Click here to start

Table of Contents

1. Internet Security: An Optimist Gropes For Hope
2. Firewalls and Internet Security
3. Most common question from the press:
4. Universal Answer
5. Why?
6. Aug. 1993
7. In August 1993
8. CERT advisories: 1994
9. CERT advisories, 1994
10. CERT advisories, 1994 (cont.)
11. Many attacks were theoretical...
12. ...and then they happened...
13. There are a lot more players, and on average they are a lot less secure
14. When I started at the Labs (Dec 1987)
15. Now, everyone is on the Internet
16. We've been losing ground for decades
17. Life cycle of a security bug, roughly
18. Yeahbuttal
19. Cost vs. Benefits
20. OTOH, tools we didn't have in 1994
21. Bright spots, now
22. I am optimistic. Good security is possible
23. There are a lot of benefits
24. Financial business models are working
25. And Microsoft...
26. What does good security feel like?
27. The Morris worm: Nov. 1988
28. Some facts to keep in mind: economics
29. Some things we can't fix
30. Social Engineering
31. I need to manage expectations here
32. Software will always have bugs
33. People pick lousy passwords
34. Some facts to keep in mind: users are not security experts
35. Social Engineering (cont.)
36. Another Problem With Strange Programs
37. Managing expectations: Denial-of-Service
38. Wireless passwords
39. Experts cut corners, too
40. I cheated on my authentication test
41. I cheated on my authentication test (cont.)
42. Some principles and tools
43. Security strategies
44. Staying out of the game
45. Defense in depth
46. Layered Positive Measures to Assure Against Unauthorized Use
47. Secure defaults are important
48. Security doesn't need to be inconvenient
49. Some solutions: Hardware tokens
50. One-time Passwords
51. Authentication
52. Principles and tools: encryption
53. Encryption is necessary, but not sufficient
54. Tools: Trusted Computing Base
55. Default services—SGI workstation
56. More default services
57. If You Don't have a Trusted Computing Base...
58. Firewalls Perimeter Defenses
59. Firewalls have their uses
60. Firewalls: Not a panacea
61. Anything large enough to be called an "intranet" is probably out of control
62. PPT Slide
63. PPT Slide
64. Some intranet statistics from Lumeta clients
65. Perimeter defenses don't work if the perimeter is too big
66. Example: Life Without a Firewall
67. It can be done
68. Life without a firewall
69. We need to be able to trust our hosts
70. Secure host technology
71. Secure host technology
72. Routes to root
73. root network services
74. Setuid-root programs
75. Root: The gatewat to privilige
76. Setuid-root
77. So, don't have network services...
78. So, don't have users...
79. Get rid of setuid programs if you do have users
80. Minimize root network services
81. Three layers of defense we might have
82. Chroot
83. Awful stuff you have to do to jail a program
84. Example: a web server highly-resistant to defacement
85. Goal
86. Implementation
87. Other software I have jailed
88. Sample message
89. Sample message
90. Some jail themselves, or should
91. Example: Amazon, Fedex, ...
92. Things are getting better: we have business models
93. Example: Spook networks
94. Talk to spooks: they have security experience
95. Spooks
96. Spooks...
97. Ches's wish list
98. Ches's wish list
99. More wishes
100. Ches's wish list
101. Still theoretical
102. Conclusion
103. Questions