Probably every organization has some type of firewall. Can we comfortably say that the perimeter is as secure as it can be?
No, actually it's getting worse. The first generation of firewalls worked fairly well because you were only letting a small number of fairly well-specified application protocols through them. Today's firewalls have to deal with letting back and forth these undocumented, proprietary protocols written by some kid as their weekend project, or by some company trying to make a quick million dollars and throw some application over the fence. Those are not specified at all, yet they're deemed business-critical, so they're being punched right through the firewall.
What enhancements or new types of firewalls are emerging to address this?
The obvious trend is to combine all boundary security processing capabilities into a single device. Very early on, firewalls subsumed VPN concentrators, so they became a firewall VPN endpoint. Now they've added signature processing capabilities from intrusion detection systems, and now they call it intrusion prevention. I think that down the road we're going to see firewalls that embrace more content filtering, so they'll be spam blocking, and Trojan horse blocking, and voice-over-IP spam blocking. But as far as a runway for adding some fundamental new breakthrough for firewalls, I don't see that happening. Like I said earlier, the firewall situation is getting worse because there are more complicated protocols going through them. The only thing that would make our firewalls good again would be if we took a step back and said, "You know, doing remote procedure calls over encrypted HTTP links is really difficult to secure; let's stop doing that." I don't see that happening. It's market pressure.
You've got customers having stuff marketed to them that isn't ready for primetime. The best example would be wireless security. People now are realizing that they've got these gigantic wireless deployments that are a security disaster. Any technologist who had had his brain turned on would've realized this is something we needed to think about, but the technology wasn't there. The vendors didn't provide that as a core feature in the product set because the customers weren't saying, "We're not going to buy this until you provide it."
The real answer -- it's what the old school security practitioners have been saying all along -- is you have to understand what's going on on your network, period. And what's going on on your network has to be coupled to your business mission. It's got to be absolutely the minimum amount of stuff that's going to let you accomplish your mission. If that means people can't surf the Web from their desktops, so be it. If you had a corporation where the only connection was one that allowed e-mail back and forth, you would have a lot fewer security problems. Even if you just said no e-mail with attachments, you've blown away most of the problem there.
A recent Forrester Research study found almost 50% of organizations plan to invest in personal firewalls for client computers. Is this the next frontier in firewalls?
I see it as a good sign, but I'm not convinced how much it's going to actually help. There's this dirty, huge secret in computer security that the entire industry has been ignoring for the last 10 years. It's the problem of transitive trust, which basically says that if I trust you and you trust Bob, implicitly I trust Bob and I don't even know it. In fact, implicitly I trust everyone that you're trusting and I don't even know it. And so a lot of these Web applications and online applications are assuming that the endpoint computer has some kind of security -- it's just kind of being left as an exercise to the end user. That's not a very good assumption.
Web application firewalls are an emerging category. Do organizations need them?
The Web application firewall is a return to the philosophy of the application-aware proxy, and I think that's a decent idea. That's something I kind of invented. The idea was that it would mediate your application's protocol between two networks, and in the process of mediating it would do protocol correction and verification, and it would also disallow dangerous operations if it knew what dangerous operations were, even turn those on and off by policy, and so forth. I don't think most of the Web application firewalls out there today do that level of detail. I think a lot of them know what Code Red looks like, and they allow you to whitelist and blacklist different URLs, and that's great to be able to do that.
But what we really need is to be able to make strong statements that the data we're allowing back and forth into our networks is correctly structured. If you can state accurately what "correctly structured" means, then you leave malware out of the definition, and you've solved a vast number of problems. I don't think that's being done, because in order to write something that is going to do that level of content checking, you need a specification for what the protocol looks like that is correct, and most of these protocols are being revised every 24 minutes.
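An added example (not from the interview or any product Ranum names) of the application-aware proxy idea described above: a positive specification of a small, constructed "orders" protocol, a mediator that admits only requests conforming to it, and a policy switch for operations flagged as dangerous. The protocol, field names and sample requests are all invented for illustration.

```python
"""Added example: a minimal application-aware mediator. Anything not in the
positive specification is denied; dangerous operations are gated by policy."""
import re
from dataclasses import dataclass


@dataclass
class Op:
    method: str
    path: re.Pattern        # compiled regex; matched with fullmatch
    params: dict            # field name -> (expected type, value check)
    dangerous: bool = False  # may be switched off by policy


# Constructed spec of a tiny "orders" protocol. Everything not listed is denied.
SPEC = [
    Op("GET", re.compile(r"/orders/(\d{1,9})"), {}),
    Op("POST", re.compile(r"/orders"),
       {"sku": (str, re.compile(r"[A-Z0-9]{4,12}").fullmatch),
        "qty": (int, lambda v: 1 <= v <= 100)}),
    Op("DELETE", re.compile(r"/orders/(\d{1,9})"), {}, dangerous=True),
]


def mediate(req: dict, policy: dict) -> tuple:
    """Return (allowed, reason) for req = {"method", "path", "body"}.

    body is a dict of already-parsed fields, or None for bodiless requests.
    """
    for op in SPEC:
        if op.method == req.get("method") and op.path.fullmatch(req.get("path", "")):
            break
    else:
        return False, "no operation in spec matches method/path"
    if op.dangerous and not policy.get("allow_dangerous", False):
        return False, "dangerous operation disabled by policy"
    body = req.get("body") or {}
    # Exact field set: no missing fields, and no extra ones the spec never described.
    if set(body) != set(op.params):
        return False, f"fields {sorted(set(body) ^ set(op.params))} not in spec"
    for name, (typ, check) in op.params.items():
        val = body[name]
        # type() rather than isinstance(): bool must not pass as int.
        if type(val) is not typ or not check(val):
            return False, f"field {name!r} malformed"
    return True, "conforms to spec"
```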
One of the premises of Web application development is that you can write your own new business-critical protocol in under an hour. How can you possibly be reasoning about what the correct behavior of that protocol is? Frankly, the computer security industry most closely represents the diet food industry. All these people are clamoring to sell all of these solutions, and their premise is all the same: If you do what we're telling you, you can eat a gallon of Ben & Jerry's [ice cream] every day and not get fat. The way that translates to security is we've got all of these firewalls and intrusion prevention systems and antivirus systems and desktop firewalls, and what they're basically saying is, you can do dangerous things using badly designed software in safety.
Is application security the next battleground?
That's crucial, and that's one of the reasons a bunch of us have been banging the drum about that for a long time. If you start looking at how to do software security, the answers all come back to: You have to design your application before you code it. You have to understand your problem before you start shipping software. Software needs to become an engineering discipline approached by mature professionals -- not by rapid application development code monkeys fueled to the eyeballs with Jolt cola being given ridiculous deadlines by managers who don't understand what software does.
You sit on the board of Fortify Software. Are these newer types of automated tools to test application security working?
One of the things that the Fortify tool will do is it will walk through your entire application and track the usage of components and data in the system, and red flag areas where there's dangerous usage, and red flag what appears to be the usual mistakes being made. It's an extra set of eyes looking over the programmer's shoulder. But when you get a development team using a tool like Fortify, they wind up getting religion about security very quickly. They say, "Wow, our software's just riddled with security holes." And then they start fixing it, and that gives you the opportunity to come in and talk about how your design can be improved, so that these problems are not endemic to your system. The sad truth is, the software development world has been doing it wrong and making so much money doing it wrong for a long time that producing a sea change is going to be very difficult.
It's still very early in the history of computing. We've been computing for 50 years or so. Look at most areas of science. You have to go through this period where everybody is trying to build perpetual motion machines, until reality settles in. And I think that's a lot of what's going on with computing right now. The reality of how important this stuff is just hasn't settled in.
Marcus J. Ranum, a world-renowned expert on security system design and implementation, is chief of security at Tenable Security Inc. He is recognized as the inventor of the proxy firewall and the implementer of the first commercial firewall product. Since the late 1980s, he has designed a number of groundbreaking security products, including the DEC SEAL, the TIS firewall toolkit, the Gauntlet firewall and NFR's Network Flight Recorder intrusion detection system. He has been involved in every level of operations of a security product business, from developer to founder and CEO of NFR. He has served as a consultant to many Fortune 500 firms and national governments.