Wednesday, 10 October 2007


A long long time ago, when I was in short trousers and sandals, a spotty bespectacled youth named William invented some software named Windows. Or he stole it from his friend Stephen, depending on the version of events you prefer. Whatever, he made a bundle from it, and his vision of a computer in every home was well on its way to bearing fruit. Now, there may not be a computer in every home, but on average, we must be approaching it. I can count 6 from where I'm sitting (in my home), and there are others in other rooms. Those are just the PCs. There are computers in our phones, watches, cookers, boilers and cars. In short, they are everywhere. They have always grown up in the most convenient way possible.

In the 50s and 60s, computers filled whole buildings and data was kept in vast underground storage facilities on reel-to-reel tape. In the 70s and 80s, cassettes and disks were born, and in the 90s and today, hard disks, optical disks, etc. The capacities are increasing as the size decreases. The same goes for memory, Moore's Law stating that the capacity of chips doubles every two years - and whilst we're almost at a stage where that can't possibly keep happening due to physical limitations, quantum computing is now very much a reality. It's all pretty amazing how far we've come in such a short time, but that's mainly due to the vast sums of money to be made - young William now being the richest man in the world and everything.

At around the same time as Bill Gates brought computing to the masses, a company in San Francisco was switching on to the fact that these computers needed to be connected to each other. At first, Cisco Systems built dedicated Unix devices to take the routing load off machines passing messages around the internet. Where one machine had been sufficient for a whole department, government or university, now multiple machines were to be found in each physical location, and routing was becoming more complex. If each machine was to figure out its own routing, it would detract from its core function. Routers were a prime example of a technology of their time. Routers are still used everywhere on the internet, even in my house I have one - I need it to connect my many PCs and servers to the internet.

Routers have become much smaller over time of course. I wonder if we couldn't build them back into the machines again now they are so trivial, but Cisco has cleverly made their functions suitable for devices which sit at the perimeter of networks - controlling ingress and egress, and sometimes even access. Quality of service is a neat idea which keeps routers firmly in and of the network. Spanning-tree, although horrible, also keeps them out there. VLANs, BGP, you name it, if it appears on a router, it's there not just as a technical feature, it's a business ploy too.

This is the reason I believe there is no lasting reason for firewalls in our networks, or many other network devices in fact. I hesitate to say this having had a nice couple of messages from Richard Stiennon this week, but this has always been my stance and I'm sticking with it. Firewalls can be built into routers, so could IDP, and any other UTM type features. The hardware box which sits at the perimeter, your router, can handle all of this on very little hardware. With your routers and switches properly linked and managed, you shouldn't really need any firewall capabilities anyway.

Eventually then, these devices could be part of every machine, controlled from a central point - I wonder if there's a new William who will do that one day? Could it be possible to have such security at the heart of an operating system? I guess the point of this is, every device we put in our network runs on a computer. Every computer we put in our network could run the devices, and if it were powerful enough to do so without slowing down, it would be a far better way of protecting a machine. It's only software after all.

With this kind of thinking, taken to its logical (or illogical maybe) conclusion, we can see that the perimeter disappears. This makes communication between networks far simpler and safer. Imagine a secure DNS server in every machine. No reason it couldn't happen. Firewalls managed by a network administrator from a central point, firewalls which reside on every machine - just an interface on the admin's desktop to apply rules. Again, no reason why not. No device is needed to achieve this.
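To make the "one central policy, a firewall on every machine" idea concrete, here is an added example (not code from the original post) in which a single role-based policy is rendered into a default-deny nftables ruleset for each host, and the same policy can be queried to see whether a given flow is permitted. The inventory, roles, IP addresses and ports are all constructed for illustration.

```python
"""Central firewall policy rendered per host (constructed example).

The inventory and policy below are constructed samples, not any real site's
rules. Hosts carry a role; each role lists the inbound TCP ports it accepts and
from which role. The renderer emits a default-deny nftables ruleset for one
host, so one central policy yields a different, minimal rule set on each machine.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    from_role: str   # role allowed to connect ("any" = no source restriction)
    port: int        # TCP port accepted on the destination host


# Constructed inventory: hostname -> (role, IPv4 address)
HOSTS = {
    "web1": ("web", "10.0.1.10"),
    "web2": ("web", "10.0.1.11"),
    "db1": ("db", "10.0.2.10"),
    "admin1": ("admin", "10.0.9.5"),
}

# Constructed central policy: role -> inbound rules that role accepts
POLICY = {
    "web": [Rule("any", 443), Rule("admin", 22)],
    "db": [Rule("web", 5432), Rule("admin", 22)],
    "admin": [Rule("admin", 22)],
}


def hosts_in_role(role):
    """IPv4 addresses of every inventory host carrying the given role."""
    return [ip for _, (r, ip) in HOSTS.items() if r == role]


def render_host_rules(hostname):
    """Return nftables ruleset lines for one host: default-deny inbound,
    with only the ports and sources the central policy grants its role."""
    role, _ = HOSTS[hostname]
    lines = [
        "table inet host_fw {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    ct state established,related accept",
        "    iif lo accept",
    ]
    for rule in POLICY.get(role, []):
        if rule.from_role == "any":
            lines.append(f"    tcp dport {rule.port} accept")
        else:
            # Expand the source role into its member addresses at render time
            for src_ip in sorted(hosts_in_role(rule.from_role)):
                lines.append(f"    ip saddr {src_ip} tcp dport {rule.port} accept")
    lines += ["  }", "}"]
    return lines


def flow_allowed(src_host, dst_host, port):
    """Policy-level answer to "may src_host reach dst_host:port?".
    This evaluates the central policy, not the kernel's actual behaviour."""
    src_role, _ = HOSTS[src_host]
    dst_role, _ = HOSTS[dst_host]
    return any(r.port == port and r.from_role in ("any", src_role)
               for r in POLICY.get(dst_role, []))


if __name__ == "__main__":
    print("\n".join(render_host_rules("db1")))
    print("web1 -> db1:5432 allowed:", flow_allowed("web1", "db1", 5432))
    print("web1 -> db1:22 allowed:", flow_allowed("web1", "db1", 22))
```

The point of `flow_allowed` is that the administrator's desktop tool can answer reachability questions from the policy itself, before any rules are pushed; in a real deployment the rendered ruleset would be loaded on each host with `nft -f`, and the inventory would come from a directory or asset database rather than a literal.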

So what of my precious data-security? Can we do that without devices? No, I don't think so, because there are legitimate reasons for having secure, locked, tamper-evident, tamper-proof boxes for keeping keys in. Computers will probably never be that safe. However, by the same argument, will computers ever be built that we will want to run a bunch of security 'device' software on as well as our business processes? What will stop this convergence is the very thing that started it, economics. There will be a point when it is viable to stick personal firewalls on every desktop and have them centrally managed - we are probably there already. What is Anti-virus if not a personal IDP?

If everything that runs at the perimeter can be bundled up tightly enough, we could see the devices disappear. If this pushes the price of computing up too high however, economics will bring devices back up again. So, if the device manufacturers keep the cost of implementing the software high, devices stay, if they devalue, or open source becomes more popular, they go. Of course, when something becomes so popular, open source inevitably becomes a contender. These are the guys to watch out for. Microsoft can then snap them up and build them in, saying how great they are for supporting open source all the way. (Note Oracle doing this with Berkeley DB recently too - in a similar vein).

It seems to me that device based perimeter security is in danger of disappearing because of its own popularity, and it feels like we're on the cusp of this right now. A turning point where we will go one way or the other, and inevitably so once the market picks up in one direction.

I'd hate to see Microsoft monopolise the security market like they have done the OS market, but it would make things a lot tidier, and we could all get on with REAL security, data-centric like.
