A Clean Slate for Network Vulnerabilities?

An important aspect of network management and potentially the most unpredictable is information security. As the name implies, information security is concerned with monitoring and controlling access to data on a network. This in itself is a daunting task, but companies with a web presence can be even more vulnerable to security breeches.

According to an April 2007, PC World article, eight out of ten web sites contain common flaws that could allow attackers to access networks and steal customer data, create phishing exploits or craft a variety of other attacks. In fact, network security analysis company, WhiteHat, says that 30% of analyzed computer sites contain an urgent vulnerability, such as one that allows direct access to company databases with customer information.

On a positive note, WhiteHat also reports that a type of database vulnerability allowing SQL injection attacks is becoming less common. Fewer than one out of five sites contain this type of vulnerability, but a successful incident can give a sophisticated attacker access to everything in a company’s database. Still, overall WhiteHat’s reporting echoes an increasingly common theme, which is that web-based attacks are growing in prevalence and have grown considerably in the last two years. As web programming grows more sophisticated and complex, allowing for desktop-like applications, it also becomes even more vulnerable. So what is the problem?

The problem “stems from patching the Internet’s security holes,” says David Talbot, Chief Correspondent of MIT’s Technology Review magazine. Talbot explains that,

“The Internet’s original protocols, forged in the 1960s, [were] indifferent to whether the information packets added up to a malicious virus or a love letter; it had no provisions for doing much besides getting the data to its destination.”

Due to this simple structure and the innovation driven by the commercialization of the Internet, a slew of patches arose: firewalls, antivirus software, spam filters, and the like. Talbot feels the security patches are not keeping pace with innovation because not everyone uses the same patches or updates them regularly. So what can be done?

Stanford University researchers think building a new Internet is the answer. The “Clean Slate Design for the Internet” will hopefully make the Internet “safer, more transparent, and more reliable by reconsidering both private and public networks”. Their prototype is a wireless network called “Ethane”. Nick McKeown, an associate professor of electrical engineering at Stanford, says “Ethane” is an obvious fix to an old problem: Rather than allow computers to communicate freely, Ethane would require pre-set communication privileges within the corporate network. That way only activities deemed safe would be permitted.

The Stanford researchers acknowledge that Ethane will not work on the public Internet, but “could offer improvements for private networks”. This would still be a significant benefit for the public Internet because “isolating viruses on corporate networks would ultimately slow their spread on the Internet at large”. Of course, this is really no more than speculation. As Bob Metcalfe, inventor of the Ethernet, points out, “When you’re dealing with infrastructure, in reality, off the Stanford campus, nobody gets a clean slate”.

The innovative work of Stanford University researchers may someday improve information security by giving the Internet a “clean slate.” However, today their work is still no more than a controlled experiment in a clean lab. So, until that day arrives companies must continue patching the Internet’s security holes with the same old filters and firewalls.