CIO — Most members of the IT community have vivid memories of the security nightmares that got passed around the campfire during the great migration from terminal/host to client/server architectures. "The new environment is raising grave concerns," we said in a major article on the topic in February 1994, and that was?if anything?an understatement.
In that piece we were particularly concerned about the doofus threat: the possibility that client/server systems would magnify the effects of simple sloppiness or incompetence by "empowering" nontechnical employees to do damage never possible with a terminal. On the other hand, threats from outside were barely mentioned, partly because we thought a new category of products called "firewalls" showed good promise for dealing with those problems.
Internet Firewalls Frequently Asked Questions (by Matt Curtin and Marcus J. Ranum, available at www.interhack.net/pubs/fwfaq) compares these products not to real firewalls like those that protect your feet from a car’s engine compartment, but to the reception and security desks that most companies have at their front door. Like those desks, firewalls control authentication routines, decide which packet types to admit into the network and which to keep outside the velvet rope, and do head counts on both incoming and outgoing traffic.
Conceptually the idea couldn’t be simpler, and it is easy to see why we had confidence in it. In practice, however, firewalls turned out to be no panacea. According to the "2001 Computer Crime and Security Survey," prepared by the Computer Security Institute and the FBI’s Computer Intrusion Squad, two-thirds of computer security practitioners participating in the study experienced financial losses from security breaches in the previous year, generally theft of information or fraud. Those able to measure these losses (and willing to reveal them) reported an average of $3.7 million per incident. Every category of network assault (penetration, denial-of-service attacks, viruses) showed significant increases.
In retrospect a little military history might have helped us anticipate this failure. Military theory argues that offense is limited by penetrating power and defense by sensing, analysis and calculation. This is not to say that either side cannot use the assets of the other, only that offense is usually better off spending resources on muscle, and defense, on intelligence. Rapid technological change also tends to favor the offense, probably because breakthroughs in muscle come along more often than significant improvements in brains.
In other words, during high innovation periods, we tend to get relatively beefier, stupider and more offensive. While this concept had its origins in military science, it is an excellent description of ’90s technology as well. The development of the Internet allowed hackers to recruit legions of machines into coordinated attacks on target systems. Further, according to Marcus Ranum, currently CTO of NFR Sec-urity in Rockville, Md., the old Internet was a store-and-forward system, in which firewalls could take time to process complicated security checks. "The Net today is real-time," he says. "When people hit a button they expect something to happen." This puts a limit on how sophisticated firewalls can be.
