#8217;t spend the added time necessary for that kind of security?  Does the cloud default to closed or open?
-Sam</p>]]></content:encoded>
	</item>
</channel>
</rss>
