infosec 2004

I went to Infosecurity 2004 last week, with my colleagues, Gilles Gravier and Tim Graves – basically to see what’s what in the wider world of security.

Tim and I’d barely set foot inside the door before being accosted by a lady from Microsoft, asking us whether we would find the bundling of a firewall-by-default with Microsoft Windows to be invasive – I kept studiously mum and looked at the ceiling in the hope of being ignored, as Tim chatted to her for a moment.

Since before I presented my first paper about firewalling in 1995, I had basically considered them essential for any system that is connected to the Net, much as I would not go out in public without trousers (hideous thought) – and so when she did swing around to me and I said:

Well, I don’t actually have any Microsoft systems at home, chiefly because I find the environment rather insular and application-oriented, but if it is any help: my home network is a four-layer cascaded N-tier architecture with personal condom-firewalls on every machine, Layer-2 switching, Network Address Translation and service virtualisation separating each layer, IDS, 128-bit WEP and SSH used for communications throughout[1] – so yeah, I think you could say that I generally approve of firewalls…

…she seemed (er) satisfied by this, and toddled off to find other people’s brains to pick; what flashed through my mind was what’ll happen to the other Firewall and AV-vendors if/when MS start to bundle firewalls (etc) by default with Windows?

That sounds awfully familiar from any number of recent newspaper stories.

Anyway: the official work of the day was in watching Paul Fielding pick-up the Trusted Solaris 8 gong from CESG for EAL4 assurance which had the usual warm handshakes and so forth; Tim was being rather queenly about some of the other certifications being handed-out, summarising the certifications as:

  • EAL1: “We looked at their marketing brochure …”
  • EAL2: “We looked at their user manual …”
  • EAL3: “We looked at their white papers …”

…and opined that EAL4 is the point at which certification becomes valuable, as it involves looking at source code and having the authors “prove” that it does what it is claimed to do, and little or no more; even then he only rates EAL4 in combination with a number of protection profiles and other requirements.

Excitement over, Gilles and I went to peruse the freebies (rather few) and revisit old contacts; my sister was coming to dinner that evening, so I escaped early into the embrace of Southwest Trains, running hours late due to signal failures near Wimbledon. In a flurry of platform changes at Clapham Junction I caught an express to Farnborough and fired-up KisMAC to pass the time.

The trip discovered 129 networks, approximately 50% using WEP; this is an improvement over the former 33% WEP usage I’ve found previously.

People are learning. Hoorj!


[1] For SunPS Geeks who read this and may recognise the schtick, yes my home network is essentially a linear SDN / Service Delivery Network architecture, as-also described at [pt.sun.com]; it’s a sound architecture, and despite what some marketing people may try telling you it totally is possible to get really good network security on the cheap, if you “know what you’re doing” and configure things sensibly.

Why shouldn’t I implement industrial-strength network architecture at home, especially if I can get it for free merely by deploying the principles that I’ve learned over the past 19 years?
