Episode: 528
Title: HPR0528: Borderless Networking
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr0528/hpr0528.mp3
Transcribed: 2025-10-07 22:33:45

---

Right, before we start, one thing I hate about this place is when halfway through there's a really, really good question, and at the end I don't know how many of them there were. So, if you've got any comments or questions, or your name is Rick or Adam, just feel free to interrupt at any point during the talk. Also, if you're a student in the wrong place... I was going to introduce myself; I think you've all met me before, haven't you? So, I'm Robert Leidman, by the way, hello. I run a small IT business; we do QA, and it's Dave Tektor, and we write software, that's what I think. And you're a media guy, aren't you? Indeed, yes. Teotart, as I've got it.

Now, what I'm about to talk about tonight is what I define as borderless networks, OK, or borderless networking. It's not necessarily what I'm going to agree with, but that's the term I'm going to use. So, you start with it. It's only a brief overview. It's not going to be massively technical, but what I'm going to do is dispel some of the misconceptions, because there's a lot of nonsense being spoken out there in the blogs, give a rough outline of what it means, or what its approach is, and I'll try and contrast it with the current sort of classic approach to networking and show you really where the differences are.

First of all, I'll tell you what it's not, OK, what it's not, to me anyway. It doesn't mean just joining up with the customers and suppliers. This is really what Cisco will make you believe it is if you go to their site. They're really viewing it as: the borderless network really means a sort of absorbing of your customers' networks into yours, and not having a border between the two. It sort of is that, but that's not the real reason for doing it. It's one of the reasons the thing called the Jericho Forum, which I'll talk about later,
came together, but that's not really what it is. That's the sort of Cisco view. And it also isn't about joining VPNs: if you've got distant offices of the company, joining them all together and having a borderless network, so if you're in one site it feels like you're in the other. That's also what you do, but it isn't the real reason for it.

The big misconception about it is that borderless means you're going to throw away your firewall. No, you don't. That you're just going to get rid of it and put your machines out on the raw internet: that's the criticism you'll come across of it out there in the blogs, which is, oh yeah, that's what the Jericho Forum are talking about, that's what borderless networking is. And that's actually what borderless networking isn't at all. It's nothing to do with that, OK, and it's a really major misconception. The main reason for that is that some of the marketing material from the people promoting borderless networks can be summed up in one line, and they ask a question, which is: could you, in theory, operate your entire network if it were on the internet, if you were to take all the components of your network and put them in various places on the internet? Would you still be able to run your network securely like that? They're not proposing it, but that's what people have picked up and think is happening. The idea is that you should be able to have devices secure enough to act and be able to do that, in the ideal; well, we're not there yet because of the capabilities, or lack of capabilities, in machines. It's actually happening now, whether you like it or not. If you go to Wetherspoons or McDonald's and take your little Wi-Fi phone, you don't drag your firewall and your perimeter into Wetherspoons with you; you sort of take it on trust that the Wetherspoons network, then in the Counting House, OK, Chris doesn't get it.
We know that Chris would break it, but you don't really take it on trust that it's going to be OK, but you're not taking your entire network with you. So this criticism of it in the blogs is actually not reflecting what people do. They wander around with devices in their pockets all the time that are attaching to networks. Now, the other way... I don't know if you're fortunate enough... each time. Don't start. No, until I come to that later; actually the answer to that is sort of no and sort of yes, but you should have nice now.

