Marcus J Ranum is one of the most famous engineers to ever turn his attention to IT security. He is known as the creator of the firewall and has authored – among other things – DEC SEAL, TIS Gauntlet and the TIS Internet Firewall Toolkit. In this exclusive email interview, ahead of the InfoSecurity 2003 show in Milan, he talks about Microsoft, hackers and the whether users have learnt any lessons…
What is the future of security? What challenges we will have to face? Do you foresee radical changes in the architecture of security systems?
I think computer security is a very new field, really – and it’s one we don’t appear to understand very well. Unlike engineering sciences where we have learned how to construct solid systems with plenty of overhead and conservative design, we haven’t figured out how to cope with the inherent complexity of software.
For example, Microsoft used to brag that Windows was 50+ million lines of code. That makes Windows one of the most complicated things people have ever built. Why do we expect flawless security out of such a system? So the future will go one of three paths: – A return to simpler systems (unlikely but to me the most technically feasible) – Some kind of means of managing all the complexity (hard to accomplish and will require new things we haven’t invented yet) – The situation will remain the same.
How will the integration between different security systems and products go? Will we continue to have separate components or will everything work together?
Everything _SHOULD_ be integrated but it probably won’t. Right now the way people think about integrating a system is to buy a firewall from over here, an IDS from there, a VPN from here and glue them together to make them work. To do it right, we’d need a completely seamless integration – right now the only company that even appears to know how to do that kind of thing is Microsoft. But even Microsoft’s integration hides lots of ugly little coding stuff behind the nice seamless interface.
To do it right someone would need to start a new company to build a firewall/IDS/VPN/host IDS/host integrity checker/anti-virus system/encryption system/ and secure web server from scratch – all designed to work together under a common management interface. THAT is hard, and it’d take a lot of money.
On top of that, customers already have installed systems they’d be reluctant to just take out and replace. So I don’t think that a completely integrated security system will happen unless it’s so compelling customers will be willing to throw away their existing investments in software. I don’t see that happening any time soon, do you?
Many vendors say a firewall is not enough. What future developments do you foresee with this kind of product?
Have you noticed that usually the vendors saying "a firewall is not enough" are selling you something that goes on in addition to your firewall? It’s a funny coincidence, no? ;) What’s sad to me is that firewalls could _ALMOST_ be enough except that the vision of firewall designers ended with ‘fast packet inspection’ and never went further. The only reason we have an intrusion detection product market at all is because the firewall vendors were too busy selling firewalls to think to add intrusion detection abilities to them. And they were too afraid of slowing their products down and losing customers in benchmarks. Firewalls have embraced doing VPNs pretty effectively. Why they aren’t doing content scanning, anti-virus, intrusion detection and honeypots is really a mystery to me.
How do you think future developments in operating systems will affect security problems? Do you see a prevalence of Windows or Linux or traditional Unix for security systems?
I don’t think operating systems make much difference. Both Windows and Unix have powerful abilities to enforce security restrictions on applications. But everyone leaves them turned off or application writers don’t take advantage of them – or actually require them to be disabled. So I don’t think operating systems will make much difference as long as you get ‘turn off your anti-virus product while installing this program’ is the norm.
How much did 11 September influence security issues and technologies?
Not much, really. There has been a lot of hype but very little actual change.
What do you think of the ethical hacker community?
There’s no such thing as an ‘ethical hacker’ – that’s like saying ‘ethical rapist’ – it’s a contradiction in terms. The situation is that in the late 1990s a lot of the hackers realised that they could cash in and make big $$$ by using their skills for legitimate purposes. That’s basically a scam, because there have always been legitimate security practitioners that were as skilled (usually more skilled) than the hackers. But the hackers did a good job of trading off of their underground chic and made a ton of money. It’s really just marketing. I can’t blame someone for wanting to cash in and I guess it’s better to have these guys working honest jobs than out causing trouble. What bugs me are the ‘ethical hackers’ that are working as ‘security practitioners’ and who are _STILL_ out there writing and distributing hacking tools and actually helping cause the problem they are making money trying to prevent. That’s just unethical.
Is there a particular project you are working on now?
These days I am working as a consultant on a number of important and interesting projects, and am also getting interested in security log analysis. I’ve just updated a website on log analysis (http://www.loganalysis.org) and have been writing tools for forensic log processing. It’s an interesting project because sometimes you’re dealing with large amounts of data and need to process them very rapidly. Trying to find a single possible attack in 422 million log records (a real project I was just working on) is a challenge at many levels. It keeps my life from getting boring. :)
Marcus J Ranum was interviewed by Alberto D’Ottavi, editor-in-chief ZDNet Italia. Ranum will be giving a keynote speech entitled ’15 years in the computer security industry’ at InfoSecurity 2003, to be held in Milan, 12-14 February.