Tales From The Early Days of the Firewall - Marcus J. Ranum
WARNING!!!
Some of this (just some of it) is tongue in cheek. You figure it out!
Who?
• Who am I, and how did I get here?
– Security products designer since 1989
– Wrote the first commercial firewall product
– Designed an early VPN that didn’t succeed
– Early innovator in IDS market
– Today: consultant, industry analyst, farmer, horse-trainer, senior analyst for TruSecure, teacher, writer, etc, etc.
So What’s This About?
• “In the beginning… ”
– If you grow up around historians, you’re doomed to become one!
• Computer Security, as an industry, has a lot of hype (always something new!)
– If you know about the evolution of a technology, can you tell something about its future?
Who is this guy?
Dave Presotto, Bell Labs
For most firewall stuff, it turns out that “Dave was there first”
Earliest Days
• Nobody has determined for sure who coined the term “firewall”
– Gene Spafford wants to, but Cheswick says he’d heard it used a long time before Spaf got into security
– Brian Reid may be the originator, but Brian says he thinks someone else used it first
– “hackers” (movie) 1983 uses “firewall”… Lost in the mists of time.
Round 1: The Players
• The AT&T guys
– Dave Presotto
– Bill Cheswick
– Steve Bellovin
• The DEC gang
– Brian Reid
– Jeff Mogul
– Paul Vixie
The AT&T Gateway
• Originally built by Dave Presotto and Fred Trickey
– Taken over by Bill Cheswick in 1987
– Definition of firewall: “A single point between 2 networks where all traffic must pass. Traffic can be controlled and may be authenticated. All traffic is logged.”
– Described by Cheswick and Bellovin in 1990 USENIX proceedings
The AT&T Gateway
(Diagram) Internet; Corporate Network; VAX 11/750 w/ 2 interfaces
Users can only access the internet via circuit relays (proxyd): ptelnet, pftp, p...
The DEC gang
• Brian Reid had “the internet disease”
– DEC was connected at 3 places (Palo Alto first, Cambridge second, DC third)
• Most of these connections were “gatekeepers”
• 9600 baud was the highest (initial) connection
• 56k in 1987(?)
• Upgraded to T1 in 1988
The DEC Gatekeeper V1
(Diagram) Internet; Corporate Network; System w/ 2 interfaces
Users log in, and can reach the Internet
The View
• “Firewalls are barriers between ‘us’ and ‘them’ for arbitrary values of ‘them’”
– Steve Bellovin
The First Policy
• “Allow anyone ‘in here’ to get out, but keep people ‘out there’ from getting ‘in’”
– This may be the only firewall security policy that has ever been used (barring fine details)
Round 2: The Newbies
• Marcus Ranum starts working at DEC DC late 1988
• Jeff Mogul at DEC Palo Alto starts screend
• Geoff Mulligan at DEC Palo Alto starts thinking about firewalls
• Bob Braden (ISI) starts looking at “Visas” under DARPA funding
The DEC Gatekeeper V2
(Diagram) Internet; Corporate Network; System w/ 2 interfaces (users log in, and can reach the Internet); System w/ screend (some traffic restrictions applied to “known bad stuff”)
Round 3: Break Out
• Fred Avolio assigns Marcus to “build a firewall like the one in Palo Alto”
• Marcus Ranum instead designs “no user” firewall
– Premise: 99% of security problems involve having a user logged into a system
– Therefore: if the user can’t get on the system, the security will be much better (Dave Presotto was way ahead on this point)
Firewall Services
• USENET news
• FTP
• Telnet
• Mail (DNS)
Round 3: Break Out
• Geoff Mulligan starts writing what (today would be called) a “stateful firewall”
– Track outgoing connections
– Allow incoming responses
– Keep state at IP level
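The three bullets above, together with the “first policy” slide (let anyone in here get out, keep people out there from getting in), describe one mechanism. The following is an added example, not code from the talk, from screend or from any product it mentions: a toy stateful filter that records each outbound flow and admits an inbound packet only when it is the reply half of a recorded flow. The 10.0.0.0/8 inside range, the interface names, the packet fields and the sample addresses are all constructed for the example.

```python
"""Added example: a minimal stateful filter for the "inside may get out,
outside may not get in" policy. Not code from the talk or its products."""
from dataclasses import dataclass
import ipaddress

# Constructed: the address range on the "corporate" side of the firewall.
INSIDE = ipaddress.ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Packet:
    iface: str            # interface the packet arrived on: "inside" or "outside"
    proto: str            # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    closing: bool = False  # TCP FIN/RST observed: the flow is being torn down


class StatefulFilter:
    def __init__(self, inside=INSIDE):
        self.inside = inside
        self.flows = set()  # 5-tuples of outbound flows seen so far
        self.log = []       # one line per packet: every packet is logged

    def _is_inside(self, addr):
        return ipaddress.ip_address(addr) in self.inside

    def filter(self, pkt):
        src_in, dst_in = self._is_inside(pkt.src), self._is_inside(pkt.dst)
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

        if pkt.iface == "outside" and src_in:
            # Anti-spoofing: an inside address cannot legitimately arrive on
            # the outside interface, so the state table is never consulted.
            verdict, why = "DROP", "inside source address on outside interface"
        elif pkt.iface == "inside" and not src_in:
            verdict, why = "DROP", "foreign source address on inside interface"
        elif src_in and not dst_in:
            # Outbound: permitted by policy; remember it so the reply gets back.
            self.flows.add(fwd)
            verdict, why = "ALLOW", "outbound, flow recorded"
            if pkt.closing:
                self.flows.discard(fwd)
        elif dst_in and not src_in:
            # Inbound: only as the reply half of a recorded outbound flow.
            if rev in self.flows:
                verdict, why = "ALLOW", "reply to recorded outbound flow"
                if pkt.closing:
                    self.flows.discard(rev)
            else:
                verdict, why = "DROP", "unsolicited inbound connection"
        else:
            verdict, why = "DROP", "does not cross the boundary"
        # Simplification: a real filter also ages flows out on a timer and
        # waits for both sides' FIN before forgetting a TCP connection.
        self.log.append(f"{verdict} {pkt.proto} {pkt.src}:{pkt.sport} -> "
                        f"{pkt.dst}:{pkt.dport} ({why})")
        return verdict


def demo():
    """Constructed packet sequence: one browsing session plus two intrusions."""
    fw = StatefulFilter()
    web = ("192.0.2.10", 80)   # constructed outside web server
    me = ("10.1.2.3", 40000)   # constructed inside workstation
    verdicts = [
        fw.filter(Packet("inside", "tcp", *me, *web)),                        # outbound
        fw.filter(Packet("outside", "tcp", *web, *me)),                       # its reply
        fw.filter(Packet("outside", "tcp", "198.51.100.7", 5555, "10.1.2.3", 23)),  # unsolicited
        fw.filter(Packet("outside", "tcp", "10.9.9.9", 1, "10.1.2.3", 23)),   # spoofed source
        fw.filter(Packet("outside", "tcp", *web, *me, closing=True)),         # reply, then forget
        fw.filter(Packet("outside", "tcp", *web, *me)),                       # flow is gone
    ]
    return verdicts, fw.log


if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```

The interface check is the part most often missed in toy versions: without it, a packet with a forged inside source address would be treated as outbound and would seed the state table.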
Product
– Marcus Ranum’s firewall goes live mid-late 1990
• Rolled-out internally to Cambridge
• Not adopted in Palo Alto
– First documented case of firewall users refusing to adopt a more stringent policy and blocking installation of a security technology through use of office politics or passive-aggression
Product
– Ranum’s firewall sold to Dupont, Jun 1991
• $75,000 + install
– Name:
• Packaged Internet Gateway (PIG)
• Screening External Access Link (SEAL) (Fred Avolio came up with this one)
The DEC SEAL
(Diagram) Internet; Corporate Network; Gate w/ screend; Gatekeeper (users have to interact with a proxy on the gatekeeper); Mail Hub; standard apps
SEAL Facts
– All told the SEAL was less than 10,000 lines of code
– User interface was “vi(1)”
– Took a total of about a week to write
– Marcus always felt guilty for throwing more hardware at the problem than was necessary
• If you recall, DEC sold computers not software: being hardware-heavy was a plus
Round 4: Emerging Market
– After the DEC SEAL there were a number of products coming to market
• Raptor Eagle (founded by Dave Pensak, a research scientist at Dupont’s facility where the first SEAL was installed)
• ANS Interlock
The Firewall Toolkit
• Marcus Ranum designed and developed for DARPA on behalf of The Whitehouse
– Modular set of proxies for facilitating firewall-building
– Code made available October 1, 1993
– First sold to Dun and Bradstreet October 2, 1993
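The AT&T gateway definition (a single point all traffic must pass, controlled, possibly authenticated, always logged), the proxyd circuit relays, the SEAL’s “users have to interact with a proxy on the gatekeeper” and the toolkit’s modular proxies all rest on the same building block: a relay process on a host nobody logs in to. The following is an added example, not code from the talk, from proxyd, from the DEC SEAL or from the Firewall Toolkit: a minimal TCP circuit relay that reads a one-line destination request, checks it against a policy, writes an audit line for every decision, and copies bytes in both directions. The `host port\n` request format, the `RelayPolicy` allowlist, the audit line layout and the localhost echo service used to exercise it are assumptions made for this example.

```python
"""Added example: a "no user" TCP circuit relay with policy and audit log.
Not code from the talk, proxyd, the DEC SEAL or the Firewall Toolkit."""
import selectors
import socket
import socketserver
import threading
from datetime import datetime, timezone


class RelayPolicy:
    """Allowlist of (host, port) destinations a client may reach (constructed)."""

    def __init__(self, allowed):
        self.allowed = set(allowed)

    def permits(self, host, port):
        return (host, port) in self.allowed


def pump(a, b):
    """Copy bytes a<->b until either side closes (half-close not modelled)."""
    with selectors.DefaultSelector() as sel:
        sel.register(a, selectors.EVENT_READ, data=b)
        sel.register(b, selectors.EVENT_READ, data=a)
        while True:
            for key, _ in sel.select():
                chunk = key.fileobj.recv(4096)
                if not chunk:
                    return
                key.data.sendall(chunk)


class CircuitRelayHandler(socketserver.BaseRequestHandler):
    def handle(self):
        client = self.request
        client.settimeout(10)
        # Read "host port\n" one byte at a time so that any application data
        # already queued behind the newline is left for pump() to forward.
        header = b""
        while not header.endswith(b"\n") and len(header) < 256:
            byte = client.recv(1)
            if not byte:
                return
            header += byte
        try:
            host, port = header.decode("ascii").split()
            port = int(port)
        except (UnicodeDecodeError, ValueError):
            self.server.audit("REJECT", self.client_address, repr(header), "malformed request")
            return
        dest = f"{host}:{port}"
        if not self.server.policy.permits(host, port):
            self.server.audit("DENY", self.client_address, dest, "not permitted by policy")
            return  # returning makes the server close the client socket
        self.server.audit("CONNECT", self.client_address, dest, "relaying")
        try:
            with socket.create_connection((host, port), timeout=5) as upstream:
                pump(client, upstream)
        except OSError as exc:
            self.server.audit("ERROR", self.client_address, dest, str(exc))
            return
        self.server.audit("CLOSE", self.client_address, dest, "circuit ended")


class CircuitRelay(socketserver.ThreadingTCPServer):
    daemon_threads = False  # so server_close() joins handler threads

    def __init__(self, address, policy):
        super().__init__(address, CircuitRelayHandler)
        self.policy = policy
        self.audit_log = []  # every decision, whether or not a circuit was built
        self._lock = threading.Lock()

    def audit(self, verdict, client, dest, note):
        stamp = datetime.now(timezone.utc).isoformat()
        with self._lock:
            self.audit_log.append(f"{stamp} {verdict} client={client[0]}:{client[1]} dest={dest} {note}")


class EchoHandler(socketserver.BaseRequestHandler):
    """Stand-in for an outside service (constructed for the demo)."""

    def handle(self):
        while chunk := self.request.recv(4096):
            self.request.sendall(chunk)


def demo():
    """Run one permitted and one denied circuit through the relay on localhost."""
    echo = socketserver.ThreadingTCPServer(("127.0.0.1", 0), EchoHandler)
    echo_port = echo.server_address[1]
    relay = CircuitRelay(("127.0.0.1", 0), RelayPolicy({("127.0.0.1", echo_port)}))
    for srv in (echo, relay):
        threading.Thread(target=srv.serve_forever, daemon=True).start()
    relay_addr = ("127.0.0.1", relay.server_address[1])
    with socket.create_connection(relay_addr) as s:  # permitted destination
        s.sendall(f"127.0.0.1 {echo_port}\nhello through the relay".encode())
        got = s.recv(4096)
    with socket.create_connection(relay_addr) as s:  # destination not in policy
        s.sendall(f"127.0.0.1 {echo_port + 1}\n".encode())
        denied = s.recv(4096)  # b"": the relay hung up without connecting
    for srv in (relay, echo):
        srv.shutdown()
        srv.server_close()
    return got, denied, list(relay.audit_log)


if __name__ == "__main__":
    for line in demo()[2]:
        print(line)
```

Two properties of the original designs survive even in this toy: the policy decision and the audit line happen before any connection to the destination is attempted, and a denied request leaves a log entry rather than silently vanishing.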
The Firewall Toolkit V2
• Added http proxy (Peter Churchyard)
• Productized into TIS Gauntlet firewall
– Added character-based user interface
– Added documentation
– Added BSDI-based system configuration
– 2 floppy disks; $25,000
The Old School Guys
• Meanwhile DOD is trying to build systems (they call them “guards”) between classified and unclassified networks
– Lots of Orange Book concepts
– Problem is how to automatically “downgrade” classified material
– The DOD researchers are getting left out
The Old School Guys Retrench
• Secure Computing (Sidewinder)
– BSDI-based with “domain type enforcement”
– First firewall to market using massive hype … But otherwise another proxy firewall
• Harris’ CyberGuard
– Proxy firewall built on a secure platform (based on B-1 target operating system)
More Commercialization
• Several other firewall companies appear on market
– At least 2 are rip-offs of firewall toolkit code
• One goes public, gets bought, and its founders get rich
• The other gets bought (and its founders get rich)
The Israeli Connection
• 2 Israeli guys (Gil Shwed, Shlomo Kramer) arrive at TIS Glenwood
– Try to sell Steve Walker and Fred Avolio a prototype firewall they call “Firewall-1”
– Unable to locate a US reseller they started their own company: CheckPoint
(They did OK. Gil’s worth about $300 million, now)
CheckPoint Eats Lunches
• CheckPoint’s early “stateful inspection” didn’t actually do much
– So they sold the product based on its performance and flexibility
– Security began to take second place to packets per second as a criterion
The Israeli Slam
• A sales rep from Raptor (we think…) starts a rumor that CheckPoint is backdoored
– This craters CheckPoint’s federal/DOD sales
– NSA has a team examine the product; further weirdness happens
• “Checkpoint Claims”
The Hardware Guys
• Once firewalls had become “a market” the hardware guys stepped in
– Watchguard
– Sonic Wall
• Premise: Fast = Good
– Security permanently takes backseat to packets per second
Today
• Which brings us to today!
– With rapid-spreading worms on the rise a good layer 7 firewall is important again!