So, OK, fascinating is all that, but what the hell is all this borderless network, OK? Well, the idea really is that you should recognise that your network perimeter, if you like, is, has been, or will be penetrated, OK; you can take your pick out of that, really. That's what it means. It means you should treat your internal network as a hostile network, as hostile as the raw internet, OK, because even if it isn't now, chances are it will be in future, or it may well already have been compromised; you just don't know. You know, the same goes for this network in here: you have no idea whether the university's network is inherently secure. You might have a clue that it might not be, but you have no idea what other devices are out there looking at you, monitoring what you do. So, you should treat your own network in the same way, because if it's compromised and you don't know, it's the same type of network. So, in effect, what we're trying to do is secure every host you have, host, PC or device, or whatever you want to call it, against every other host. Now, you may already have heard of this, but it has lots of other names, and the one the Jericho Forum calls it is de-perimeterisation, which really trips off the tongue, and that's exactly the same thing as what I go for with our networks. That's the reason I thought, for all the lessons, I had a way easier way to pronounce it than de-perimeterisation at the time.
Now, the Jericho Forum was a bunch of sysadmins in large enterprises who got together informally in 2003 to talk about perimeter erosion, or the crumbly perimeter, as they put it, and they formally came together in 2004 and formed something called the Jericho Forum. Jericho, if you don't know the reference, was a biblical town which was believed to be really massively fortified, couldn't be knocked down by anything. Somebody came along with the trumpets and blew it down. It's not... You know, it's a pretty good reference, really. They basically came together to try and, if we go back to what I said about the Cisco idea of what borderless networks is, to try and get their networks to work together, but still to be secure. Now, interestingly enough, it was a chap at the Royal Mail in the UK who came up with de-perimeterisation in 2001, a chap called Jon Measham. I don't like the term, primarily because it's hard to pronounce, but more because it seems to imply that you're going to go and pull down the perimeter and rip out all the things that you've got, de-perimeterise yourself, and expose you and everything you have to the internet, which again is that misconception I pointed out earlier. That isn't the gist of what de-perimeterisation means. So, really, de-perimeterisation and borderless don't cover it. They don't really have the meaning they seem to have. But what you might think is that borderless networking and borderless computing is where you want to get to, and de-perimeterisation is the process, you know, the verb you're going to use to get there.

So, we know what it is. We're going to secure each and every host against every other host, and assume we have a hostile network even when we're at home. And really, the next thing I want to cover is the current approach, which you can see is this one. It's sort of a classic diagram here. Here's my perimeter, here's the firewall. There's the internet. We're all hunky-dory.
This is the fortress approach. You know, it's the big castle with the entrance guarded by a firewall. And so, often you'll have a DMZ, a demilitarised zone, which is where you put your web server for public access. And the reason for having it in the DMZ is... Yeah, because you might compromise your internal network. Well, although there's a big fat clue to a problem. If you're having to put these things outside, that tells you that your internal network is a soft target. Soft and easy. It tells you what the main problem with this is, which is... you can harden the perimeter as much as you like, but once you're in it, then you're like the classic Trojan horse. Once you're in it, you can let loose the dogs of war, because you're past the firewall. Yeah. And every machine after that is allowed to be incredibly easy to penetrate. What you tend to do is view this as an... I mean, inside and outside. Yeah, this is inside, us. And that lot's outside, the internet. Somewhere else.

One thing about the word internet is... it's a joining of two short words. It doesn't mean... For instance, in Gaelic, Scots Gaelic, the word for internet is eadar-lìon, meaning between nets. But it doesn't mean that. They just say an inter... It's to mean inter... Between. It's short for interconnected networks. There isn't an us and them. It's all about being interconnected. And this model really is the us-and-them mentality. And it's the classic one.

The other thing that tends to happen is you tend to harden the perimeter, harden the firewall as much as possible. You can end up over-hardening it. So you need to open a port or a number of ports for services into your firewall, particularly if you're having remote administration, or you're providing remote services to a partner company or something like that, or you're wanting to administer your own website or something internally. Now the problem is that immediately compromises that model.
Once you open a port in the firewall to one of the internal machines, you basically drag that internal machine right to the perimeter. That's what you've done. You're not opening a port into your network; you're dragging that machine right up to the perimeter. And over-hardening leads to that. The other problem with this is there are certain things that will just go straight through, like Skype. Straight out through your firewall, straight back in through your firewall. You know that; that's why people love Skype. If you interfere with the way Skype works, it just works its way through all the approaches it can. It goes via HTTP, then it tries HTTPS, and so on until it can get out and get in. VoIP usually has to go in and out through your firewall as well. There's an awful lot going on with that. I know you probably think a lot of Skype is VoIP, but normal, non-Skype VoIP, if you like, is very insecure, and it has to pass through a firewall; you have to open the port for it.

The other thing is that a perimeter defence like this often can't defend you against the black hat stuff, bad stuff that comes in via email or comes in from a website. There are programs around that you can install on the firewall, if you're proxying your connections, that can scan an HTTP stream for malicious files, viruses and so on. But quite frankly, if someone's going out over HTTPS or SSH, you can't intercept that by default, by definition rather. You can't see what's in the stream. So you're stuck there as well.

