The following text is copyright 2003 by Network World, permission is hearby given for reproduction, as long as attribution is given and this notice is included.
Building security by making holes
By Scott Bradner
Last month I got a call from some of the folks at VanDyke Software. They wanted to chat about what they felt needed to have to go away to ensure the security of enterprise networks. Their list was, as one might expect, a bit self serving in some places (they sell software to fill some of the holes they think need to be created) but their list did get me thinking about what else it would be good to lose in the quest for a safer 'Net.
The VanDyke list of things to lose is:
1. Non-NT versions of Windows (95/98/ME)
2. Password authentication
4. Cleartext login to any root or administrator account
5. FTP (except in some cases, anonymous FTP)
6. Failure to provide end-user training in basic security policy and procedures
7. IT departments fighting against the proliferation of wireless network access points
8. Government studies on how to secure the Internet
The last one might not be quite politically correct and I do not think they meant it literally. But, so far, these studies have been more feel-good exercises than meaningful guidance.
The rest of their suggestions do make quite a bit of sense even though most are fairly obvious. Security 101 says to rid your net of anything that uses clear text passwords, and that is what suggestions 2 through 5 are all about. In spite of this being the first thing you should learn in network kindergarten, far too many networks are still being managed using good old telnet. Suggestion two goes a bit further to suggest using some additional login techniques such as biometrics or token cards - a very good idea for critical systems. Even though current generation Windows systems seem to be charter members of the critical-update-of-the-week club, the older version give porous a bad name - it's past time to get rid of them. Pretending that users will understand the importance and techniques of security without training is being in denial, at best. And, it is far better for the IT department to be on the forefront of installing wireless nets so that it can be done in a secure way - wireless is just too useful to assume that an IT department dictate against it will stop progress.
I think that the VanDyke list is a good start but I'd add a few things to it. For example, only half in jest, I would lose firewalls, they just get people thinking that they do not have to practice good security hygiene. I'd lose any network address translator (NAT) that was installed for security reasons -- NATs provide no meaningful security and make deployment of software innovations much harder. If I could not lose "national security" as a driver of network security, it is just too important, I would lose it as an excuse to shred what is left of individual privacy in the workplace and on the Internet. Finally, losing the DMCA would be the best thing that we could possibly do to improve the security of our systems and networks.
disclaimer: Harvard's museums are full of things that people lost but the above suggestions for more museum pieces are my own.