RealTime IT News

Marcus Ranum, CSO, Tenable Network Security

Few security measures are as ubiquitous as the network firewall.

Marcus Ranum, the creator of the proxy firewall, doesn't think that an invention of the same stature will emerge in the foreseeable future, though there is still plenty of room for IT security improvement.

Among Ranum's numerous security products and initiatives over the last two decades are the implementation of the first commercial firewall, the Gauntlet firewall, and the TIS Firewall Toolkit.

Ranum is currently the Chief Security Officer at Tenable Network Security, which is known for its Nessus vulnerability scanner, recently made closed source. He is also a technology adviser to numerous startups, including Fortify, which aims to improve application security through code analysis and correction.

Internetnews.com recently had the opportunity to chat with Ranum about the current IT security-threat landscape.

Q: Is there a greater risk from operating systems vulnerabilities or from applications?

Most of the statistics I've ever seen about platform vulnerability are so heavily weighted by what the person who is doing the statistic wants to show. So you've either got the studies funded by Microsoft that make Microsoft look better, or you've got the studies that were done by the open source developers to show that Linux is better.

The really important point about both Windows and Unix/Linux platforms is that the apps are the place that is generally under attack.

If you're fielding an e-banking application or something like that, you're going to stick a firewall in front of it. The firewall is going to take away all of the vulnerability issues except for the stuff that you're carrying back and forth to your customer that you have to expose as part of letting them talk to your application in the first place.

The main place for the firewall play is taking away all the operating system-specific stuff, but then you still have the question of whether the guy that wrote the mass of code knew what he was doing.

Q: There is a trend among firewall vendors today toward unified threat management capabilities that defend against all manner of malware. Is that a positive trend? And does it actually help application security to any degree?

It's absolutely a good thing. It's kind of ridiculous that in 2006 we have security products that are separate from networking products, separate from network-management products. They're all joined at the hip and should have been the same capability all along.

It's nice to see that you can buy a product that will block what are obviously worms crossing your backbone network.

The big problem with apps is that the layer 7 stuff they put into firewalls is coded to detect and block well-known attacks. The stuff that we see that causes trouble in attacks is when someone develops an attack that is specifically coded to a target application. I don't see the firewall vendors being able to build blocks against custom applications.

If you're going to stick that application out there, especially if it's e-commerce, much of the traffic will be encrypted anyway with SSL stuff. The firewall can't do anything. The application has to be strong enough to withstand the attack by itself.

Q: How can end users protect themselves against application vulnerabilities?

There is really nothing end users can do.

Part of the beauty and the curse of the Web software-delivery model is that all the stuff happens at the back-end server, and your front-end device is running very limited amounts of code in the form of a Java applet or whatever; but almost all of the interesting processing is happening at the back end.

Users expect the software to be secure. They start with the assumption that the software they are using doesn't suck and they're surprised when they find out that it does.

Q: What do you see as the single biggest threat to IT security today?

Fundamentally the entire computing community is a victim in this situation, so you can never lay any of the blame for any of this on anyone but the hackers.

If there were no hackers, there wouldn't be any security problems. That's kind of a tongue-in-cheek answer because there are always going to be hackers and there will always be criminals.

There are a lot of places where application security is deadly, because the vulnerabilities are customized for the apps and the bad guys are going after these really important apps. If they manage to score a hit, they score these incredibly damaging attacks.

Then on the other side you have the vulnerability searchers who are looking for high-propagation common attacks. Buffer overflows and things like that. For them the leverage is not that they attack a single target that puts millions at risk; they're trying to attack millions of different targets.

There are almost two completely different dimensions as to how this thing represents itself. I think both of them are really horrible. It would be hard for me to say which one is more horrible.

Q: Is open source an ally of the security professional or an opponent?

I think that open source is a wash. I think that the professional software companies that are really developing stuff have teams of organized grown-ups working on code, and in a lot of cases turn out better code.

The "many eyes" philosophy of open source coding makes about as much sense as the "many monkeys approach" to producing Shakespeare.

Having many eyes -- if they were all harnessed under team leaders and structure -- makes a whole lot of sense. But the review of code as it happens in the open source movement is largely random and uncoordinated, and the quality of the people doing the reviews is extremely variable.

Q: Is there still the possibility out there for another "big" innovation of the same stature of the firewall? Or has everything already been done and now it's just a matter of additional features and functions?

My role in the early days of the firewall was that there were all of these really good ideas for border gateways. People were calling them all kinds of things, and there were all these good ideas floating around. I stole some and I cleaned some up, polished them and welded them together into this idea that turned out to define a commercial product. I think that's what's going to wind up happening.

There are lots of ideas that come along all the time, and when you dig at it you realize that, "oh, that's just a trusted systems access control bit brought forward into today's nomenclature."

There are guys out there that are doing XML security gateways; well that's really just a proxy firewall brought forward to today's networking protocols.

I think in all areas of intellectual endeavor, if you generalize things broadly enough, you'll realize that Plato the Greek thought of them all.

I think probably all the great ideas in computer security were had back in the 60s or 70s.

The biggest invention that we need to have is we need to bring scientific methods forward into computing as a whole.

There are a lot of really great ideas from the past that need to be brought forward, but I don't think there is going to be any great new whiz bangs. Unless somebody is able to solve the hard form of artificial intelligence process and produce a real machine intelligence, I don't think we're going to see any breakthroughs.