No room for improvement at all?
There is really going to be nothing new for firewalls. In fact, a lot of the more-complicated firewall features can actually reduce security, rather than increase it.
How so?
Well, the more-complicated firewall rule-sets can trip users up. Remember, firewalls are tools that you use to stop bad traffic. And how effective they are depends on your skill in using them. And the more complicated something is, and the more feature-sets it has, the more educated you'll need to be to use it right.
And we've seen (organisations not using their firewalls correctly). For example, we find that Slammer occasionally comes through the firewalls even though it is supposed to be blocked by the rule-sets. The reasons are varied. Sometimes it is because people go into the firewalls to open ports they shouldn't be opening. Other times they just remove the whole configuration from the firewalls and reset them back to the default state of "open," which lets everything through. They may do this for only a few seconds before they re-apply the policy again, but that is enough for Slammer to come through. And these things happen partly because of the complexities of today's firewalls. With simpler systems, you are unlikely to make those mistakes.
How important do you think application firewalls will become in the future?
Not very. The application firewall space really is targeted at Web applications. These firewalls are about proxying HTML or HTTP. The thing we have to remember is that no Web applications are bug free. Some have well-known bugs that people can take advantage of. Application firewalls may be able to solve some of these things, but not all.
Let me give you an example of something that happened with me. Not long ago, I ordered a plasma screen online, which was to be shipped by a local company in Atlanta. And the company gave me a six-digit shipping number. Accidentally, I typed in an incremental of my shipping number (on the online tracking Web site). Now, a six-digit number is a small number, so of course I got someone else's user account information. And the reason that happened was due to the way they've set up their user IDs, by incrementing from a six-digit number.
So here's the irony: Their system may be so cryptographically secure that chances of an encrypted shipping number being cracked is lower than a meteor hitting the earth and wiping out civilisation. Still, I could get at the next ID easily.
There is no application firewall that can solve this problem. With applications that people are running on the Web, no amount of additive things can cure fundamental problems that are already there in the first place.
What's security technology's next frontier?
Voice over IP and general packet radio service are going to be the next biggest security issues.
How big?
Several years ago, we were researching Microsoft remote procedure call, and we were talking to the media, saying that that's going to be the next big thing, that all the worm occurrences that we've seen in the past will be nothing compared to what we are going to see happening with RPC. And of course, that was exactly what happened when Blaster and Sasser came along. We are now at the same stage with VoIP and GPRS.
What's the lowdown on VoIP?
VoIP is completely insecure. At the protocol level, there is no encryption and authentication. I mean, I call you, and there's no way for you to verify who I am. I can send a caller ID from the US President, or the CIA, and you won't know who I am. And people can easily hack a caller ID and claim to be whoever they want.
GPRS?
With GPRS, the systems that mobile operators share between each other are largely wide open. Operators have so far trusted each other not to hack each other. While the average hacker from the Internet doesn't have access to these systems, the mobile operators do. And once you get into one mobile operator, you can start attacking the rest of the mobile operators via the backbone that they share. And once hackers compromise the gateway machines, they can then have fun with the internal networks, as well as come in from the Internet or handsets.
Talkback
I found the article with Robert Graham being interviewed on internet security to be both interesting, but also a little annoying. To call these hackers stupid and only thinking of one step beyond the limits set by any type of security is very shallow minded to say the least. Children these days (Not children from the 90's revolution) are fed computer literature and manuals until they cannot see anything but code of all languages, who is to say that these "Kids" cannot, at a tender age write something that could bring down most of the internet with ease and go the extra 5 - 10 steps beyond that Robert Graham says is not possible? If Robert is as narrow minded as this, how many other interent security chief scientists think like this? And it begs the question should they be in the job they are, to under-estimate anyone is silly, to under-estimate the youth of today is VERY stupid indeed!