
Explaining The Monty Hall Math Puzzle


Let me start by stating that much of what I’m about to cover was seeded by a
wonderful talk I heard by Marcus Ranum back in 2003. Since then I’ve been
sort of mulling everything over, and here are the basic ideas:

From Marcus’s talk:

  1. Q: What does a packet filter do?
    A: Looks at a few parts of packet headers and decides if it is bad. If
    it is, it drops it.

  2. Q: What does a stateful firewall do?
    A: Looks at more of a packet and decides if it’s bad. It uses the loose
    concept of “state” to help it. If it’s deemed inappropriate, it gets
    discarded.

  3. Q: What does an IDS do?
    A: Looks at a bunch of stuff in the packet and decides if it’s bad or
    not based on signatures and/or some heuristics. If it’s bad, it notifies
    you.

  4. Q: What does an IPS do?
    A: Looks at a bunch of stuff in the packet and decides if it’s bad or
    not based on signatures and/or some heuristics. If it’s bad, it drops
    the traffic and/or notifies you.

(Here I’m going off on my own tangent so I’ll leave Marcus out of this)

So, ultimately there’s very little difference between a rudimentary packet
filter from 10 years ago and a modern IPS. I see all these devices becoming
one; I think a good name would be a “Security Check Point”, or a security
“Gateway”.

The point is that in the future you won’t have to isolate these different
technologies. You’ll just lay down a diagram of your environment and decide
where you want filtering. Virtually every device on your network will be
able to do all of these functions. All the way from the border router to the
workstation.

This is the next evolution in the security space, I think. It’s even more
advanced than NAC. Essentially, all pivot points and end hosts in the
enterprise are part of the collective. The SIM/SEM functions as the brain.
If there are performance issues then one type of security or another can be
disabled on various pivots as needed, but in general all pivots will be able
to perform all functions.

When an incident occurs, the system will simply isolate the problem by
implementing ACLs on the nearest pivot point. If it wanted to, it could even
push security information down to all other systems in the enterprise. To
the security system, routers, firewalls, workstations, servers — they’re all
the same. They’re just security nodes with various properties. Imagine
object-oriented programming.
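
A minimal sketch of the isolation step described above, as an added example that is not from the original post or from Marcus Ranum's talk: every device is the same node type, and the "brain" walks outward from the affected host to the nearest pivot that still has filtering enabled. The topology, class name and function names are all constructed for illustration.

```python
from collections import deque
from dataclasses import dataclass, field

@dataclass
class SecurityNode:
    """Router, firewall, server or workstation: all the same kind of object."""
    name: str
    is_pivot: bool = False               # forwards traffic for other nodes
    enabled: set = field(default_factory=lambda: {"filter", "detect"})
    acls: list = field(default_factory=list)

# Constructed topology: border router -> core -> two access switches -> hosts.
LINKS = {
    "border": ["core"],
    "core": ["border", "access-a", "access-b"],
    "access-a": ["core", "ws-1", "ws-2"],
    "access-b": ["core", "srv-1"],
    "ws-1": ["access-a"], "ws-2": ["access-a"], "srv-1": ["access-b"],
}

def build_nodes():
    pivots = {"border", "core", "access-a", "access-b"}
    return {n: SecurityNode(n, is_pivot=n in pivots) for n in LINKS}

def nearest_pivot(nodes, start):
    """Breadth-first search outward from the affected host for the closest
    pivot that still has filtering enabled."""
    seen, queue = {start}, deque([start])
    while queue:
        current = queue.popleft()
        node = nodes[current]
        if current != start and node.is_pivot and "filter" in node.enabled:
            return node
        for neighbour in LINKS[current]:
            if neighbour not in seen:
                seen.add(neighbour)
                queue.append(neighbour)
    return None

def isolate(nodes, host):
    """The 'brain' reacting to an incident: push a deny ACL to the nearest pivot."""
    pivot = nearest_pivot(nodes, host)
    if pivot is None:
        raise RuntimeError(f"no filtering pivot reachable from {host}")
    pivot.acls.append(("deny", host, "any"))
    return pivot.name
```

If filtering has been switched off on a pivot for performance reasons, the search skips it and the ACL lands one hop further out.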

Using this model a security engineer could look at their network and simply
assign logical security zones based on trust. The software would do the
rest. The hardware at that point becomes transparent. It’s just carrying out
the conceptual wishes of the engineer. I imagine an interface like the one
in Minority Report, with a large view of the network infrastructure being
displayed.

So basically, you design how you want it to work, and the devices
just make it happen. There’s no need for this kind of firewall or that kind
of IDS — all security devices will merge into one — with each of them being
able to do all filtering. The only reason they were separate was because
they came into existence independently and there were performance issues. As
these issues fade away there will be no reason whatsoever to keep their
functions separate.

Anyway, just a few thoughts…

[ UPDATE: The way I’d characterize it now in 2015 is that all security
filters do two things: look for something, and take an action. Whether it’s
a router or a layer 15 cross-port heuristic AI platform, that’s all we’re
doing. We just get better at doing one or both of those things. ]

May 23, 2025
