
Infrastructure and Security

Infrastructure and Security. Marcus J. Ranum, mjr@nfr.net, Network Flight Recorder, Inc. Marcus Ranum would like to apologise in advance for any indiscretions he may commit on: ___________________. April 30, 1998. Topics: The Market; Security standards; How do we improve things?


Presentation Transcript


  1. Infrastructure and Security Marcus J. Ranum mjr@nfr.net Network Flight Recorder, Inc.

  2. Marcus Ranum would like to apologise in advance for any indiscretions he may commit on: ___________________ April 30, 1998

  3. Topics • The Market • Security standards • How do we improve things? • The role of strong foundations • Can DCE be a player? • Conclusions

  4. The Market • Key factors affecting security • Commoditization • New entrants • Consolidation • New protocols • The heat-death of the body standard

  5. Market: Commoditization • Security market (1992-1997) consisted of small players “one trick ponies” • Sharp competition has driven price of security products down... • Simultaneously distorting perception of marketability (e.g.: firewall madness of 1993) • Makes cost-sensitive customers avoid infrastructural security in favor of hacks

  6. Market: New Entrants • New entrants to market (1995 - 1998) are focused on staking out a market niche • Less interest in integrating/cooperating with larger/broader efforts • Time to market dominates startups • No time to attach to big, cumbersome standards efforts with high cost of entry

  7. Market: Consolidation • 1998 security market is consolidating • Most consolidation is security vendors buying each other (“rollups”) • Emphasis (and driver) of consolidation is coherent management and integration • This is a niche for foundation applications • But they are being built today “ad hoc”

  8. Market: New Protocols • New protocols are constantly being added • Many have unpredictable/undocumented properties • Time-to-market concerns override security and compatibility/infrastructure • Huge potential for new security flaws is completely un-addressed

  9. Market: Standards Bodies • The standards bodies have not yet realized that the world is passing them by at 1,000 miles per hour • Transition from “standards are important” to “market share is important” in 1993 - 1994 • Standards efforts are moribund but don’t know it yet - they are too slow

  10. Security Standards • Key Security Standards for the future • Digital certificates • Web • System management • Delegation and definition of trust

  11. Standards: Certificates • Not quite ironed out yet, but they will be • Too much money invested already • If they become widely deployed for E-commerce they will be used in virtually all security solutions • Good opportunity for infrastructure systems that handle them • But today they are still seen as black art

  12. Standards: Web • Web may become the next generation of middleware/foundation for other applications • Is DCE’s biggest competition http and SSL? • I think it is

  13. Standards: System M’gment • System management is the Next Big Area for innovation • (I may be late, judging from the Compaq/Microsoft/CA/HP announcements this week) • Management of infrastructure using the infrastructure itself • Security would be nice

  14. Standards: Trust Delegation • Nobody is really paying attention to this yet • Certificates are a tool for building it but are groping slowly in that direction • Foundation/middleware such as DCE should take it into account • It must be manageable (and management must also support trust delegation)

  15. How do we Improve? • Infrastructure • Self-Diagnosis • Management

  16. Improve: Infrastructure • We are in a maze of little fiddly infrastructure protocols, all different • RPC/ONC/SMB/HTTP/SSL • IPSEC/SOCKS • ... ad nauseam • The biggest single security improvement we can make is to adopt a common secure foundation

  17. Improve: Self-Diagnosis • Software and systems are never going to get less complex • Therefore they must grow better at managing complexity • Which means improved self-diagnosis • Are systems like DCE easy enough to deploy that my mother could do it?

  18. Improve: Management • We need • Security protocols that are manageable • Management protocols that are secure • Can DCE be managed by an office secretary? • It is management hassles that are making NT take over the desktop • It’ll have its own problems

  19. Improve: Strong Foundations • New applications need to be able to rely on foundation communications libraries that include: • Access control (firewalling) • Privacy policy (VPN) • Identity and Authorization (authentication and permissions databases) • Can DCE help?

  20. DCE a Player? • No • Yes

  21. No • Outside of a select circle, DCE is almost completely unknown • DCE’s competitors are smaller, faster, and more reactive to industry requirements • The “fast frog syndrome” • Too many vendor interests hamper ability to react (what about the Web?)

  22. Yes • You tell me

  23. Conclusions • Reactivity • Foundations

  24. Conclusions: Reactivity • Ability to rapidly react to changing market reality will make or break any technology currently being deployed • Whether it’s good or not is irrelevant as long as it’s tailorable and works by next week

  25. Conclusions: Foundations • The big challenge is to get DCE leveraged into the foundations of some kind of “killer app” • It must be simple to manage • It must be cheap • It must be lightweight (for NT desktops)

  26. Summary • Good luck!
