Could you introduce yourself?
I am Marcus Ranum, Chief Security Officer of Tenable Network Security, Inc., the producers of the Nessus vulnerability scanner and a suite of security vulnerability management tools. I've been working in the computer security arena for about 20 years now, and was the designer and implementor of a variety of security solutions in the past, including firewalls, VPNs, and intrusion detection systems. I like to think I've been around long enough and done a wide enough variety of things that I've achieved a pretty good perspective on the trade-offs inherent in security technology.
I was the designer and implementor of the first commercial firewall product, the DEC SEAL, in 1990, and was an early innovator in proxy firewalls. In 1992 I wrote the TIS Firewall Toolkit and Gauntlet firewall, and set up and managed The President's email server (whitehouse.gov) during its first year of operation. I was founder and CEO of Network Flight Recorder, an early innovator in the IDS market, as well.
IPv6 should be the future. Do you see a more secure future then?
No, IPv6 isn't going to solve anything.
IPv6 is just another network protocol, and if you look at where the problems are occurring in computer security, they're largely up in application space. From a security standpoint IPv6 adds very little that could offer an improvement: in return for the addition of some encryption and machine-to-machine authentication, we get a great deal of additional complexity. The additional complexity of the IPv6 stack will certainly prove to be the home of all kinds of fascinating new bugs and denial-of-service attacks. Also, don't forget that the current version of IP has encryption and authentication built in already - and that hasn't helped solve any problems at all.
Do you think that the problem is that we can't develop a secure protocol, or that people who define standards underestimate security threats?
That's a profound question.
There are a lot of factors that combine to defeat security in up-front design. For example, there's basic human nature: the guys who are defining standards can't resist the urge to leave their personal stamp on the future - which results in standards that generally have been assembled based on a process of negotiation by committee. That doesn't really work. That's what gives us these insanely complex, multi-optioned, heavily layered standards that nobody really understands: every person on the committee had to lobby to get his or her favorite feature included. I don't think that process in any way helps bring about useful security standards. A case in point would be the IETF's terrible, fruitless attempts to establish a standard on IPSEC (IP crypto). It only took something like 9 years. Those of us in the commercial world who needed solutions just went ahead and solved the problem for ourselves while the IETF kept arguing. If I recall correctly, when we added IP crypto to our Gauntlet firewall in 1993, it took my engineer on that feature about two months to come up with a complete proprietary implementation.
I don't think that the standards committees underestimate security threats; I just think they're too busy doing things that are more important to them -- like holding meetings and writing minutes, or whatever it is that they do all the time. The standards I've seen that try to address security all seem to be over-engineered and too late, while the standards that ignore security are usually rapidly adopted and full of security problems. It's a no-win situation either way.
Do you have any idea how to improve the way RFCs get created?
I think the whole RFC process is obsolete.
In fact, it never would have worked at all, if not for the fact that in the early days, nobody cared about the Internet. So the IETF could have their meetings and write their RFCs in a vacuum that was free of commercial interest. Once the Internet became a commercial phenomenon, you can see that the IETF's productivity basically went to zero because the vendors were all trying to pack the working groups with their people to make sure that their existing implementations got selected as the standard. That's pretty much what happened with IPSEC, for example. IETF nearly converged on an IPSEC standard several times until Cisco and other large vendors began making rumblings about "we won't support this" and "we hold patents on that" to try to keep the market divided.
How would I improve it? I think if you look at what standards committees have become today, they're really little more than ratification bodies that rubber-stamp the de facto standard. Usually they tweak it a little bit to salve their pride but that is about it.
I think we could do away with the whole standards thing very easily if a few customers just exercised their economic power a little bit intelligently. Big customers have huge power, but they seem to have forgotten that. If the CTOs of 10 FORTUNE 500 firms announced that they were deferring further purchases of VPN products until they saw proof of interoperability, and open published specifications that weren't encumbered by patents or licenses, the whole market would standardize practically overnight. Because the truth is nobody cares about standards - everyone cares about what you can do with interoperable systems. If customers just openly refused to do business with vendors that produce non-interoperable systems, the whole thing would clear up really fast.
The RFC idea could be brought into the present day if it came from customers not vendors and dilettantes. How about if the CTO of AT&T announced "We're going to standardize on XYZ's implementation of online telephony" and the CTOs of GE, Verizon, Ford Motor [Company], and Citibank announced "we're doing that, too." Game over. Big customers need to drive standards by not tolerating market-dividing games from vendors. Sitting back and waiting for vendors to come up with standards means that they can divide the market while they're waiting to see who becomes the dominant player. Then everyone has to standardize on the dominant player anyhow. Right now, the whole way we do standards is 100% backwards. Just flip it around and it might work a whole lot better.