September 2004: Fred Avolio

Appreciating the Importance of History in Network Security

Fred Avolio is a member of the Institute faculty. He is a security consultant, writer, and instructor who has worked with Internet security systems for over 15 years. Write to him at

“It’s still the same old story: a fight for love and glory, a case of do or die.” These words, made famous in the Warner Brothers’ movie Casablanca, remind us of what U.S. philosopher and poet George Santayana (1863–1952) once wrote: “Those who cannot remember the past are condemned to repeat it.”

One of the problems in the computer and network security space is that we behave as if we have no history. Or, perhaps we have lost our sense of history.
Either way, we will not learn from our mistakes. We will spend needless hours going over the same old ground, reinventing the same old devices.

We see evidence of this in some of the questions that Forum Members raise, on topics such as buffer overflows, application-level security, and certification.

My purpose in the space this month is not to make anyone feel stupid. There should always be room for questions and answers. One of the primary purposes of our Forums is for mutual edification and education — and I mean Members, Faculty, Staff, and Providers. Rather, the point of this column is to raise some of these already-solved questions and to encourage us to appreciate the importance of our history.

Buffer overflows. We probably all know that they are bad. Buffer overflows are to blame for a majority of the non-virus attacks on our networks today. Buffer overflow attacks exploit buggy software (data is not verified) and allow the execution of arbitrary code (well, not arbitrary-– code that the “attacker” wants you to execute.) It must be near impossible to get this right.

It is not impossible, but it takes extra work, which costs money. People will always make mistakes. Bad guys will continue to try to take advantage of those mistakes. Do we remember the Morris Worm? It was the first attack on the whole Internet. It was not like more recent memorable attacks (Nimda) only because the Internet was a lot smaller back then. But some of you reading this have never heard of the Morris Worm. (Google it!) Do we ask solution providers to take extra time and effort to test software? Do we tell them we would be willing to pay more money? Or do we ask for cooler features?

The need for application-level security. At the Forums we talk about “Intrusion Prevention Systems” in the “Monitoring, Detection, and Prevention” track. At the New York Metro Forum’s Solution Provider panel last year, a few panelists asserted that firewalls filter on IP packet header information only. Over the past year, trade magazines have trumpeted “application intelligence” and “deep packet inspection.” None of these are new concepts (unless you consider 1992 “new”). Why is this important to know and remember?

We have to know what our security devices can and cannot do. We have to recognize marketing-speak (or -hype) from something that really is new. But, we also have to know that we can and should apply older technology more securely. Use what we have, and have had, already.

Do we need application-level security? Sometimes yes. Does it matter if it is in an old application gateway, proxy-based firewall, or a new wiz-bang “in-line intrusion prevention system?” Maybe. Maybe not. But, let’s start knowing what’s been there already and what has worked, what has not, and why.

Strong user authentication. As in “instead of reusable passwords,” some of our organizations get this. I see many security tokens and smart cards with digital certificates among Forum Members. Still, many of us are using reusable passwords. There is a better way. Security tokens – crypto calculators and one-time password systems -- have been around for over a decade. Of course, they still are not as convenient as passwords.

Convenience vs. security. Or usability vs. security or functionality vs.… They will always be at odds. Know this up front so that you factor it into your policies and procedures after your risk analysis. End users – the people security practitioners support – never ask for extra security. They never notice when your firewall is too permissive. (“Excuse me. I don’t think I ought to be able to do this.”) They ask for “bigger,” “faster,” “more,” but never “more secure.” That is the security person’s job. This tension will never go away this side of Heaven. (But isn’t it nice that there are some things on which you can count?)

Security certifications. Are security certifications important? Of course they are. Of course they are not. Really, it depends. (And you recognize that those two words are very significant when we are talking “security.”) Certifications are just fine — maybe even great. This is especially true if you do not have the opportunity to expose your knowledge at conferences and in print, or if you can use them as a reason for further education and career enhancement. But, certifications are no substitutes for experience. Every one of us probably knows someone who has a CISSP but zero practical experience. Or we know people who seem to be professional “certification test takers” on someone else’s dollar. It doesn’t make someone a bad or useless person. But being “certified” and having experience is not the same thing.

The bottom line on all of this is that our history is important because it is a source of knowledge through experience. And the ability to apply knowledge to a new problem, the ability to know the rules and know when to break them, is — as Richard Thieme has pointed out at some of our Forums — what helps us be more effective in our vocations and exposes the expert as an expert.

Fred Avolio is a member of the Institute faculty. Write to him at