The other thing is, and I am guilty of this, is there anyone here who's actually worked on my application? No, that's good; I could actually just pretend I'm watching. But I'm quite guilty of this. The attitude 'we're safe because we're behind the firewall' can lead to slack application design. I've been guilty of this. Most of my customers run my software internally.
And because of that, you don't build in certain safeguards that you would for an externally facing application. You maybe don't bother with only three attempts for entering the application, because as far as you're concerned, you're considering it as safe inside the firewall. Well, you're considering all the staff are safe inside the firewall. So that's the other thing: it can induce a false sense of security.

Now, the other thing with this is it's really two-dimensional, which was fine when you had dial-up as your connection to the internet. But if you take it and turn it this way, you can see that it can be compromised quite easily by newer devices, if you like. If you consider a handheld device with, say, 3G, GSM and Wi-Fi... Black with your wall. And I thought it would have some new device or a current device. But you are required by your company to connect to the internal network when you're there, via Wi-Fi, say. If, in some way, it's compromised so the connection can come in over 3G, the access to the internal network is through a completely new dimension. Your firewall is not only not capable of stopping it, it's not even aware of it. It's living in Flatland, and all these other connections are coming in through this other dimension. So that's a three-dimensional view of the network. Nothing you do far from the perimeter there is going to change that. You could try hardening the equivalent, but let's face it, new technology comes along and you're struggling again. I'm not even talking here about rogue, which gives you another insight as well: rogue Wi-Fi points. You know, it's stored on the network. It's supposed to give you something. Well, there are several ways that you do that. Do you have any rogue access points? Yes, I do. There are several ways that you can turn things into access points. And I believe there's a new way to do that. Well, indeed. I mean, I've also got Zora, such a little tiny thing. It's a device you can run. You can post that being on there.
I can walk around the building with something which is smaller than a notebook in my pocket. It's a Wi-Fi point, you know. So, but again, you can see that our model has gone, really, and you should be thinking in different terms. So that's my criticism, if you like, of the current situation.

So, you know, what's the big news? What's borderless; how is this supposed to help? Well, if you think that this model really is the fortress model, big wall, everything inside is safe, the borderless model is more of a hotel. You can wander at liberty through the bar and the public areas, but every room has got a lock on the door. You can invite your customers into the bar, that's not a problem, but your room's locked. So the model there is the hotel room, if you like. You might still have a great big wall around the outside as well, protecting from the normal threats. There is no need to discard your current firewall, if necessary, and that again, as I said, is a misconception. But what you're going to do is to bring the perimeter in and multiply it to each device, each host on your network, so that each host is protected from every other one. The other thing that does, that it tends to do, is drop the inside-versus-outside idea. You know, we're inside the network, we're outside the network. And, you know, when you leave your hotel room, you're outside the room. And that also tends to be getting at so-called insider attacks, because if every host is protected from the other, then an insider attack is actually no different than an outsider attack, and you're already protecting against it, and you don't sit... This one, it sounds like it's just for corporates, you know, the big labs and all the rest of it. But it's not about the perimeter, it's about the perimeters. So it's about a perimeter on everything, every device you've got.
So even if you're at home, the principle is that if at home you've got a PC and a small network, you know, you're behind a router and you've got a network, maybe an iPhone or whatever else. The idea is that when you're out of your network, you would protect it while it's on the Wi-Fi network and so on. The idea is when you come home to your safe network, you continue to use an encrypted communication method to share your files with your PC; you treat your local network as if it were a hostile network. The underlying idea is that that should be a one-granting solution, very simple. Now, you asked me about SSH: every client should have an SSH... every device should have an SSH client on it. The idea is more to use it, which is a level 3 protocol, on the other side of the network. SSH, SSL, they're at level 4. So if it's done at level 3, it's pretty much transparent to you. You haven't got to harden your applications if it's really done at that level. You haven't got to use SSH because your connections are already encrypted. So the idea is that when you come home to your own network, it just assumes that it's a hostile environment and carries on working that way.

