Wednesday, February 25, 2009

Firewall Complexity

It appears that our work looking at firewall complexity in the most recent ISSA Journal is nicely coinciding with work being done in industry. Secure Passage just released a survey coming to roughly the same conclusions that we did albeit focusing primarily on Fortune 1000 companies whereas our survey was more broadly based.

Of particular note, the top two most shocking findings from the Secure Passage report:

Top 10 Shockers Revealed by Respondents:
1. 73 percent think firewall rule bases are too complex or out of control
2. 59 percent feel that a lack of management tools makes policy management difficult


Living firmly in the land of academia and hence being able to speak from the ivory tower, these works should be a huge wake up call for how security research should proceed. All too often in security research, the perfect becomes the enemy of the good but I think researchers forget that easy to use security (yes, Virginia there is such a thing) offers a huge benefit to the overall health of the Internet ecosystem. Certainly, there is a need for high end, complex systems such as for DARPA / etc. but by in large, complexity is not a friend of security.

Moreover, I do not think the problem is one of building a better interface for the existing tools. It is a general philosophy where complexity is viewed as an informal indicator of correctness or completeness. Unfortunately as my students can attest, try publishing something novel but not terribly complex and the results are often less than heartening. Perhaps that is best left to industry but certainly these surveys attest to the security elephant in the room that we know things are bad and really can not do too much about it*.

Hat Tip: Athena Security which has a tool for improving firewall complexity Athena FirePAC

Wednesday, February 4, 2009

Front page baby!

Very cool, our journal article looking at firewall management practices managed to make the cover of the ISSA journal. My student Mike Chapple did a very nice survey of current firewall administrators and IT managers to determine what self impressions administrators had of the correctness of their firewall configurations.

The short / sweet version is that firewall configurations are likely wrong and we know it and things are not getting better. System administrators are swamped and hoping that nothing major goes wrong. For those of you in the security business, I highly recommend using it as justification for a better raise or for hiring new people.

On spam and publicity

As one transitions later in the world of academia from naive, newly minted junior professor to slightly older but still naive junior professor, the opportunities for service become quite numerous. Recently, I have served / am serving as the track chair or publicity chair for several conferences. After having surveyed the landscape for various lists, I have several definite preferences. Keep in mind that this is network-centric and individual experiences may vary.

- The DB World and ACM SIGOPS method are very, very cool. Plug in conference info into a web form and voila, instant posting at an easy to recall location.

- The WTC form is not a bad outlet with the web output being checked before being sent out. This is nice but the form needs a bit of work as it could very easily send out multiple copies.

- The good old standby of tccc is slowly getting over run with everyone and their brother advertising Calls for Papers. Being a member of the list and being in the position of track chair and publicity chair, I have seen things from every angle. Not getting enough papers or getting nervous, one more CFP into the void. *sigh* yet another CFP from that same conference, yeesh.

There is a fairly cool effort that my recent spamming on lists as publicity chair for a conference must solicited an e-mail, WikiCFP. Looks cool and yes, we will be posting our conference there too.

PS For any publicity chairs in the networking area, send me a note and I can give you a definite run-down of pretty much all of the major mailing lists :)