Few security measures are as ubiquitous as the network
firewall.
Marcus Ranum, the creator of the proxy firewall, doesn’t think that
an invention of the same stature will emerge in the foreseeable future,
though there is still plenty of room for IT security improvement.
Among Ranum’s numerous security products and initiatives over the last two
decades is the implementation of the first
commercial firewall, the Gauntlet firewall and the TIS firewall toolkit.
Ranum is currently the Chief Security Officer at Tenable Network Security,
which is known for its Nessus vulnerability scanner which was recently close sourced. He also is a technology adviser to numerous startups, including
Fortify, which aims to improve application security through code analysis
and correction.
Internetnews.com recently had the opportunity to chat with Ranum
about the current IT security-threat landscape.
Q: Is there a greater risk from operating systems vulnerabilities or from
applications?
Most of the statistics I’ve ever seen about platform vulnerability
are so heavily weighted by what the person who is doing the
statistic wants to show. So you’ve either got the studies funded by
Microsoft that make Microsoft look better, or you’ve got the studies that
were done by the open source developers to show that Linux is better.
The really important point is that both Windows and Unix/Linux platforms is
that the apps are place that are generally under attack.
If you’re fielding an e-banking application or something like that, you’re
going to stick a firewall in front of it. The firewall is going to take away
all of the vulnerability issues except for the stuff that you’re carrying
back and forth to your customer that you have to expose as part of letting
them talk to your application in the first place.
The main place for the firewall play is taking away all the operating system-specific stuff, but then you still have the question of whether the guy that
wrote the mass of code knew what he was doing.
Q: There is a trend among firewall vendors today toward unified thread
management capabilities that defend against all manner of malware. Is that a
positive trend? And does it actually help application security to any
degree?
It’s absolutely a good thing. It’s kind of ridiculous that in 2006 we have
security products that are separate from networking products, separate from
network-management products. They’re all joined at the hip and should have
been the same capability all along.
It’s nice to see that you can buy a product that will block what are
obviously worms crossing your backbone network.
The big problem with apps is that the layer 7 stuff they put into
firewalls is coded to detect and block well-known attacks. The stuff that
we see that causes trouble in attacks is when someone develops an attack
that is specifically coded to a target application. I don’t see the firewall
vendors being able to build blocks against custom applications.
If you’re going to stick that application out there, especially if it’s
e-commerce, much of the traffic will be encrypted anyway with SSL stuff. The
firewall can’t do anything. The application has to be strong enough to
withstand the attack by itself.
Q: How can end users protect themselves against application vulnerabilities?
There is really nothing end users can do.
Part of the beauty and the curse of the Web software-delivery model is that
all the stuff happens at the back-end server, and you’re front-end
device is running very limited amounts of code in the form of a Java applet
or whatever; but almost all of the interesting processing is happening at
the back end.
Users expect the software to be secure. They start with the assumption that
the software they are using doesn’t suck and they’re surprised when they
find out that it does.
Q: What do you see as the single biggest threat to IT security today?
Fundamentally the entire computing community is a victim in this situation,
so you can never lay any of the blame for any of this on anyone but the
hackers.
If there were no hackers, there wouldn’t be any security problems.
That’s kind of a tongue-in-cheek answer because there are always going to be
hackers and there will always be criminals.
There are a lot of places where application security is deadly, because
the vulnerabilities are customized for the apps and the bad guys are going
after these really important apps. If they manage to score a hit, they score
these incredibly damaging attacks.
Then on the other side you have the vulnerability searchers who are looking
for high-propagation common attacks. Buffer overflows and things like that.
For them the leverage is not that they attack a single target that puts
millions at risk; they’re trying to attack millions of different targets.
There are almost two completely different dimensions as to how this thing
represents itself. I think both of them are really horrible. It would be
hard for me to say which one is more horrible.
Q: Is open source an ally of the security professional or an opponent?
I think that open source is a wash. I think that the professional software
companies that are really developing stuff have teams of organized grown ups
working on code, and in a lot of cases turn out better code.
The
“many eyes” philosophy of open source coding makes about as much sense as the
“many monkeys approach” to producing Shakespeare.
Having many eyes — if they were all harnessed under team leaders and structure — makes a whole lot of sense. But the review of code as it
happens in the open source movement is that it’s largely random and
uncoordinated and the quality of the people doing the reviews is extremely
variable.
Q: Is there still the possibility out there for another “big” innovation of
the same stature of the firewall? Or has everything already been done and
now it’s just a matter of additional features and functions?
My role in the early days of the firewall was that there were all of these
really good ideas for border gateways. People were calling them all kinds of
things, and there were all these good ideas floating a around. I stole
some and I cleaned some up, polished them and welded them together into this
idea that turned out to define a commercial product. I think that what’s
going to wind up happening.
There are lots of ideas that come along all the time, and when you dig at you
realize that, “oh that’s just a trusted systems access control bit brought
forward into today’s nomenclature.”
There are guys out there that are doing XML security gateways; well that’s
really just a proxy firewall brought forward to today’s networking
protocols.
I think in all areas of intellectual endeavor, if you generalize things
broadly enough, you’ll realize that Plato the Greek thought of them all.
I think probably all the great ideas in computer security were had
back in the 60s or 70s.
The biggest invention that we need to have is we need to bring scientific
methods forward into computing as a whole.
There are a lot of really great ideas from the past that need to be brought
forward, but I don’t think there is going to be any great new whiz bangs.
Unless somebody is able to solve the hard form of artificial intelligence
process and produce a real machine intelligence, I don’t think we’re going to
see any breakthroughs.
