Interview with a security professional - Marcus Ranum

alt.don
SF Boss

Joined: 04 Mar 2003
Posts: 16777079

Posted: Wed Jul 13, 2005 12:53 am    Post subject: Interview with a security professional - Marcus Ranum

Continuing with our series of “Interview with a security professional” I am very happy to announce that Marcus Ranum one of the computer security pioneers has generously contributed his time to answer some questions for us.

Question

Do you feel that f/w technology in the past couple of decades has undergone any radical transformations? Specifically, as it has always really dealt with the NDIS and TDI layers?


Marcus’s Answer

Firewalls are pretty much the same thing as they were back in the early days. I'd say that NDIS or TDI are "implementation details" of how the firewall interposes itself in the data stream - whether the firewall is a device driver, a routine in the operating system, or a piece of code running in a switch or appliance, they pretty much all do the same thing.

Where it gets interesting is when you look at what a given firewall does when it starts looking at more than just packet headers. Back in the old days firewalls were either "packet filters" or "application layer gateways" - and the packet filters won out because they were easier to use, more permissive (hence, more attractive), and perceived to be faster. Packet filter firewalls keep evolving more and now they keep a fair amount of network connection state information - hence the marketing term "stateful firewall" or smart packet filter. Application layer firewalls keep getting re-discovered every couple years; first as a spam blocking gateway, then as a "web firewall" or whatever. But the basics are the same and remain the same: PERMIT or DENY. How you do it is where the details come in.

Question

Do you feel that an IDS or IPS really complements a f/w?

Marcus’s Answer

IDS, as it was originally conceived, was sound engineering design: let's detect failures and policy violations on our system. If you generalize that up to a network, then the obvious place to put your IDS is at the firewall, looking for firewall failures or policy violations. So far, so good.

Unfortunately, most people's firewall rules are ridiculously permissive. Most networks allow way too much garbage back and forth and it's pretty much impossible to actually do it securely. Then a funny thing happened: IDS were seen as being too "noisy" or unreliable because they were constantly generating alerts. My take on it is that a lot of the alerts were justified, but it annoyed the hell out of customers who had installed IDS to tell them "everything is just fine, be happy." So what happens when you combine firewalls that are letting too much through with IDS that generate too many alerts and are perceived as unreliable: "Intrusion Prevention Systems."

The basic concept of IPS is attractive (which is why marketing people carefully chose the name) but it's basically flawed. Most of the first generation IPS were not much more, and often less, sophisticated than a switch running Snort with connection-dropping rules instead of alert rules. The appearance of IPS caused all the IDS vendors and firewall vendors to re-brand their products to catch the "new wave" but basically they're all doing the same thing. I see IPS as "an IDS that evolved into a fail-open firewall." The new hot topic is "deep packet inspection firewalls" which are basically firewalls that include some IDS signatures. At least they aren't fail-open. I hope not, anyhow.

It's very hard to keep track of what anything is called anymore, as the marketing people keep struggling to come up with snazzy new terms for the same ideas we had back in the late 80's. Basically, the speeds and feeds, and depth of logic have changed, but there's not a lot that's new or interesting going on.

Well, wait - let me amend that. The one thing that is new is that old firewalls used to have 2 options: PERMIT and DENY. With an IPS or a DPI or whatever you want to call it, now there are 3 options: PERMIT, DENY, PERMIT AS LONG AS IT IS NOT OBVIOUSLY HOSTILE. That latter option does make sense to have if you're hooking a network to a business partner and want a high degree of access with them but want to somewhat reduce the risk.

I get scared by the IPS and DPI hype because customers are going to buy these things because they really look great on paper. But if you read even the vendors' glossy brochures they admit that they only know how to detect and block a few hundred (or dozen!) attacks on a dozen or fewer application protocols. That's really lame. Basically, these are a good technology for shooting down worms like CodeRed or Slammer that announce their presence with trumpets and a parade, but they're not going to work against future attacks or harder to categorize attacks like some types of recon tools. If IT managers want to shoot down well-known worms, they shouldn't throw a lot of money into IPS or DPI they should build networks that aren't trivial for even simple worms to knock over.

Question

The ever present argument of ASIC vs FPGA is always a contentious one. Where would you weigh in?

Marcus’s Answer

I don't care. ASIC/FPGA/general purpose processor is a debate about performance. Security is not a performance problem. Yes, security and performance are inter-related. It appears that the more inspection, error-checking, attack detection, application modelling, and state tracking that you do, the slower you are likely to be. It stands then to reason that the faster systems do less checking. And that's where hardware comes in: the idea is to do the same amount of checking at higher speeds using hardware accelerators. Unfortunately, I don't think that hardware accelerators help a whole lot - because when you get into doing complex checks that involve things like signatures, TCP reassembly, fragment reordering, and reassembly, or long-term statistics such as you might use to detect some kinds of anomalies - you're bumping up against the limits of what can be meaningfully accelerated by hardware.

Hardware also doesn't change very fast/easily. We're in an environment where the bad guys' techniques change fast and easily, so being burned into silicon may not be an advantage. Of course you can reprogram some hardware accelerators - in which case you're just talking about software being loaded into custom silicon, which is not a whole lot different from software being loaded into silicon from Intel.

Question

Do you believe that Microsoft's hacker bounty program will work? So far no one has publicly admitted to it working.

Marcus’s Answer

Well, it depends what you mean by "work". If you mean "work" as in "reduce the number of hackers" I think it's safe to say that it's a failure. In fact if you look at the rate of security problems across the industry, virtually everything that we have been doing is largely a failure. If, however, you interpret "work" to mean "good marketing to show that Microsoft is serious about computer security" I think it worked very well. Public perception is that Microsoft is serious about security and is putting a huge amount of effort into producing more secure systems.

The hacker bounty program that'd be most likely to work would be if the extortionist-hackers who were DDOS'ing UK gambling websites were to try that on some Russian mafia-owned websites. They'd be fishing dead hackers out of ponds all over Europe. It'll be interesting to watch the evolution of the relationship between organized crime and hackers. I think the hackers have no idea how dangerous a game they are playing.

Question

What do you think of Microsoft’s Honey Monkey project?

Marcus’s Answer

I have always thought that production honeypots are a great idea. Research ones are, too, but they're a LOT of work and I don't have a great deal of interest in the social lives of hackers. What Microsoft is doing is a clever extension of the honeypot concept - making it actively go out and look for new forms of malware is a great idea. It's a clever way of exploiting one of the most powerful and subtle security techniques: establishing a known baseline, doing something or letting something happen, and then checking for unexplained variations from the known baseline. It's a useful tool for Microsoft to have in their toolbag, but it's just a piece of the puzzle. In other words, it's clever, but it's not going to make Microsoft's products better or more resistant to malware, except indirectly as a result of what they learn from it.

Fundamentally, the way to build systems that are resistant to malware is not to get smarter about how we collect malware and learn about it, it's to design systems that aren't susceptible to malware from the get-go. Unfortunately, doing that would take a lot of work and more systems/design talent than Microsoft appears to have access to. It would also entail massive changes in how applications are written, which means "it's not going to happen" because of the gigantic momentum of the current installed base.

Question

When it comes to outbound filtering and the firewall, too many people don't implement it. Would you have a few "set outbound policies" that you would always advise people to do?


Marcus’s Answer

I think most people would consider my views in this matter to be extreme; time will tell! I think most firewall rules are _ridiculously_ over-permissive. In fact, if I were running an organization that had real security requirements, my firewall would not allow any direct outgoing connectivity whatsoever. All incoming Email would go through an attachment stripper that would isolate attachments onto a separate server where they could be downloaded via an SSL-authenticated link by the user, and that server would have some antivirus/antimalware engine installed. Attachment usage (in and out) would be closely audited on a per-user basis.

All web surfing would be through a proxy server, which would carefully log and track usage rates by user, and report surfing time-spent to group supervisors. All attempted direct outbound traffic would be blackholed onto a honeynet where an instance of honeyd would reply and log the attempt, destination, and service port for analysis. I'd also have internal filtering rules on the backbone routers/switches to restrict certain services to well-known servers. For example, the local or enterprise IMAP servers would be the only machines that could accept port 25 connections, and only well-known web servers could accept port 80 from outside of their subnets.

Sounds extreme, doesn't it? But in return, I'd promise a network that was virtually free of computer security problems, almost certainly free of worms and viruses, and largely free of time-wasting Internet games, chats, and porn. What blows my mind about the way many organizations practice information security is that they are willing to bear virtually ANY expense in order to avoid having to tell users "no, you can't do that." Rather than build networks that are worm-proof and intrusion resistant, corporate IT professionals follow the herd instinct and build networks that have zero failure-resilience, based on toy operating systems and software, and then throw massive amounts of money and time into patching them and cleaning them up after they get broken into.

Question

Were you to recommend two programming languages to our members to learn, which would they be, and why?

Marcus’s Answer

Some compiled language that encourages detail-oriented thinking, and some interpreted scripting language that allows rapid prototyping. I suppose that today the best candidates for that combination would be C and Java.

Motivation for my suggestions? If you don't understand how a language like C and the underlying processor/OS interact, you can never write fast, efficient code. On the other hand, once you've learned how to write fast, efficient code, then you can actually write useful "quickie hacks" in scripting languages, without producing bloated, slow garbage.

There's too much bloated, slow garbage out there. And it's because the current ideology is "everyone can be a programmer - even if they don't know how!" So you've got folks writing mission-critical apps using programmable middleware and they barely understand how to write code that works, let alone code that's reliable, secure, efficient, or fast.

Question

Lastly, do you have any words of advice for people who are seeking professional certification? Not necessarily only firewall certs, but certs in general? These certs sadly have almost become a must-have for many seeking employment.


Marcus’s Answer

Certificates are a poor substitute for accomplishment. When you run across a hiring manager that's fixated on a certification, basically it means that they are too lazy to understand the real expertise requirements for the position they are trying to fill. "Hey, I know, rather than trying to figure out how to tell what a real security expert knows how to do, let's rely on someone else's assessment of appropriate expertise!" Sounds kind of stupid, if you look at it that way, doesn't it?

Whenever someone asks for advice on how to further their career, I like to paraphrase Doc Edgerton's famous advice: "Work like hell, tell everyone everything you know, close a deal with a handshake, and have fun." If you want to make a mark on the industry where you work, do your best to push it forward a few inches and don't be ashamed to take credit for your work, if you do. I know people who spend weeks and weeks trying to get certifications and whatnot - but they'd get more "bang for the buck" professionally if they spent the same amount of time, identified an interesting problem in their field, kicked its ass, taught everyone how they did it, published a paper on how to do it, and maybe wrote a book on the topic. The publishing industry is always desperate for timely books on interesting topics and putting on your resume that you're the author of a well-regarded book on blahblahblah is going to count more than having some jumble of letters after your name. Besides, if you're out there breaking new ground and doing cool stuff, the guys pursuing certifications will be having to learn *YOUR* stuff in order to pass their exams.

I always try to encourage the younger guys and gals to go out and solve real problems for real people; it's the best thing you can have on your resume. When I used to be a hiring manager, if I had 2 resumes, one of which read "Bob X, certified whatever" and the other "Anne Z, who set up a secure internet gateway for a local old folks' home as a weekends and evenings project, including setting up anti-spam filtering and secure web-mail and chat" guess which got the job offer?

The way to build credibility in any industry is by having concrete accomplishments that are referenceable. I hope it's news to you, but some people actually lie on their resumes. How many hiring managers actually check to see if someone's claimed credentials are for real? Lots of HR people take the easy/lazy way out and assume the candidate is telling the truth. When you send in a resume that contains specific claims it's a lot easier to verify that they're true.

On behalf of the membership and myself I would like to extend a big thank you to Marcus Ranum for his time. It is always great to get answers from someone as talented, and dedicated, as Marcus.

This interview is copyright 2005 by the author and Security-Forums Dot Com, and may not be reproduced in any form in any media without the express permission of the author, or Security-Forums Dot Com.


Last edited by alt.don on Thu Dec 15, 2005 11:05 pm; edited 4 times in total
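To make the egress stance in the outbound-filtering answer concrete (no direct outgoing connectivity except via the web proxy and mail relay, other direct outbound attempts blackholed to a honeynet and logged, port 25 accepted only by the mail servers, port 80 accepted only by known web servers from outside their subnet) and the three verdicts from the IPS/DPI answer (PERMIT, DENY, PERMIT unless obviously hostile, applied here to a business-partner link), here is a small first-match policy model. This is an added example; it is not code from the interview, from Marcus Ranum, or from any firewall product. All addresses, host roles, the partner range and the hostile-signature string are constructed for illustration.

```python
"""First-match, default-deny policy model for the egress stance described in the
interview, plus the IPS-style "permit unless obviously hostile" verdict.
Added example; not code from the forum post, Marcus Ranum, or any product.
All addresses, roles and the signature below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

PERMIT, DENY, BLACKHOLE = "PERMIT", "DENY", "BLACKHOLE"

# Constructed topology (assumed, not from the page). Internal space is 10.0.0.0/8.
WEB_PROXY = "10.0.0.10"     # only host allowed to reach the Internet on 80/443
MAIL_RELAY = "10.0.0.25"    # only host that may send SMTP out or accept it inside
KNOWN_WEB = {"10.0.1.80"}   # servers allowed to accept port 80 from other subnets
PARTNER_NET = "192.0.2."    # business-partner link (documentation range)
# Constructed signature list for the "permit unless obviously hostile" verdict.
HOSTILE_SIGNATURES = [b"CONSTRUCTED-WORM-MARKER"]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes = b""


def is_internal(addr: str) -> bool:
    return addr.startswith("10.")


def is_partner(addr: str) -> bool:
    return addr.startswith(PARTNER_NET)


def subnet(addr: str) -> str:
    """/24 subnet key: the first three octets."""
    return ".".join(addr.split(".")[:3])


def looks_hostile(payload: bytes) -> bool:
    """Signature match: only recognises what is already on the list."""
    return any(sig in payload for sig in HOSTILE_SIGNATURES)


@dataclass
class Rule:
    name: str
    match: Callable[[Flow], bool]
    action: str


def policy() -> List[Rule]:
    """Rules are evaluated top to bottom; the first match wins."""
    return [
        # Egress: only the proxy and the relay may talk to the outside at all.
        Rule("proxy-to-internet", lambda f: f.src == WEB_PROXY
             and not is_internal(f.dst) and f.dport in (80, 443), PERMIT),
        Rule("relay-to-internet", lambda f: f.src == MAIL_RELAY
             and not is_internal(f.dst) and f.dport == 25, PERMIT),
        # Every other direct outbound attempt is diverted to the honeynet and logged.
        Rule("blackhole-direct-out", lambda f: is_internal(f.src)
             and not is_internal(f.dst), BLACKHOLE),
        # Partner link: broad access, minus anything matching a known-hostile signature.
        Rule("partner-hostile", lambda f: is_partner(f.src)
             and looks_hostile(f.payload), DENY),
        Rule("partner-unless-hostile", lambda f: is_partner(f.src)
             and is_internal(f.dst), PERMIT),
        # Internal segmentation: SMTP only to the relay, HTTP only to known servers
        # unless the client is on the same subnet.
        Rule("smtp-only-to-relay", lambda f: f.dport == 25 and f.dst == MAIL_RELAY, PERMIT),
        Rule("smtp-elsewhere", lambda f: f.dport == 25, DENY),
        Rule("http-same-subnet", lambda f: f.dport == 80 and is_internal(f.src)
             and subnet(f.src) == subnet(f.dst), PERMIT),
        Rule("http-known-servers", lambda f: f.dport == 80 and f.dst in KNOWN_WEB, PERMIT),
        Rule("http-elsewhere", lambda f: f.dport == 80 and is_internal(f.dst), DENY),
    ]


@dataclass
class Firewall:
    rules: List[Rule] = field(default_factory=policy)
    honeynet_log: List[Tuple[str, str, int]] = field(default_factory=list)

    def decide(self, flow: Flow) -> Tuple[str, str]:
        """Return (verdict, rule name); unmatched flows fall to the implicit default deny."""
        for rule in self.rules:
            if rule.match(flow):
                if rule.action == BLACKHOLE:
                    # Models honeyd answering and recording attempt, destination and port.
                    self.honeynet_log.append((flow.src, flow.dst, flow.dport))
                return rule.action, rule.name
        return DENY, "default-deny"


if __name__ == "__main__":
    fw = Firewall()
    for f in (Flow("10.0.2.5", "203.0.113.9", 443),           # workstation straight out
              Flow(WEB_PROXY, "203.0.113.9", 443),            # via the proxy
              Flow("10.0.2.5", "10.0.1.80", 25),              # SMTP to a non-relay
              Flow("192.0.2.4", "10.0.1.80", 80, b"GET / CONSTRUCTED-WORM-MARKER")):
        print(f, "->", fw.decide(f))
    print("honeynet log:", fw.honeynet_log)
```

The point the rule order makes is the one in the interview: the blackhole rule sits above the segmentation rules, so a workstation's direct attempt to reach the Internet on any port is logged rather than silently dropped, while the partner rules show how a signature-based "permit unless hostile" verdict only ever blocks what is already on its list.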
Cass
Lurker

Joined: 14 Aug 2003
Posts: 14
Location: Scotland

Posted: Wed Jul 13, 2005 2:00 am

Thanks for putting up this interview don, nice one, this is a guy I think we all should be listening to, he seems to shoot from the hip when it comes to this stuff and I especially appreciated his comments on the current state of firewalls and ids/ips, the recent gambling site blackmailings that have been going on and also his take on professional certifications. The name Marcus Ranum meant nothing to me until I read this interview and I was impressed enough by his comments to drop his name into a dogpile search (no I don't normally use google) and I was surprised by the amount of product he was involved in that I actually knew .... The same style of interview he gave here which was straight talking seems to follow him wherever he talks, and that seems to be all over the place.. Another good interview can be found below and I encourage all to have a read

http://www.securityfocus.com/columnists/334

I think this is enough of my rambling and I thank you (don and security forums and especially Marcus) for this interesting read, nice work chaps, keep it up...

Until the next interview..

Cheers
Cass
data
Forum Fanatic

Joined: 08 May 2004
Posts: 16777211
Location: India

Posted: Wed Jul 13, 2005 8:04 am    Post subject: Re: Interview with a security professional - Marcus Ranum

alt.don wrote:

Question

The ever present argument of ASIC vs FPGA is always a contentious one. Where would you weigh in?

Marcus’s Answer

I don't care. ASIC/FPGA/general purpose processor is a debate about performance. Security is not a performance problem. Yes, security and performance are inter-related.


It might make a big difference if one is implementing a factoring algorithm using FPGA. A speed up of 5/10/100 may be the difference of cracking RSA or not cracking it but I think Mr. Marcus was speaking a different line of thought. Great Interview and interesting answers. Thank you very much.

Sarad.
Rowdy Yates
Just Arrived

Joined: 20 Oct 2004
Posts: 1

Posted: Wed Jul 13, 2005 3:37 pm

Quote:
Marcus’s Answer

Certificates are a poor substitute for accomplishment. When you run across a hiring manager that's fixated on a certification, basically it means that they are too lazy to understand the real expertise requirements for the position they are trying to fill. "Hey, I know, rather than trying to figure out how to tell what a real security expert knows how to do, let's rely on someone else's assessment of appropriate expertise!" Sounds kind of stupid, if you look at it that way, doesn't it?


I like Ranum. But I have an issue with statements like these! What kind of attitude is this? The goal is to get a job that pays money. That's why we graduate high school, go to college, get masters degrees and get IT certifications.

If you worked your ass off to get a BA or MBA or MCSE, well if you want, you have every right to list that behind your name and try to use it to get a job. I like to say, "IT certifications are more an indication of someone's personal drive than their actual abilities". I personally like people with drive more than I like people who like to lecture me because they think they are better than me.

Lastly, we have to not forget, not all of us are in a position in our careers where we can achieve grandiose breakthroughs like Marc can. Most of us just really like IT jobs because we like working with computers and want to keep working in IT for that very reason.
ryansutton
Trusted SF Member

Joined: 25 Aug 2004
Posts: 67
Location: San Francisco, California

Posted: Wed Jul 13, 2005 3:59 pm

Thank you Don and Marcus, I enjoyed reading this interview, especially liked the Q&A about programming.

~Ryan
onoski
Just Arrived

Joined: 30 Nov 2005
Posts: 2
Location: London UK

Posted: Tue Dec 13, 2005 10:02 pm    Post subject: Microsoft puts most of us in IT roles

I think Marcus made some very valid and challenging points that actually got me thinking yep. However, I think he went on too hard with the issue of certs etc. I think a man of Marcus's calibre should know that M$ still rules regardless of his opinion or hard feelings and what not and that lots of us are in IT mainly because we love computers and Microsoft's patchy software gives way to more employment. Sounds funny but it's the hard knocks truth.
Tom Bair
SF Boss

Joined: 10 Aug 2002
Posts: 16776955
Location: Portland, Oregon USA

Posted: Wed Dec 14, 2005 3:52 am

I have to agree with Marcus on his assessment of certs. He makes outstanding valid points. However, since not everyone can be an expert in the field, I also can see the need for certs.

Yet he does speak good advice. Solving a problem or few does make you more visible and desirable than obtaining a cert.
sparrow
Just Arrived

Joined: 14 Dec 2005
Posts: 1
Location: Bay Area, California

Posted: Wed Dec 14, 2005 11:34 pm

Good interview. I very much enjoyed hearing what Marcus would do if he ran the security of an organization with real standards. It gave me some ideas. Most of all I appreciate the advice he gave, genuine and valuable.
M3DU54
Trusted SF Member

Joined: 11 May 2002
Posts: 1
Location: Las Palmas de Gran Canaria

Posted: Thu Dec 15, 2005 2:47 am

Rowdy Yates wrote:
I like Ranum. But I have an issue with statements like these! What kind of attitude is this? The goal is to get a job that pays money. That's why we graduate high school, go to college, get masters degrees and get IT certifications.

I don't think he meant that certification has no value (although IMO it often doesn't: see 'bootcamp'), simply that people with an understanding of the role can gain far more insight into your abilities by looking at your experience, projects, rollouts and how you answer specific questions on your field.

Rowdy Yates wrote:
If you worked your ass off to get a BA or MBA or MCSE, well if you want, you have every right to list that behind your name and try to use it to get a job.

Absolutely. And NOT having the paperwork may not get you to the first interview unless your appointments and accomplishments glitter... I'd never appoint someone solely on the papers they carry, unless it's for a menial position and I like their outlook. But if I'm looking for a VoIP man and I get someone who's performed numerous rollouts and practically (or literally) wrote the book on MGCP, H.323 and SIP I'll be happy if they don't have a cert to their name. I'd even take them just on the rollouts and what they say in an in-depth Q'n'A.

Rowdy Yates wrote:
I like to say, "IT certifications are more an indication of someone's personal drive than their actual abilities".

Then I assume you would agree that simply HAVING the paperwork doesn't always mean you can do the job. In my life I've met an awfully large number of people who were all paper and no punch. Including a CCNP who didn't know how to reset a password and had great difficulty setting up RIP v2 which is basic CCNA material.

I think these 2-week guaranteed certification bootcamps and such make faith in certs an even more dangerous folly. I understand what you are saying, I really do, but I do have to agree with Marcus on this one.

Certs ARE important, but they mean nothing without experience and a proven ability. Proven ability holds its value regardless of Certs. I don't want someone with drive and potential, I want someone who can visibly handle the job and can list his accomplishments.

Certs on their own don't tell me much.

-Meds