So when they say borderless network, or de-perimeterisation, they mean treat your network as if the border wasn't there, not get rid of it. Again, it's not about throwing out the firewall, it's just about treating everything as having a perimeter and bringing that perimeter closer to you. The idea is to harden each device, to protect each device, not just the network, and to protect the data on the device. Because there's always the ethical hack... so you're probably going to disagree, which is fine. I'm talking, so you can just be quiet. There are two types of attack. There's vandalism and data theft, if you like. And I would say to you that all the rest are just subsets of that. Now, the black hats know their product.
And if you're a black hat, you know your product when you're not vandalising. You want email, account details, personal information. So you need to secure the device and the data on the device. That means encryption, encrypting your hard disk and so on. That's what hardening your device means. Now, the other aspect of that is if you're running a hardened bunch of devices on your network, and someone brings another device in, you may need to have automated standards for what can and cannot connect to your network. You don't want someone to bring in a device that compromises everything else. So there are packages out there that can do that for you. They are more geared towards the corporate and so on. But the idea is, the overall idea of the borderless network, is that it should be as difficult to compromise individual machines inside the network as it is to puncture the perimeter. So instead of this 'I can get through the perimeter and then all your network are belong to me', when you get in, you find it's just as hard.

Now, there are problems with this. Each device needs management. What's new? Yes, you have to manage your devices most of the time anyway. When I discussed this with a couple of you before last week, the comment I got was, well, if you go this route, then every user is going to have to manage their local firewall settings and deal with their own antivirus and so on. Welcome to the world of Windows, really. It's already happening, really. It's, you know, the perimeter is already getting eroded and so on. You do wonder when you look at the approach Windows is now taking, which is you have an onboard firewall on all the time, as opposed to Ubuntu, where when you install it you haven't got a firewall, am I correct? That's what happened to you when I installed Ubuntu. There's no firewall installed. You have ufw. Or if it's installed, it's not running. It's installed but not running.
When I looked up why, the reason was because we're not running any services that are vulnerable. Right? OK, I have many comments to make about that, but at least nowadays, and I know Windows was like that before, but now you can look at Windows and, when you first switch it on, it does really take this approach to a certain extent. You still have the network neighbourhood and so on, you know, but that's really perhaps a model we should look at more as the Linux people. You know, it's assumed that the Windows machine is easily compromised, but the assumption about the Linux machine is it's not, but perhaps what we should do is actually be turning the Linux view the other way around, which is start assuming we're just as vulnerable. We haven't been hit yet. I know all the other arguments about no viruses, but it's just an approach we can take.

The other problem with the borderless network is VoIP really spoils the party. You know, it's not secure. It's a lot more work to do with it. It's a bit disappointing, really, if you look at something like Asterisk, OK; it has, you know, it runs with VoIP protocols and all the rest of it, but there's nothing really there in VoIP that's designed for real security. There are some certificate things you can do for deploying to devices, but it's more about controlling the distant device that wants to contact you rather than inherent security. But the other one is printers. Your average printer has no facilities whatsoever for secure communication. Absolutely not. You might not think that's much, but if I capture the PostScript stream that's going to your printer from where you're printing, I haven't actually got to do much work to see it. I actually only want to do two things: I can print it out on my PostScript printer, or I can just view it in Okular or KPDF. Don't be angry about it; it's only a few PostScript files.
You know, that's a pretty good way of getting information out. The other thing as well is the higher-end machines actually have memory, and they can often store the... you know, make up for the memory. Thanks very much. Or just work my way into the printer and pull stuff out. You know, so... Sorry. Haven't they got a web server? Yeah, I know. The last three printers I've had have all had their own little web server inside. They're not... you don't talk to them via... you can't talk to them via HTTPS. So it's compromised your borderless model straight off. You can stack them on the back of a CUPS server and use that security. But even so, you know, there are problems with this borderless approach.

Right. Handheld devices. Now, they are often insecure, particularly because they tend to be closed. It's a closed device. You can't review it. You can't patch it yourself. Look at the iPhone. There was an iPhone rootkit a few months ago, which went through all the jailbroken iPhones. Yeah, but didn't... And, you know, that's a similar sort of thing. That's a device that... That's what we're all used to. But it could be done. So, if it had been an open system, it's possible it could have been patched. But regardless of whether it was jailbroken or not, again, it's a possible compromise of your network, you know. And the other example I've got at home is a UT StarPomage 3000 Wi-Fi phone. It's from about 2005. I was showing Aaron this earlier on. And it's a little Wi-Fi phone. It connects to VoIP. It connects to the little... you know, Wi-Fi point; seems great. Unfortunately, if you look it up, you find it's got an unpassworded, un-usernamed rlogin prompt on it. You can go straight on over the Wi-Fi to a VxWorks shell on the machine. OK? And VxWorks lets you then modify and look around and see what packets are flying past this little tiny device. Yeah.
I only found that out, having had the phone for two or three years now, because I was looking up the information for this, and I thought I would just check the phone. Sure enough, it was listed with a whole load of other devices that you just get. It doesn't sound like much, but once you're sitting in your network, it registers with a VoIP server. Remember I said VoIP is a party, yeah. If you couldn't get on to the device easily, you could use the VoIP server to pass commands back to the phone and get it to do some nasty things on the so-called safe network. And it also rather spoils the borderless network party, as I said.

