Wednesday, October 3, 2007

Endpoint Security by Mark Kadrich Book Review


I think that Richard Bejtlich hit the nail on the head with his review. The book makes some sound points, like "we rely on the vendors to tell us what the solution should be instead of turning the formulation of a solution into a science" and "as devices connect to or leave the network, the perimeter changes, and so our security policy must adapt" but these aren't necessarily new ideas. The sound points are heavily diminished by the book's lack of focus. Its hard to say that he jumps around in a chapter because "the chapters" are laid out well and cover what they say they are going to cover but I kept reading waiting for him to get to the point of how to make my network and endpoints more secure. I got to the end of the book and I don't feel we ever got there.

The short answer is that he recommends using system hardening (baselining) and a NAC device to ensure secure configurations to protect your endpoints. He says end point devices are anything that extend outside your perimeter, the author breaks these up into:
Windows, Non-Windows, Embedded (printers, routers), mobile phones & PDAs, Palm, blackberry, windows CE/windows mobile, and Symbian OS. I had a couple of issues with his using a NAC as the end all, be all solution. For the sake of argument I'll concede that a NAC solution should protect my LAN from someone walking in an plugging in an unauthorized device or keeping a client that does not meet my specifications off the LAN by quarantining them (even though Ofir Arkin has spent plenty of time proving this isn't necessarily the case). What the NAC solution doesn't protect against is a public facing server with a vulnerability, those million client side "i got you to click on my link" exploits, or protect the network from any mobile devices (AV ends up being our only solution minus any baselining we can do).

I had issues with his unwaivering trust in NAC solutions and those agents that most of the time make that happen. Ch 6 starts off interestingly enough talking about how he doesn't trust software VPN solutions because they can have flaws but all throughout ch5 we are told to use NAC solutions that require a closed source agent to be installed on the endpoint. What gives? I'll take a mature open source solution over a relatively young closed source solution any day.

The book has chapters (8-12) on baselining Windows, OS X, Linux, Embedded Devices (Printers), and Mobile Devices. While not technically incorrect, its adds very little to existing information and is certainly not enough information to confidently lock down any of the systems mentioned. The Mobile Device threat and mitigation section which is probably the biggest threat to the current network is covered much better in BlackJacking. I was also disappointed to see nmap version 3.00 being used for scanning. Nmap v3.0 is years out of date.

My last set of gripes is with the author's assertion that we need to change our network diagrams (page 60). He says that we should throw out the Visio type diagrams and go with an engineering/circuit board type diagram. I found myself having to keep flipping back to see what the symbols meant. He gave the example of if you asked 3 network engineers to draw a diagram of a network you would get 3 different diagrams, but I would say that it doesn't matter if they use a firewall with a wall and flame or a wall with hatch marks 9 out of 10 times everyone will recognize that as a firewall where his version of a firewall that is two triangles with their point's meeting may not be recognized. The informIT site used to have Chapter 3 as a preview so you could see for yourself (wasn't working when I wrote this).

The book does have some good points, the idea of the ever changing perimeter that includes mobile devices as endpoints is a good way of looking at the current problem we have on hand. I also agree with the author on page 69 that "we have many security tools that can function as integral and derivative controls, but these tools are acting independently of each other and are not tied to a central controllable proportional process." I think he raises some good points but doesn't quite deliver on a solid way to fix those points in the book.

CG

No comments: