When trust isn't enough

Internet expert K.C. Claffy talks about next-generation security architectures.

K.C. Claffy, a well-respected member of the computer science research community, has made it her mission to understand the Internet and all its nuances. As principal investigator at the Cooperative Association for Internet Data Analysis (CAIDA), an 8-year-old collaboration among commercial, scientific and government entities, Claffy watches over the Internet - collecting and analyzing performance statistics in order to help create an Internet robust enough to handle ever-increasing resource demands. For instance, with Claffy leading the way, CAIDA is the go-to organization for information on 'Net-based virus attacks. In this interview, Claffy, one of our 50 most powerful people in networking for 2004, talks about security on the Internet and in the next-generation enterprise network.

In your time at CAIDA, what Internet performance trends have you noticed?

Consumers and producers in the IT marketplace have gotten used to Moore's Law and expect similar advancements in every product area. Combine the push for more/better/faster with globalization and commoditization and you get the happy result of 10 Gigabit Ethernet selling for the same cost per port in 2005 that 10M-bit/sec Ethernet sold for in 1985. At this point, the challenge isn't getting enough but rather keeping it long enough to depreciate it. Eventually, we'll reach a saturation threshold where a vast majority of powered devices are stagnant. For example, a TCP/IP controllable light switch in your home will send about 10 bits a minute, but because of cost-per-port issues it will be connected by a 54M-bit/sec wireless or 100M-bit/sec wired Ethernet. Upgrades will not be possible.

What changes have you seen in how Internet security is handled?

The greatest single advance has been in "up leveling," the training and salary of law enforcement personnel responsible for managing information-age crime. Ten years ago, anyone who knew how to track down a child pornographer could make a ton more money in the private sector than in the public sector. Today, these skills are taught at the community college level and just about every new FBI special agent is an expert before he gets his badge. This is good, but it's still only the tip of the iceberg. Inter-governmental cooperation, treaties and research funding for information-age affairs are still tiny compared to, for example, what's done with atomic power or space exploration.

Do you see any performance and security problems that can't be solved?

If some day we do all we can - which we're not, today - we'll still be left with human nature. Smart, motivated people will continue to find ways to break laws that haven't been invented yet, and cause law enforcement and the technology industry to innovate to keep up. It's possible that as an evolutionary force, this is good, since it ensures that complacency can't happen.

How will the increasing "Webification" of applications and use of Web services affect Internet performance and security?

As a ubiquitous interface, the Web will make it easier for more attackers to try to guess more passwords. This will look, at first, as though the Web is less secure than the proprietary interfaces it replaces. However, the real weakness is in having guessable passwords, or in having passwords at all rather than hardware-token security schemes (like ATM cards and PINs). Hopefully, the end result will be a rapid advance of the hardware-token security business. Imagine something like Microsoft Passport, not controlled by any one bank or any one software company but rather by a federation.

What advice would you give to IT executives at Fortune 500 companies that are moving quickly to provide Web-based application access to an ever-widening user base?

I would warn them against single-vendor solutions. Even though multiple vendors are more expensive to manage and deploy, modern enterprises have to have diversity as a core value and management of diversity as a core strength. Follow standards, but get your file servers and desktop clients from different vendors. Both hardware diversity and software diversity are necessary.

What will security look like for the fully automated, virtualized, on-demand enterprise of the future? How will that be different than today's security architecture?

Today's security architecture is a hodgepodge of proprietary systems with various high priests and sole sources keeping it all running. In the future, we'll see single sign-on based on RFID and presence and PINs, retinas, fingerprints, smartcards and other hardware-token schemes. The time is coming when employees will use the same card key to get into the parking lot and the intranet Web server. When they get home and do their Christmas shopping online, they'll be using an RFID-enabled "credit card" plus a USB thumbprint scanner to authorize credit and debit transactions. The reason we don't have this today isn't that it hasn't been invented yet, but that no one trusts any single company to bring it to market, and the federation of related companies and governments for this hasn't been formed as yet.

What's your security advice when it comes to building new data center architectures?

It's 'motherhood and apple pie' time. Security doesn't depend as much on the quality of your locks or firewalls as it does on the usability of the secure system. If you put a man-trap on your data center requiring a 30-second entry/exit process, what you'll get is the back door propped open so that your technicians can go for a smoke when they want one. Similarly, if you put in a firewall so tight that most things can't get through it, what you'll get is a bunch of employees using public 802.11 wireless networks to get the part of their work done that your firewall doesn't allow.

Gittlen is a technology editor in Northboro, Mass. She can be reached at sgittlen@charter.net.


Copyright © 2005 IDG Communications, Inc.