Lastly, the other criticism of it is, yeah, what if it goes wrong? Well, you know, your network, it's all compromised. Well, guess what? That's where we are now. Yes? If you're not doing it, that's the state of your network now. As soon as they compromise your firewall, that's you. You're open to it. Now.

I talked about the Jericho Forum; they came up with some rules. There are 11 of them, so it must be really good, because it goes all the way up to 11. And it's all full of corporate stuff, honestly. But the ones I put in bold here, you know: devices and locations must communicate using open and secure protocols. That's really interesting, these corporate types: they've got to be open, whatever's there has got to be open. All devices must be capable of maintaining their security policy. In other words, any implementation must be capable of surviving on the raw internet. Again, that's probably where this misconception comes up. That's what you're going to have to do. I haven't got to do it. What it says is, it should be capable of it. In other words, when you wander into Wetherspoons in your cases, if you like, you should confirm your devices are as secure as they could be. And data privacy requires a separation of administrator access, and that'll also be subject to controls. I mean, the problem is the admin who can do everything.
And there are obviously ways to counter that. There's SELinux and AppArmor, which allow you to prevent root doing certain things. Now, those are the commandments. Obviously, they're carrying the biblical reference here. And there's a link for it. There's also a practical guide to implementing it, which is actually quite good. It's actually quite practical as well. It's not sort of, you know, everything would be wonderful if you do this. It's quite practical, and points out the limitations. So, well worth visiting. So, really, there's a question for you as well there, which is a thing to think about, which is really, you know, where is actually your network perimeter? You know, is it at home behind your router, or does it also include, you know, your in-pocket device? So, to disappoint you, if you like, borderless doesn't actually mean borderless, and de-perimeterisation doesn't mean de-perimeterisation. But we're in the computing industry; we're used to words meaning completely the opposite to what they say, you know; it's the usual marketing thing. So, that's it for me. I told you it wouldn't be too technical, it wouldn't be too long. But, if you've got any questions... nobody interrupted, I mean, which is... well, a couple of people did. So, if you've got any other questions, then fire away.

I do think it's the way it will end up going; in some ways, it's drifting gently that way anyway, you know, if you've got a chance to actually actively do it. Well, one thing you mentioned about printers is this: in America, this flight study council, they had about 2,000 computers, sort of with viruses, and it all came from a line printer. A printer? Well, that, yeah. Yeah. You know, I'm saying, how could you get to a printer and not find the same thing, you know? Well, again, you know, if they've got web servers on them, you know, it's 10 points down there. If they've got web servers on them, it's just a web server, you know; can you come up on this?
It's a library, for example, and doesn't have an administrator password set, which means you can upload new firmware to it anyway, which, and if it has the capability of operating a web server, then it has the capability of sending and receiving IP packets, so you only have to know that, you know, you have to use an analogy, you have to use it, and you can write your own web server that, instead of... whenever something is sent to the printer, it reads our excerpt and sends it somewhere else. Well, it did; you just took a copy for your own benefit, yeah. You know, very harmful, or, you know, that's a big grown-up machine, as it were, you know. It's not only, for example, people... there's HP, and ProCon, so they've got a lot more ProCon for the HTTP printer. And you can overwrite that, write anything you want to the LCD screen as well. Really? Yes. Yeah. I mean, these sort of hardware devices, particularly printers, they don't really think security. You know, how many of these routers have you got? You can only access them through HTTP; they might say you can only do it through your local network, like, it's the same vertical, for example. Yeah. Because they allow local access; they don't allow local access but they allow access within something. So that means, as soon as you have access to the local PC, or even with a web page, you can make a request to the router. Indeed. Well, I've seen compromised Windows machines where I've watched the Squid log go by, and there it is, trying to access all the router default pages and passwords.

