'Offensive technologies' can secure networks
- — 15 May, 2007 10:29
Can you cite and example or two of exciting research you've come across of late in the computer security field that might be of interest to someone running a corporate network?
I'm clearly biased, but I think our work on redesigning the enterprise network with security in mind (SANE/Ethane) points to some important ideas that hopefully will gain greater traction in the coming years. Such as implementing fine-grain, centrally managed access controls at the level of users and end-hosts, and using strongly authenticated network endpoints for doing access control, instead of the mess of IP and MAC-level ACLs that we have today.
I also think that virtualization technology has the potential to radically change the way we secure enterprise networks, by providing a more flexible platform for deploying security technologies both on (in the form of intrusion detection and prevention that leverages virtualization) and off (in the form of virtual appliances) the end-host.
How do you think the battle is going these days between those attacking networks and those defending them?
Hard to say, since it really depends on what market you are talking about. There is a constant arms race going on between attackers and defenders, and fortunes change pretty rapidly.
Overall the space of technologies seems to be growing a lot faster than the space of well designed/secure technologies. So I don't expect to be out of work anytime soon. That said, I think the Wild West atmosphere with huge herds of botnets roaming the plains is bound to give out at some point, I don't think there is a question of if here -- merely when.
Any other hot buttons for you?
The most important thing that folks like you in the technology press can do is influence CIOs and others making purchasing decisions to put pressure on vendors to build more secure products. The more intelligence there is in the market about what practices make products robust (such as the use of good development practices, from conservative design to safe languages and testing), and the more negative market response there is to security vulnerabilities, the sooner we will have more secure systems. Bruce Schneier and others are right in their claims that we don't need a security industry, what we need are operating system vendors, network equipment vendors, database vendors and so on that are shipping products that are more secure by design.
Other than that, I think that the usability of security right now is still abysmal. Any vendor shipping a product that pops up a button that asks an end user to make some choice that they clearly can't make with any degree of intelligence should be ruthlessly hounded until they do the right thing.