alt.don (SF Boss)
Posted: Wed Jul 13, 2005 12:53 am
Post subject: Interview with a security professional - Marcus Ranum
Continuing with our series of “Interview with a security professional” I am very happy to announce that Marcus Ranum one of the computer security pioneers has generously contributed his time to answer some questions for us.
Question
Do you feel that f/w technology in the past couple of decades has undergone any radical transformations? Specifically, since it has always really dealt with the NDIS and TDI layers?
Marcus’s Answer
Firewalls are pretty much the same thing as they were back in the early days. I'd say that NDIS or TDI are "implementation details" of how the firewall interposes itself in the data stream - whether the firewall is a device driver, a routine in the operating system, or a piece of code running in a switch or appliance, they pretty much all do the same thing.
Where it gets interesting is when you look at what a given firewall does when it starts looking at more than just packet headers. Back in the old days firewalls were either "packet filters" or "application layer gateways" - and the packet filters won out because they were easier to use, more permissive (hence, more attractive), and perceived to be faster. Packet filter firewalls keep evolving more and now they keep a fair amount of network connection state information - hence the marketing term "stateful firewall" or smart packet filter. Application layer firewalls keep getting re-discovered every couple years; first as a spam blocking gateway, then as a "web firewall" or whatever. But the basics are the same and remain the same: PERMIT or DENY. How you do it is where the details come in.
Question
Do you feel that an IDS or IPS really complements a f/w?
Marcus’s Answer
IDS, as it was originally conceived, was sound engineering design: let's detect failures and policy violations on our system. If you generalize that up to a network, then the obvious place to put your IDS is at the firewall, looking for firewall failures or policy violations. So far, so good.
Unfortunately, most people's firewall rules are ridiculously permissive. Most networks allow way too much garbage back and forth and it's pretty much impossible to actually do it securely. Then a funny thing happened: IDS were seen as being too "noisy" or unreliable because they were constantly generating alerts. My take on it is that a lot of the alerts were justified, but it annoyed the hell out of customers who had installed IDS to tell them "everything is just fine, be happy." So what happens when you combine firewalls that are letting too much through with IDS that generate too many alerts and are perceived as unreliable: "Intrusion Prevention Systems."
The basic concept of IPS is attractive (which is why marketing people carefully chose the name) but it's basically flawed. Most of the first generation IPS were not much more, and often less, sophisticated than a switch running Snort with connection-dropping rules instead of alert rules. The appearance of IPS caused all the IDS vendors and firewall vendors to re-brand their products to catch the "new wave" but basically they're all doing the same thing. I see IPS as "an IDS that evolved into a fail-open firewall." The new hot topic is "deep packet inspection firewalls" which are basically firewalls that include some IDS signatures. At least they aren't fail-open. I hope not, anyhow.
It's very hard to keep track of what anything is called anymore, as the marketing people keep struggling to come up with snazzy new terms for the same ideas we had back in the late 80's. Basically, the speeds and feeds, and depth of logic have changed, but there's not a lot that's new or interesting going on.
Well, wait - let me amend that. The one thing that is new: old firewalls used to have 2 options: PERMIT and DENY. With an IPS or a DPI or whatever you want to call it, now there are 3 options: PERMIT, DENY, PERMIT AS LONG AS IT IS NOT OBVIOUSLY HOSTILE. That latter option does make sense to have if you're hooking a network to a business partner and want a high degree of access with them but want to somewhat reduce the risk.
I get scared by the IPS and DPI hype because customers are going to buy these things because they really look great on paper. But if you read even the vendors' glossy brochures they admit that they only know how to detect and block a few hundred (or dozen!) attacks on a dozen or fewer application protocols. That's really lame. Basically, these are a good technology for shooting down worms like CodeRed or Slammer that announce their presence with trumpets and a parade, but they're not going to work against future attacks or harder to categorize attacks like some types of recon tools. If IT managers want to shoot down well-known worms, they shouldn't throw a lot of money into IPS or DPI they should build networks that aren't trivial for even simple worms to knock over.
Question
The ever present argument of ASIC vs FPGA is always a contentious one. Where would you weigh in?
Marcus’s Answer
I don't care. ASIC/FPGA/general purpose processor is a debate about performance. Security is not a performance problem. Yes, security and performance are inter-related. It appears that the more inspection, error-checking, attack detection, application modelling, and state tracking that you do, the slower you are likely to be. It stands then to reason that the faster systems do less checking. And that's where hardware comes in: the idea is to do the same amount of checking at higher speeds using hardware accelerators. Unfortunately, I don't think that hardware accelerators help a whole lot - because when you get into doing complex checks that involve things like signatures, TCP reassembly, fragment reordering and reassembly, or long-term statistics such as you might use to detect some kinds of anomalies - you're bumping up against the limits of what can be meaningfully accelerated by hardware.
Hardware also doesn't change very fast/easily. We're in an environment where the bad guys' techniques change fast and easily, so being burned into silicon may not be an advantage. Of course you can reprogram some hardware accelerators - in which case you're just talking about software being loaded into custom silicon, which is not a whole lot different from software being loaded into silicon from Intel.
Question
Do you believe that Microsoft's hacker bounty program will work? So far no one has publicly admitted to it working.
Marcus’s Answer
Well, it depends what you mean by "work". If you mean "work" as in "reduce the number of hackers" I think it's safe to say that it's a failure. In fact if you look at the rate of security problems across the industry, virtually everything that we have been doing is largely a failure. If, however, you interpret "work" to mean "good marketing to show that Microsoft is serious about computer security" I think it worked very well. Public perception is that Microsoft is serious about security and is putting a huge amount of effort into producing more secure systems.
The hacker bounty program that'd be most likely to work would be if the extortionist-hackers who were DDOS'ing UK gambling websites were to try that on some Russian mafia-owned websites. They'd be fishing dead hackers out of ponds all over Europe. It'll be interesting to watch the evolution of the relationship between organized crime and hackers. I think the hackers have no idea how dangerous a game they are playing.
Question
What do you think of Microsoft’s Honey Monkey project?
Marcus’s Answer
I have always thought that production honeypots are a great idea. Research ones are, too, but they're a LOT of work and I don't have a great deal of interest in the social lives of hackers. What Microsoft is doing is a clever extension of the honeypot concept - making it actively go out and look for new forms of malware is a great idea. It's a clever way of exploiting one of the most powerful and subtle security techniques: establishing a known baseline, doing something or letting something happen, and then checking for unexplained variations from the known baseline. It's a useful tool for Microsoft to have in their toolbag, but it's just a piece of the puzzle. In other words, it's clever, but it's not going to make Microsoft's products better or more resistant to malware, except indirectly as a result of what they learn from it.
Fundamentally, the way to build systems that are resistant to malware is not to get smarter about how we collect malware and learn about it, it's to design systems that aren't susceptible to malware from the get-go. Unfortunately, doing that would take a lot of work and more systems/design talent than Microsoft appears to have access to. It would also entail massive changes in how applications are written, which means "it's not going to happen" because of the gigantic momentum of the current installed base.
Question
When it comes to outbound filtering and the firewall, too many people don't implement it. Would you have a few "set outbound policies" that you would always advise people to do?
Marcus’s Answer
I think most people would consider my views in this matter to be extreme; time will tell! I think most firewall rules are _ridiculously_ over-permissive. In fact, if I were running an organization that had real security requirements, my firewall would not allow any direct outgoing connectivity whatsoever. All incoming Email would go through an attachment stripper that would isolate attachments onto a separate server where they could be downloaded via an SSL-authenticated link by the user, and that server would have some antivirus/antimalware engine installed. Attachment usage (in and out) would be closely audited on a per-user basis.
All web surfing would be through a proxy server, which would carefully log and track usage rates by user, and report surfing time-spent to group supervisors. All attempted direct outbound traffic would be blackholed onto a honeynet where an instance of honeyd would reply and log the attempt, destination, and service port for analysis. I'd also have internal filtering rules on the backbone routers/switches to restrict certain services to well-known servers. For example, the local or enterprise IMAP servers would be the only machines that could accept port 25 connections, and only well-known web servers could accept port 80 from outside of their subnets.
Sounds extreme, doesn't it? But in return, I'd promise a network that was virtually free of computer security problems, almost certainly free of worms and viruses, and largely free of time-wasting Internet games, chats, and porn. What blows my mind about the way many organizations practice information security is that they are willing to bear virtually ANY expense in order to avoid having to tell users "no, you can't do that." Rather than build networks that are worm-proof and intrusion resistant, corporate IT professionals follow the herd instinct and build networks that have zero failure-resilience, based on toy operating systems and software, and then throw massive amounts of money and time into patching them and cleaning them up after they get broken into.
Question
Were you to recommend two programming languages to our members to learn, which would they be, and why?
Marcus’s Answer
Some compiled language that encourages detail-oriented thinking, and some interpreted scripting language that allows rapid prototyping. I suppose that today the best candidates for that combination would be C and Java.
Motivation for my suggestions? If you don't understand how a language like C and the underlying processor/OS interact, you can never write fast, efficient code. On the other hand, once you've learned how to write fast, efficient code, then you can actually write useful "quickie hacks" in scripting languages, without producing bloated, slow garbage.
There's too much bloated, slow garbage out there. And it's because the current ideology is "everyone can be a programmer - even if they don't know how!" So you've got folks writing mission-critical apps using programmable middleware and they barely understand how to write code that works, let alone code that's reliable, secure, efficient, or fast.
Question
Lastly, do you have any words of advice for people who are seeking professional certification? Not necessarily only firewall certs, but certs in general? These certs sadly have almost become a must-have for many seeking employment.
Marcus’s Answer
Certificates are a poor substitute for accomplishment. When you run across a hiring manager that's fixated on a certification, basically it means that they are too lazy to understand the real expertise requirements for the position they are trying to fill. "Hey, I know, rather than trying to figure out how to tell what a real security expert knows how to do, let's rely on someone else's assessment of appropriate expertise!" Sounds kind of stupid, if you look at it that way, doesn't it?
Whenever someone asks for advice on how to further their career, I like to paraphrase Doc Edgerton's famous advice: "Work like hell, tell everyone everything you know, close a deal with a handshake, and have fun." If you want to make a mark on the industry where you work, do your best to push it forward a few inches and don't be ashamed to take credit for your work, if you do. I know people who spend weeks and weeks trying to get certifications and whatnot - but they'd get more "bang for the buck" professionally if they spent the same amount of time, identified an interesting problem in their field, kicked its ass, taught everyone how they did it, published a paper on how to do it, and maybe wrote a book on the topic. The publishing industry is always desperate for timely books on interesting topics and putting on your resume that you're the author of a well-regarded book on blahblahblah is going to count more than having some jumble of letters after your name. Besides, if you're out there breaking new ground and doing cool stuff, the guys pursuing certifications will be having you learn *YOUR* stuff in order to pass their exams.
I always try to encourage the younger guys and gals to go out and solve real problems for real people; it's the best thing you can have on your resume. When I used to be a hiring manager, if I had 2 resumes, one of which read "Bob X, certified whatever" and the other "Anne Z, who set up a secure internet gateway for a local old folks' home as a weekends and evenings project, including setting up anti-spam filtering and secure web-mail and chat" guess which got the job offer?
The way to build credibility in any industry is by having concrete accomplishments that are referenceable. I hope it's news to you, but some people actually lie on their resumes. How many hiring managers actually check to see if someone's claimed credentials are for real? Lots of HR people take the easy/lazy way out and assume the candidate is telling the truth. When you send in a resume that contains specific claims it's a lot easier to verify that they're true.
On behalf of the membership and myself I would like to extend a big thank you to Marcus Ranum for his time. It is always great to get answers from someone as talented, and dedicated, as Marcus.
This interview is copyright 2005 by the author and Security-Forums Dot Com, and may not be reproduced in any form in any media without the express permission of the author, or Security-Forums Dot Com.
Last edited by alt.don on Thu Dec 15, 2005 11:05 pm; edited 4 times in total
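The outbound posture Marcus describes in his answer on outbound filtering (no direct outgoing connectivity, the proxy and the mail relay as the only hosts that talk out, and every other direct outbound attempt blackholed onto a honeynet running honeyd so the attempt, destination and service port get logged), together with the third verdict from his IPS/DPI answer (PERMIT AS LONG AS IT IS NOT OBVIOUSLY HOSTILE, for a business-partner link), modelled as a first-match packet-filter policy. This is an added example written for this page; it is not code from the original post or from Marcus Ranum. Every address, port, interface role and "hostile" byte pattern below is constructed for illustration, and the policy uses a mail relay rather than the IMAP server the post names as the port-25 host. It goes one step past the text by running a simple analysis over the honeynet log (`scanning_sources`) to surface the internal host sweeping many destinations, which is what that log exists for.

```python
"""
Model of a default-deny outbound policy with a honeynet blackhole and a
partner link that is permitted unless the payload is obviously hostile.
Added example, not from the original post; all values are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed network layout (assumption for the example).
INTERNAL = "10.0.0.0/8"        # our address space
PROXY = "10.0.0.10/32"         # the only host allowed to browse out
MAIL = "10.0.0.25/32"          # the only host allowed to send/receive SMTP
WEB_SERVERS = "10.0.0.80/32"   # the only host allowed to accept port 80
PARTNER = "192.0.2.0/24"       # business-partner network
ANY = "0.0.0.0/0"

# Byte patterns an INSPECT rule treats as "obviously hostile" (constructed).
HOSTILE = [b"/default.ida?", b"cmd.exe?/c+"]


@dataclass
class Conn:
    src: str
    dst: str
    dport: int
    direction: str = "out"     # "out": leaving our network; "in": reaching a server
    payload: bytes = b""


@dataclass
class Rule:
    name: str
    src: str                   # CIDR
    dst: str                   # CIDR
    dport: Optional[int]       # None matches any port
    direction: str
    verdict: str               # PERMIT, DENY, INSPECT or BLACKHOLE


# First match wins, as in a conventional packet filter.
POLICY = [
    Rule("proxy-out", PROXY, ANY, None, "out", "PERMIT"),
    Rule("mail-out", MAIL, ANY, 25, "out", "PERMIT"),
    Rule("partner-out", INTERNAL, PARTNER, None, "out", "INSPECT"),
    Rule("direct-out", INTERNAL, ANY, None, "out", "BLACKHOLE"),
    Rule("smtp-in", ANY, MAIL, 25, "in", "PERMIT"),
    Rule("http-in", ANY, WEB_SERVERS, 80, "in", "PERMIT"),
    Rule("default-in", ANY, ANY, None, "in", "DENY"),
]


def matches(rule: Rule, conn: Conn) -> bool:
    return (rule.direction == conn.direction
            and ip_address(conn.src) in ip_network(rule.src)
            and ip_address(conn.dst) in ip_network(rule.dst)
            and (rule.dport is None or rule.dport == conn.dport))


def evaluate(conn: Conn, policy: List[Rule] = POLICY) -> Tuple[str, str]:
    """Return (verdict, rule name). INSPECT collapses to PERMIT or DENY
    depending on the payload; BLACKHOLE means 'hand to honeyd and log'."""
    for rule in policy:
        if not matches(rule, conn):
            continue
        if rule.verdict == "INSPECT":
            hostile = any(sig in conn.payload for sig in HOSTILE)
            return ("DENY" if hostile else "PERMIT", rule.name)
        return (rule.verdict, rule.name)
    return ("DENY", "implicit-default")   # nothing matched: deny


def run(conns: List[Conn], policy: List[Rule] = POLICY):
    """Evaluate a batch and collect what the honeynet would record for each
    blackholed attempt: source, destination and service port."""
    verdicts, honeynet_log = [], []
    for c in conns:
        verdict, name = evaluate(c, policy)
        verdicts.append((verdict, name))
        if verdict == "BLACKHOLE":
            honeynet_log.append((c.src, c.dst, c.dport))
    return verdicts, honeynet_log


def scanning_sources(honeynet_log, threshold: int = 3) -> List[str]:
    """Internal hosts whose direct-outbound attempts hit at least `threshold`
    distinct destinations: the footprint of a worm or recon tool, which is
    what the honeynet log is kept for."""
    targets = defaultdict(set)
    for src, dst, dport in honeynet_log:
        targets[src].add((dst, dport))
    return sorted(s for s, t in targets.items() if len(t) >= threshold)


# Constructed traffic: normal flows, a user bypassing the proxy, a partner
# request carrying a CodeRed-style URL, and one host sweeping port 445.
SAMPLE = [
    Conn("10.0.0.10", "198.51.100.7", 80),                    # proxy browsing out
    Conn("10.0.0.25", "203.0.113.9", 25),                     # mail relay delivering
    Conn("10.0.0.50", "198.51.100.7", 80),                    # user bypassing the proxy
    Conn("10.0.0.50", "192.0.2.9", 80, payload=b"GET / HTTP/1.0"),
    Conn("10.0.0.50", "192.0.2.9", 80, payload=b"GET /default.ida?NNNNNNNN"),
    Conn("198.51.100.7", "10.0.0.80", 80, "in"),              # public web server
    Conn("198.51.100.7", "10.0.0.50", 80, "in"),              # workstation on port 80
    Conn("203.0.113.9", "10.0.0.25", 25, "in"),               # inbound mail
] + [Conn("10.0.0.66", f"198.51.100.{i}", 445) for i in range(1, 6)]  # worm sweep
```

`run(SAMPLE)` permits only the proxy, the mail relay and the public servers, denies the partner request that carries the hostile URL while permitting the clean one, and blackholes every other direct outbound attempt; `scanning_sources` over the resulting log names 10.0.0.66 alone, since the single proxy-bypass from 10.0.0.50 stays under the threshold. In a real deployment the BLACKHOLE verdict is a redirect of the flow to the honeyd host rather than a drop, precisely so that the attempt is answered and recorded instead of silently disappearing.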