Yes, Aaron, sort of. You touched on a long, crappy solution, but in this context we're talking about asking the user to engage in a way that we've never asked them to engage before. We've set gateways in place for them, and almost checkpoints, you know, 'we push a truck through here, this will add to your security. We will protect you.'
How do we now go about redefining the landscape for them now, and saying, now you are in charge of your device? But, and, I mean, particularly, like, say the one-problem solution, how do we ask... and, Bellman, now, does she really understand why this firewall is saying what it's saying? Yeah, but, you know, it is the question of... I'm sorry. No, well, I'm really there. Yeah, that's a good point, but there, really, as I said before, and I'm not trying to answer the question, but I think we should look at Windows in some ways; ignore XP and all the previous stuff. I know it's hard to do that, but if you look at Windows 7 now, out of the box, everything is switched on, and so is this, and... was it about this issue, or is this something else? A good point now, I'm trying to... yeah, yeah, I understand what you're saying. In some ways, you know, Aunty Thor is actually having to... our Aunty Thor was actually having to do it now anyway; you know, if cousin Jim comes along and says, don't you really need antivirus, and Norton is really good? She's having to do that anyway. And, at the moment, there isn't any cure for that. Otherwise, you know, we wouldn't normally be repairing our nagas machines when they go wrong, because let's face it, that's where we are now. How we do it, I don't know; as I've said before, most users need a double-A battery and we give them a nuclear power station. So, you know, I haven't really got an answer to that. But I do think, looking at the way Windows now does it, which is where it has a built-in... it's just a software tool, and it has... it seems ironic to me, talking about Windows and Linux, but it has the firewall switched off from day one, installed by default. It does make the mistake of talking about a local network and a public network, which is wrong, but, you know, by default, the number of things that are turned on, I think that's the only answer. Yes.
Is the situation going on with that? It's not even more extremely well represented than that, as you go up: extra services which are outside of the firewall but not even controlled by your organisation, which you're relying on; so, you know, you may have social networking sites, or, you know, you see, I write a text and stuff, which, you know, it is. Well, obviously, the original Jericho Forum came from the big labs, as it were, you know, looking at corporate control, and they tend to have central control. But the issues that you brought up are usually already there anyway with the current fortress model. But, I do know, you mean, once you've moved me on that, and everyone's gone to the borderless, how are you going to control that? The whole sort of borderless networks, in any way, it's a philosophy to address what's actually happening. Yeah, yeah. I mean, they talk about perimeter erosion, and that's what they're really saying, you know, it's a... And, again, I guess, though, it's like, it seems like it's acknowledging that it cannot, it can no longer have, in fact, control over what the whole network can have. They talk about that. It makes it, controlling is going to, you know, policy and stuff like that. Yeah, they, I mean, they do use the word policy a lot. It's a word I use a lot, because it has too many meanings. Um, they talk, they call it end-to-end encryption, but I would actually say what they're talking about is controlling the data, not necessarily, you think, the device. You know, they do drift into DRM, digital rights management, but not very strongly, but what they talk about is, it's not just about securing the device, but it's about securing access to the data on the device, that being the product, which is what the black hats want, which in some ways deals with that. But what I was also to come away with, I think, is the idea that it is someone's personal machine.
I mean, like, we have that sort of distinction anyway, and then we have the root, and we have our users, but usually, distros are focused on the idea that actually there's just one user, it just comes in, it uses root, you know, to administer stuff. Um, but, I think that will have to be more enforced, you know, maybe even to the point, where, in fact, if you don't really control your machine in some ways, it's, Tim.

Um, I was just wondering, I mean, as in that matter, above, I was the regular brother, I mean, we're talking about firewalls, and the use of security and the machine within a network to, say, rather than having it seen as an internal security network, seeing it as a possibly non-secure network, and thereby manifesting security procedures, so that the machine, if the network isn't festive, doesn't get festive, but, isn't that just, you, then, the whole problem relies on, even, even if you have a secure machine, say, with a firewall on it, still means that it's vulnerable to spam, or, you know, viruses received via email, and applications, in general, so, wouldn't that be just application security on top of machine security, on top of a network security?

