Building security by making holes

Net Insider

Last month I got a call from the folks at VanDyke Software Inc. They wanted to chat about what needs to go away to ensure enterprise network security.

Their list was, as one might expect, self-serving in some places (they sell software to fill some of the holes they think need to be created). But their list got me thinking about what else would be good to lose in the quest for a safer Net.

Here’s VanDyke’s list of things to lose: 1. Non-NT versions of Windows (95/98/ME); 2. Password authentication; 3. Telnet; 4. Cleartext logon to any root or administrator account; 5. FTP (except in some cases, anonymous FTP); 6. Failure to provide end-user training in basic security policy and procedures; 7. IT departments fighting against the proliferation of wireless network access points; 8. Government studies on how to secure the Internet.

The last one might not be quite politically correct, and I don’t think they meant it literally. But, so far, such studies have been more feel-good exercises than meaningful guidance.

The rest of their suggestions make quite a bit of sense, even though most are fairly obvious.

Security 101 says to rid your network of anything that uses clear text passwords, and that is what suggestions two through five are all about. In spite of this being the first thing you should learn in network kindergarten, far too many networks are still being managed using good old telnet. Suggestion two goes a bit further to suggest using some additional logon techniques such as biometrics or token cards – a very good idea for critical systems.

Even though current-generation Windows systems seem to be charter members of the critical-update-of-the-week club, the older versions give “porous” a bad name – it’s past time to get rid of them.

Pretending that users will understand the importance and techniques of security without training is being in denial, at best.

And it’s far better for the IT department to be on the forefront of installing wireless networks so that it can be done in a secure way. Wireless is just too useful to assume that an IT department dictate against it will stop progress.

The VanDyke list is a good start, but I’d add a few things to it. For example, only half in jest, I would lose firewalls. They just get people thinking that they don’t have to practice good security hygiene. I’d also lose any network address translator that was installed for security reasons – NATs provide no meaningful security and make deployment of software innovations much harder.

If I couldn’t lose “national security” as a network security driver – it’s just too important – I would lose it as an excuse to shred what is left of individual privacy in the workplace and on the Internet.

Finally, losing the Digital Millennium Copyright Act would be the best thing that we could possibly do to improve the security of our systems and networks.

Disclaimer: Harvard’s museums are full of things that people lost, but the above suggestions for more museum pieces are my own.

Bradner is a consultant with Harvard University’s University Information Systems. He can be reached at