Showing posts with label Academia.

Sunday, April 25, 2010

Back, this time for real (I hope)

With summer coming up, it is time to get the old blog posts rolling again.

I have a nice, lengthy post coming up, courtesy of a review we just got from a journal (a good one too, which makes it even more sad). The single review was in response to our paper examining public versus private firewall rules, which asked the simple question: do you really gain that much by keeping your firewall rules private? Hint: the answer is way less than one would think.

Anyway, on to the money quote from the reviewer:

Firewalls are generally considered a hack, not any real guarantee of security. A backstop. Do we need to analyze this hack with such loving care?
Wow, just wow. One would be hard-pressed to come up with a better example of why industry ignores the security community.

Wednesday, February 25, 2009

Firewall Complexity

It appears that our work looking at firewall complexity in the most recent ISSA Journal is nicely coinciding with work being done in industry. Secure Passage just released a survey coming to roughly the same conclusions that we did, albeit focusing primarily on Fortune 1000 companies, whereas our survey was more broadly based.

Of particular note, the top two findings from the Secure Passage report:

Top 10 Shockers Revealed by Respondents:
1. 73 percent think firewall rule bases are too complex or out of control
2. 59 percent feel that a lack of management tools makes policy management difficult
Living firmly in the land of academia, and hence able to speak from the ivory tower, I think these works should be a huge wake-up call for how security research should proceed. All too often in security research, the perfect becomes the enemy of the good, but I think researchers forget that easy-to-use security (yes, Virginia, there is such a thing) offers a huge benefit to the overall health of the Internet ecosystem. Certainly, there is a need for high-end, complex systems, such as for DARPA and the like, but by and large, complexity is not a friend of security.

Moreover, I do not think the problem is one of building a better interface for the existing tools. It is a general philosophy where complexity is viewed as an informal indicator of correctness or completeness. Unfortunately, as my students can attest, try publishing something novel but not terribly complex and the results are often less than heartening. Perhaps that is best left to industry, but certainly these surveys attest to the security elephant in the room: we know things are bad and really cannot do too much about it*.

Hat tip: Athena Security, which has a tool for reducing firewall complexity, Athena FirePAC.

Wednesday, February 4, 2009

On spam and publicity

As one transitions in the world of academia from naive, newly minted junior professor to slightly older but still naive junior professor, the opportunities for service become quite numerous. Recently, I have served / am serving as the track chair or publicity chair for several conferences. After having surveyed the landscape of the various lists, I have several definite preferences. Keep in mind that this is network-centric and individual experiences may vary.

- The DB World and ACM SIGOPS method are very, very cool. Plug the conference info into a web form and, voilà, an instant posting at an easy-to-recall location.

- The WTC form is not a bad outlet, with the web output being checked before it is sent out. This is nice, but the form needs a bit of work, as it could very easily send out multiple copies.

- The good old standby of tccc is slowly getting overrun with everyone and their brother advertising Calls for Papers. Being a member of the list and being in the position of track chair and publicity chair, I have seen things from every angle. Not getting enough papers, or getting nervous? One more CFP into the void. *sigh* Yet another CFP from that same conference, yeesh.

There is a fairly cool effort, WikiCFP, which my recent spamming of lists as publicity chair for a conference must have prompted to send me an e-mail. Looks cool and yes, we will be posting our conference there too.

PS: For any publicity chairs in the networking area, send me a note and I can give you a definite run-down of pretty much all of the major mailing lists :)