Yes, in some way, and you are exactly right, and if you go back to the original network and say things, you know, you can't block the black hats, so it's, then, yeah, I agree, but the difference is that you're sort of isolating the bad cell, hopefully, and, yes, so, you still would be compromised. Yes, I have the pivot. It doesn't do, however, if you've got a monoculture because you've applied it across the board with your machines, you're in just as much, just as much trouble. I mean, at the moment, if it all goes horribly wrong, it's no worse than the current situation. It's not really a very positive sort of, you know, there's not a very, very positive approach, because once the old-style fortress mentality is gone, what are we going to do if it gets compromised? So, yeah, right?
The approach, not just security and that sort of something. Is there any more? There is a bit more. It's, it's to do with, I mean, I'd rather glossed over the idea that a lot of it is to do with it being transparent. So, not only can the user not switch it off, but they're not really even aware of it. Yeah, so you don't need to use it, it hasn't got to use SSH or HTTPS because it's all actually done at the lower, you know, much closer to the hardware. Yeah.

What do you think the level is when it comes to the users and control and security? Do you think it's so much that you don't need to go out and tell people all you need anti-virus, you need a firewall, would you think it's a firewall, as far as actually teaching people how to use his products efficiently, I mean, what do you need to work out in the world?

Be honest, that if you look at the user landscape out there, and in fact, if you look at the people who came together here from Jericho, you know, they understand the user landscape, which is they're all the FUs, and they're all going to be, everything's going to be broken unless you take away their sharp knife because, and really, that's what I mean, it's got to be transparent, and I think what you have to do with educating the user is take away that burden of educating the user completely, really. I mean, it's in there. You can't nanny it, but there's, you know, there's a difference between, I think, I think the problem is that the moment you give them a nice sharp knife, if you get a sharp knife, you know it's sharp, you know, you're going to hurt yourself and, you know, whether or not it's with knives, I admit that most people are going to be a PC, they don't. So I think what you've got to do is take away their dangerous toys. The problem is that trust is keep you more of going and we don't try to use it. It is, but yeah, it is, that's a lot of trust.
But the problem is that the other side that I speak like Rick's talk on freedom and control, the other side of the coin there is Apple's idea of tying down the device and even tying down the App Store. You know, it's not really so much of a commercial thing, I think it's people thinking they're going to do with trying to make sure their device is compromised. It's a losing battle they've lost its strut off, really. But the other side of that coin is a device that's so controlled and locked down that it's not really yours, you know, because it's an awkward position. If you're talking anything like networks within companies, then there's not really, there's anyways, because it shouldn't be used for any other purpose apart from, right? Indeed. It's a lot easier to control the problem, isn't it? The VP usually interacts the head of IT and gets to bring the Johnny's PC in and gets to take his home.

Then there are other things they've done here which I haven't really covered up. One of them was where you have a portable device like a network or whatever. What you do is a corporation, if you like, is you buy, and we step back actually. Once you can secure a machine and come to that point where, as I said, the idea is that you'd have a machine with a hard OS capable of just being dropped on the internet. Once you achieve that point, the idea is that you put that out on the internet, a mirror of what you run in-house, because there isn't an inside and outside anymore. Your distant devices, which you're talking about, the normally partner network, that they might get taken home, connect on the internet to the same sort of server they will be using in-house. And others, they're using the cloud, as it's now called, to run the equivalent of what they were running in-house, a suitably secure server. So that distant device, which the VP takes home, even when he's at home or he's in a secure network, all this connection goes out, connections go out to this secure and it's never off.
Yes, because it affect, because there is no outside, there will be. You can put your control mechanisms outside in the cloud, or whatever you want to call it. And your VP, he or she can connect as if they were still at the office. So letting them take the machine home is no longer a problem. And if that machine they take home is also geared to think every network is hostile, then even if little university is completely trojan-ridden, his machine is still secure. So I didn't have a lot of what he really is worth visiting the Jericho site. It's not a, they're not trying to say anything. They've just got these, these few things. Yes.

And there is a two-fold question for people listening to this later on: how we system admins are you going to think they're going to be saying that, that, that, that, so you know, about that outside of frags and the impact that I think IPv6 is going to happen. It's not always well, this model of being needed, to have it be IPv6. How many of them are going to say you actually work correctly and you cover IPv6?

