Volume 2, Number 10, Nov 1997
Stamp Out Network Security
We are building an economy based on the religion of
intellectual property.
- Whitfield Diffie, Inventor of public key cryptography
My work sent me to Networld+Interop this year to attend a security
symposium, find out what nifty new hardware was going to be available
soon, and score free T-shirts (OK, that last item was my own ulterior
motive). I just got back from Atlanta and my bags aren't even unpacked,
but I had to rush to my computer to submit this month's Tales of the Geek Lord, and let you all know
something amazing:
Security is dead.
Once upon a time, a long, long time ago, a geek at UCLA and a geek at
SRI convinced their computers to talk to each other across leased
phone lines, using a nifty new concept in data transfer known as "packet
switching". These two geeks knew each other well, and trusted one another.
They anticipated problems, and bad data, and network failures, and silly
mistakes, and they would deal with these problems as they arose, as
distinguished engineers tend to do. But they never anticipated hostile
actions, or petty angst, or backstabbing capitalists, or corporate
espionage, or bored high school kids, or streaming video, or America
Online, or even the worst thing to be drifting around the Internet these
days: Security professionals.
It would have the best effect if I now said "I, yes I, am a security
professional!", but that's not quite true. I do a lot of work with
our own security team, and I have traveled to a few sites to help
them improve their network security, but I tend to work more in
design, installation and support. Security is just part of the overall
equation. In my job, you have to keep a positive attitude, or else you
wind up making excuses and falling way behind in your work.
Just like security professionals.
Security pros are as varied as everyone else on the Internet. There
are firewall vendors, consultants, reformed hackers, and hundreds
and hundreds of clueless morons out to make a buck. Security has
become a buzzword, like "Extranets", or "Stateful". The only difference
is that the security buzzword has been passed around regularly since
the Internet Worm incident in 1988.
Why do I have such bad things to say about our brethren, the security
folks? Here are the top reasons:
- They lie. This item is worth a few subtopics. Here are the
most common lies:
- All you need is a firewall.
You can also substitute the word "cryptography" for firewall,
and get the same basic lie. What they are telling you with a
comment like this is that a network can be secured with one
magic silver bullet. To keep it basic, firewalls can be
circumvented, through internal modems or by disguising data as
traffic the firewall permits. Cryptography protects data only
between the two points that share a key; once the text leaves its
last encrypted hop, there is no guarantee that it is not being
recorded and rebroadcast.
- You don't need a firewall. Oh yes, my son. You do. If
you run even a very small network, with only a few servers on
it, then you already have too much work to do. Recording and
analyzing all traffic on your network is sure to be more work
than you can possibly do, and still go about the business of
providing what your network exists to provide anyway. A firewall,
if nothing else, will enforce your basic rules of usage, and
prevent a good 90 percent of intrusion attempts.
- There are thousands and thousands of serious hackers out
there.
This lie exists to give you the impression that you have hired
your security professional in the nick of time, because at this
moment some whiz kid with years of programming experience is
preparing himself to invade your network, and put graffiti of
a disparaging nature all over your web site. To borrow a quote
from Jeffrey Schiller, the network manager for MIT, "Clue
remains a constant". 10 years ago, there were about 100 people
who really had administrative control over the way the Internet
was run, and there were about 1000 people who really understood
how the Internet works. Despite the recent growth in Internet
usage, those numbers have remained roughly constant. A hacker
isn't worth a damn unless he truly understands the way things
work, and of the 1000 people out there who understand the net,
most of them are dedicated to keeping it working. The few real
hackers out there who are up to no good are probably not
interested in your web site. They have other things to do, like
publish books on how to be a hacker, or avoid the bull rapist in
the prison yard.
- I used to be a dangerous hacker.
This may not be a complete lie, depending on your definition of
"dangerous hacker". Most people who tell you this are really
saying they used to download hacker files off of the Internet,
or they spent a lot of time on #hack channels.
- They have given up.
Security is a tough job. There are fundamental vulnerabilities at
every level of internetworking. The applications you load on your
computer were driven by "time to market" considerations, not secure
communications. Security professionals have to deal with impossible
guidelines and shrinking budgets. In other words, they have the same
problems you do. The difference is they are not responding to these
problems. You can spend thousands of dollars on a security solution,
and be left with the promise that "You are never completely secure".
Too many security people use this concept to justify only going
through the motions, saying the same old things over and over, and
then letting the blame fall on you if you do not follow their
instructions to the letter.
- They never cared about you anyway.
Cynicism runs deep in security circles. So does hatred for their
customers, whom they view as stupid, petty and completely unreasonable.
As a security person is speaking to you, in the backs of their minds
they have alrea