Thursday, May 3, 2018
“A sequel is an admission that you’ve been reduced to imitating yourself” -Don Marquis
A colleague forwarded yet another hacking article to me last week. I’ll paraphrase the headline and subtext, "HPE–iLO 4 Servers Targeted by Nasty New Variant of Ransomware! - IT blamed for not patching thousands of servers exposed on the Internet."
If you’re like me, I am sick and tired of the strain this never-ending carousel of exploits places on IT teams, our businesses, our critical infrastructure, and yes, our governments. These security events are repeated so often and the storyline has become so predictable it’s like having to watch the same genre of movie over and over again. It’s like “Groundhog Day” but that was a good movie and didn’t have a sequel.
The Internet is broken and the soft underbelly of all TCP/IP networking is exposed with yet another attack. Surprised? We have to fix the script of this movie and we can, but it means challenging the status quo in a much bigger and more meaningful way.
This Script Sucks
Unlike Groundhog Day, our IT movie sucks and a new sequel with the same storyline premieres every month. It’s called “IT Insanity – Into the Deep #169” (for obvious reasons) and like a sequel to a teen horror movie you know how it ends every freakin’ time. Here goes, see if you recognize this.
System has vulnerability (Gasp!), hacker runs recon looking for systems (DUN-dun-DUN-dun), hacker finds systems (Bwahahahaha!), hacker exploits system and does bad stuff (Nooooo!), forensics team is brought in (Look there! Cha-ching $$$), heads roll (Ewwww!), hacker escapes (Ugh, again?), new guys hired to replace old to shake things up (Ah, maybe the next sequel will be better), new guys buy more stuff from the same network and security cartel who didn’t protect them in the first place (I really hate this movie).
Traditional IT prescriptions won’t fix this script
What blew me away about the headline of the article was not that ransomware found a new target or that yet another system was exploited, it was the tone of the article, the comments posted by readers, and the prescription. It felt like yet another exploit was a surprise, what, hacked again?! And reader comments were harsh, “What kind of idiots expose their servers on the Internet, grrrr.” Really? When I did a quick search on Shodan those HP servers looked as if they’re being used as web servers and being that they are web servers it’s kind of normal that many would be public facing on the web. What about the perimeter firewalls and the prescription offered, “remember to use a VPN.” Brilliant. But what if I have highly mobile users and workloads, vastly different IP namespaces and what if I want to micro-segment that server from others on the same network? And what if I don’t want to expose my VPN on the Internet either and need to have a mesh of many-to-many connections to non-routable device IPs? VPNs are 90’s technology masquerading as modern in a 21st century world. It’s not IT’s fault.
Sure, those HP servers should have been patched because HPE-iLO servers have a long, storied history of vulnerabilities, but they’re not alone. All firmware, operating systems, and software from all vendors have had some type of vulnerability since the beginning of the Internet. Spoiler alert: vulnerabilities will continue to happen because people write code, people make mistakes, and bugs happen.
Despite brilliant performances in harsh conditions, the actors can’t save this movie
Have the critics ever worked in IT? Do they know how many tens of thousands of different systems need to be patched at any given time? Do they know that most of the systems implemented in an organization were deployed by people who no longer work at the company or the current staff doesn’t know where, why, or for what purpose the systems were deployed? Do they have any idea how many firewall rules, routes, access control lists, how many NAT devices there are and what it takes to maintain so users even have reliable connectivity? They don't know the sheer scope of IP:Port combinations in existence or how difficult it is to consistently maintain an IP namespace across different networks, IoT endpoints, containers, Kubernetes pods, and oh by the way different cloud providers too.
It’s not the actors, it’s the writers and directors
Do the critics know how all of these circular dependencies tie a Gordian knot of complexity that few, if any, humans can effectively manage? Idiots didn’t expose those HPE-iLO servers - overworked IT people did, using technology that they trusted. It’s not IT’s fault. IT didn’t create the complexity or allow the fatal flaw in TCP/IP to persist for so long - they inherited this script. Vendors, and even the standards bodies themselves, have let IT and all Internet users down.
Captain Obvious disclosure: I’m a vendor and have worked for vendors for the last 25+ years so am admitting my own guilt here, not just pointing a finger. Must be my Catholic upbringing and the need to atone for so many years of ignorance.
Fixing the movie starts with admitting the script needs to be rewritten
The reason the Internet is broken and why we see so many groundhog sequels to our “IT Insanity” series is the nature of TCP/IP itself. The base attribute of networking is the IP address, which serves a dual role for which it was never intended – as a device locator and as a device identifier. The role of the address evolved pretty quickly from its sole original intent as machine locator on a network to also being used as a machine's identity in order to enforce or restrict access to what that machine can or can’t talk to, e.g. allow ingress from 172.17.0.0/16 and allow egress to 10.0.0.0/24. We’re in essence trusting a non-verifiable attribute and treating it as a trusted identity. And if that base attribute isn’t trustworthy, nothing built on top of it will be either. It’s the weak link that the rest of the entire chain depends upon.
It’s no different than trusting someone to enter your house using their home address as their identity, "It’s okay honey, the person at the door said he’s 1324 Maple Lane so it must be Bill. Let him in." Would you feel secure knowing that your protection and personal identity was based on using your home address for identification? I didn’t think so, yet that’s the state of networks and the Internet today so why are we still so surprised when bad guys so easily find our houses, enter, and do harm? We’ve been building networks and access control based on a false trust model. This is the status quo we have to break if we’re to rewrite the script. If we don’t break it, we will continue to have to act in the same tired and horribly costly IT Insanity sequel. Because deploying yet another next-gen firewall, VPN, SDN controller, secure switch or whatever, is just layering more complexity on top of a soft and vulnerable underbelly.
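The address-as-identity problem described above, as an added example (not from the original post): an allow rule for 172.17.0.0/16 admits any traffic claiming an in-range source and rejects the legitimate machine once it moves, while a gate keyed on proof of possession of a key does neither. `Host`, `IdentityGate` and the sample addresses are hypothetical, and an HMAC over a pre-enrolled key stands in for the public-key signature a real host-identity scheme would use.

```python
import hashlib
import hmac
import ipaddress
import secrets

ALLOWED_INGRESS = ipaddress.ip_network("172.17.0.0/16")  # CIDR from the text

def address_acl_allows(claimed_src: str) -> bool:
    """Address-as-identity: admit whatever source address the packet claims."""
    return ipaddress.ip_address(claimed_src) in ALLOWED_INGRESS

class Host:
    """Hypothetical machine whose identity is a key, not its current address."""
    def __init__(self) -> None:
        self.key = secrets.token_bytes(32)
        # Public identity tag; unchanged when the host moves networks.
        self.tag = hashlib.sha256(b"tag" + self.key).hexdigest()[:32]

    def prove(self, nonce: bytes) -> bytes:
        return hmac.new(self.key, nonce, hashlib.sha256).digest()

class IdentityGate:
    """Admits a peer only if it proves possession of an enrolled key."""
    def __init__(self) -> None:
        self.enrolled = {}  # tag -> key (assumption: keys enrolled out of band)

    def enroll(self, host: Host) -> None:
        self.enrolled[host.tag] = host.key

    def admits(self, claimed_tag: str, prove) -> bool:
        key = self.enrolled.get(claimed_tag)
        if key is None:
            return False
        nonce = secrets.token_bytes(16)  # fresh per attempt, so old proofs cannot be replayed
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, prove(nonce))

def compare_models() -> dict:
    bill, stranger = Host(), Host()
    gate = IdentityGate()
    gate.enroll(bill)
    return {
        "acl_inside_range": address_acl_allows("172.17.4.20"),  # sender never checked
        "acl_bill_roaming": address_acl_allows("203.0.113.9"),  # Bill on another network
        "gate_bill": gate.admits(bill.tag, bill.prove),
        "gate_stranger_as_bill": gate.admits(bill.tag, stranger.prove),
        "gate_unenrolled": gate.admits(stranger.tag, stranger.prove),
    }
```
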
The award-winning script that you not only get to act in but write and direct
This new script starts with zero trust, adds verifiable device/machine identity, peer-to-peer encryption and climaxes with borderless overlay networks that can’t be violated by unauthorized systems and can be run anywhere with point and click simplicity. Let’s eliminate those HP-iLO Server 4 sequels altogether.
The Host Identity Protocol (HIP) is the only one I know that combines the powerful attributes of three different protocols into one – VXLAN, LISP, and IPsec while eliminating their complexity and limitations. Imagine being able to traverse any network boundary or domain like VXLAN but you didn’t have to modify any infrastructure so it could run anywhere, across any network, even ones you didn’t control. HIP gives you seamless, non-disruptive, and universal peer-to-peer connectivity that’s been impossible until now. Now imagine your machines could automatically and transparently authenticate and authorize connectivity like LISP but did it at the host level and before a TCP connection could even be established so all your machines would be cloaked and undiscoverable by unauthorized devices. HIP not only does this but unlike LISP doesn’t require the underlay network to be HIP-aware in order to function and can be implemented in a tenth of the time and cost. Now imagine that all of your authenticated and authorized network connections were encrypted like IPsec but didn’t have the mobility limitations or complicated and costly IKE overhead. You could connect anything to another over any network, including the Internet, and it would remain private end-to-end. None of your stuff would have to be exposed. Everything could remain private. You could create your own private Internet and rewrite the script.
Now just imagine that overworked IT team being able to orchestrate connectivity and the discovery of devices with point and click simplicity. A lot of the previous storyline would be struck from the script – ineffective internal firewalls, using unmanageable and traversable VLANs for segmentation, immobile and exposed VPN technology. You could start to untie the Gordian knot of IT complexity and not just be an actor using a crappy script you inherited but direct and star in your movie too.
Now that would be a movie I’d love to see.