Yes. So I was going to, this is, yeah, you're right, this will. Borderless networking and IPv6 are fairly intimately linked. You know, with IPv6, you can get away without a DHCP server to hand out addresses. The thing with IPv6 is, you know, I took a hit IPsec down on that lower level. You know, down on level three, there below, there's the soldiers or an IPsec has built-in support for it. And for quality of service and so on. That's also important in the quality of this network model because of a major threat. It's not talked about, it's like his denial of service. If you've got a notion of open network that's secure, denial of service is a problem. IPv6, I think, is going to bring borderless networking in whether you like it or not. I suspect that your iPhone is going to pretty soon get an IPv6 address. Yes, it's going to be an internet enable, that'll be it.
I suspect that your telephone probably soon is going to be an IPv6 in the UK. The address, because BT's 20CN or 2000CN or 20 CN, we're going to call it 21st Century Network. Because it should be, not 20th century network, but the two thousand. They're going to make all of your phones IP based. Well, there's how many million households in the UK, and all for a lot more than there are before. The address is available still free. So how would you go about doing that? Well, you could NAT it, but let's face it, you can't have a whole... You could use the 10.0.0.0 range, perhaps, you know, you've got 60 million numbers there, but it's going to be a bit clunky when it comes to an IP address. So what would you do if you're going to have telephones over IP? You can use IPv6. Now, once your telephones are a device that's out there, in the wild, which it will be, because it's unlikely that BT you're going to say, yeah, you can firewall all your telephone system, then borderless networks, they're here whether you like it or not. You really, really don't want someone to be able to compromise your telephone. That's quite bad news. Before you know your mobile is compromised, but when it comes down to you, yeah.

As for how many admins we're just going to know, this is just fractures, technical terms, system admins now, but we've got none. Well, you know, I must say, when I first saw this, I thought, throw my firewall away, I'd rather repeat this, slap my head in the door, thanks very much. But when you actually look into it, it's not really talking about that. I do see an awful lot of difficulty as we move beyond that. What you have to remember is that NAT came in because of the national shortage of IPv4 addresses, and then has become a sort of now deemed to be, isn't it wonderful, but it was only a stopgap, really. It does work reasonably well, but it actually leads to that false sense of security in some ways. If you see a local address, it must therefore be on my network.
Therefore, it's such that it's not a chain of reason and you should really be following these guys out. That's the technical trainers, and I would say that it's a security benefit behind that. That's the one. Well, I can see initially why you would say something, but that's the truth. The problem is, I think, is that the film was very quickly and what might have been true 10 years ago, the physical problem wasn't there, but it might be thought of as true generally, it just really isn't there anymore.

I don't see where one can end. As you say, the whole view of the internal, external network, and then moving away from this idea of having one border or DMZ. Where would one stop? Does one stop just at machine level? Was it just continuous until you made sure that no application ever used can access everything you should have?

Yeah. It's the best answer to that. Well, an application is really an app proxy for the user. You don't want the user to go everywhere, really. If you view the application as acting on behalf of the user, which is what you would have done. Well, why didn't you have a question? I do actually think that's the way. I mean, once you start with, well, my communications need to be secure, you then start thinking, as I said, it's about securing the data. You then think, well, surely my application needs to be secure. If an application can't trust the other host, which it shouldn't, then yeah, that should be secure. And then you go to the point of, well, surely then, if I can't trust anyone accessing that application, unless I've got the credentials or whatever, then I should really secure the data as well. So yeah, I do think at the moment, the perimeter, it actually has to come inside the machine in effect. It's got to come beyond the adapter. You have the host in the adapter. It's got to come into the adapter, which is roughly where it is now, into the host, and then right down into the data.
You know, the secure, the secure operating systems, if you like, that have to be validated, really work that way. You know, the granularity is very fine, of what you can and cannot touch. So yes, I think we all end up as, you know, machines, if the machine's going to be an extension of you, wanting to be as secure as you live, quite frankly, you know, certain exceptions in this room, obviously. But you know, you want it to be as secure as something inside your body, really, and that does mean a really security all the way here. Oh, and in the future, it might be the fact that, you know, it brings a pure end to the data. Well, you know, you're an interface, and someone hacks it, you're really an internal object. That's face it, if you wake up naked, having feathers and greets you. At the senior, you're really going to want to know how that happens. I've always been sorry with you, though. All right, any of us? No, well, thanks very much. Hope you enjoyed it. Thank you.

Thank you for listening to Hacker Public Radio. HPR is sponsored by Caro.net. So head on over to C-A-R-O dot N-E-T and all the other things. Thank you very much.