The following text is copyright 1999 by Network World, permission is hereby given for reproduction, as long as attribution is given and this notice is included.

The absence of network security

by Scott Bradner

"There is no such thing as a secure computer network." The New York Times said that a week ago and if the New York Times says something it must be true. But do protocol and applications developers understand the implications of this?

Computer networks, almost by definition, cannot be, in themselves, secure. The aim of computer networks is to facilitate access to computer-based resources. In order to do so they transport information from one place to another, generally with a user or two somewhere along the line. Users are a problem in the security world. They forget things (like passwords). They get frustrated at the imposition of complex security procedures and circumvent them to make their lives easier. They loan their friends their accounts. And too many of them think they are underpaid, overworked or underappreciated, and so are potentially corruptible. It sure would be a lot easier security-wise without users.

Anything you do to make the users' lives easier has security implications. For example, if you allow a remote user access to the corporate servers, you have to open a door that other remote people may be able to exploit. Or if you run an email system that can transfer programs or macro-filled documents, you are opening a barn door.

But it turns out that a major problem is the attitude of protocol and applications designers. In the IETF we now insist that all working groups keep security in mind as they design their protocols, but even there security is frequently added reluctantly at the end rather than designed in from the beginning. I say reluctantly because I keep getting the response "my customers are not asking for security" when I ask why a working group has not yet considered security. It has sometimes been quite a fight to get working groups to seriously worry about the issue.

If it's this hard to get secure protocols within an organization that has made security a specific goal, it seems to be almost impossible in commercial applications development organizations. Features are added to programs seemingly without any thought of the security implications.

This is not going to be easy to fix. Security is hard. Some of the people who would exploit security holes are very smart (if more than a bit immoral). They will find any small chink in the armor, and unless the developer is a real security expert it is hard to see a chink when you are programming one in. The problem is made harder because of the easy-to-run exploitation scripts that get widely distributed. But it must be fixed. Companies must get security expertise into their software development groups, and users must use the resulting security tools, or the Internet bubble may just burst in a very ugly way.

disclaimer: Harvard has seen many bubbles come and go but the above worry about this bubble is mine.