LAS VEGAS—Firewalls could become redundant at some point in the future, a researcher said at the Black Hat conference here Wednesday.
Paul Simmonds, global information security director at Imperial Chemical Industries plc and co-founder of the Jericho Forum, doesnt advocate dropping firewalls altogether. He argues that properly secured data wont need the firewall whether or not security is breached.
The Black Hat USA conference hosts more than 2,000 security professionals, all interested—professionally or otherwise—in information security. The difference between a “black hat” and a “white hat” is a fine one; a hacker may use a particular tool to gain access to data with malicious intent, while a security professional may use that tool or a similar one to evaluate a sites security in order to keep out hackers. The nuances and legal implications of crossing the line warranted its own discussion track.
The currency of information security is control of a particular machine and, by extension, access to its data. Simmonds argued that the current model of protecting data with a firewall was like surrounding money with an armored car: Once penetrated, the car is useless. Far more effective are hardened containers that, when improperly opened, drench the currency with red dye that cashiers are instructed to report.
The Jericho Forum, which was founded in January, boasts a large contingent of European members who are moving toward Jerichos goals in four stages: moving some corporate data outside the hardened perimeter; removing the hardened perimeter; existing without a hardened perimeter; and providing data-level authentication. Some companies have made the shift to the first and second phases, but true data-level security wont arrive until 2007 or 2008, he said.
“A hardened security strategy is totally unsustainable,” he said.
Touching base with contacts at Black Hat can be a bit unusual; for privacy reasons, several presenters used a nickname or assumed name. Other attendees declined to reveal the name of their employer, or their official position.
One security professional at a large financial firm said he doubted that a hardened firewall would go away soon. “Theyve been pushing for that for years, but its not going to happen,” he said. “Attacks are too distributed.”
Over lunch, however, another professional said his company has tried to minimize the depth to which a compromised machine could be used to attack other PCs on the network. Instead of an interconnected LAN, the company has experimented with running a sort of dedicated VPN—one to each PC—that isolates each PC from the others. “So far, its working out well,” he said.
Other Wednesday highlights included:
- A series of exploits that could be applied to the Microsoft Pocket PC operating system. By manipulating the operating codes of the ARM processor architecture used by most Windows-based PDAs, Seth Fogie, vice president of Airscanner Corp. in Dallas, found that he could install a keylogger and other applications on a Pocket PC. Fogie used a hex editor to change the Windows flag to a minimized state. The hack allowed remote viewing and even the concealment of other applications in the startup folder.
Fogie took the attack further to force the PDA into a hard reset mode under certain conditions, erasing all of the users data. By using the PDA as a bridge to a network, Fogie also showed how an attacker could use it as a virtually untraceable back door into a corporate network. The attack wouldnt trigger an anti-virus application, he said.
- Paul Wouters introduced the Wavelan Security, or WaveSec, protocol as a means of developing a secure open-source access point. The technology combines IP Security with either the X.509 standard or DNSSec/DHCP, doing the authentication in the IP layer. The researcher built a prototype based on a 300MHz Cyrix MediaGX processor, 64MB of RAM and a 20GB hard disk.
- “spoonm” and HD Moore introduced the “Metasploit,” which allows “point, click, root” access to a variety of platforms. The Metasploit Framework is designed as an open-source (GPL) research alternative to proprietary exploit solutions from Core Security Technology and others.
- Maximillian Dornseif and Thorsten Holz described “NoSEBrEaK,” a tool designed to sniff out and take control of honey pots, systems designed to lure attackers and study their methods.