My name is Avi Rubin. I am a Computer Science Professor at Johns Hopkins University and Technical Director of the JHU Information Security Institute. I came to Hopkins this year from AT&T Labs, where I did research in computer and network security.
How did you gain interest in computer security?
Computer Security first caught my interest when I attended a talk about the Needham and Schroeder protocol by Peter Honeyman at the University of Michigan in 1991. I was a graduate student at the time, and once I saw this talk, I knew that I had found the topic for my dissertation. Honeyman became my thesis advisor, and the rest is history.
Which are your favorite security tools?
SSH is by far my favorite security tool. I use it for remote access and to tunnel all of my mail traffic. It’s nice not to have to worry about the insecurity of intermediate networks or wireless networks.
What operating system(s) do you use and why?
I use OS/X on a Mac. There are several things I like about it. Previously, I had a dual boot machine running Windows and Linux. This was a real pain. The Windows side would often crash, and having to reboot in order to view Office documents was a hassle. All of the virtual machine solutions were too slow to be practical. My Mac never crashes. All of my Unix tools and my research prototypes work on it, and all of my office documents work just fine. I enjoy having an xterm running right next to a Word document. I also like the fact that when a new release of the OS comes out, things actually improve. It’s basically Unix with a great GUI.
How long did it take you to co-write “Firewalls and Internet Security: Repelling the Wily Hacker 2/e”? Any major difficulties?
Steve and Bill were already working on it for quite some time when I joined the project. I’ve lost touch on how long it took exactly after I came on board, but it’s fair to say that it was somewhere between a year and a half and two years. For me, the project was incredible. The three of us sat around a table in a bump space at AT&T and wrote together. We picked each other’s brains and wordsmithed sections in real time. Ches called it study hall. I call it the best learning experience I’ve ever had.
If you could start working on the book all over again, would you make any major changes?
I can’t even imagine working on this all over again.
In your opinion, what are the most important things an administrator has to do in order to keep a network secure?
The most important thing is to read our book! Seriously, though, the first thing an administrator has to do to protect a network is to establish a clear and meaningful policy. Then, they should make sure that it is implemented correctly. Firewall rules should be kept simple. The user should not be viewed as the bad guy, because if policies are draconian, users will go around them. It is important to keep up with vulnerability announcements and patches. Everything should be logged.
What’s your take on the full disclosure of vulnerabilities?
I think that vulnerabilities should be disclosed responsibly. In the case that a fix is available, there is no point in withholding the information, and it is actually our duty to disclose it. However, there are cases where the consequences of disclosure might outweigh the benefits, and where it is too dangerous to publish a vulnerability. I believe that each vulnerability represents a judgment call.
What can users do to choose a firewall that is right for their needs?
The choice of firewalls is not as important as the configuration of it. Having too many firewall rules will burn you whether you use Checkpoint’s latest product or a free open source package. The decision should be based on what they can afford, whether or not they like fancy GUIs, and how well they understand the product.
Which personal firewalls would you recommend to our readers?
I’d rather not make any product recommendations. We wrote about how to use several of them in the book. The PC versions have functionality that is quite different from the Unix versions. Again, I suggest making the decision on the factors mentioned in my previous answer.
What are your future plans? Any exciting new projects?
Right now, I’m trying to settle into my new job. I just left industry for academia less than two months ago. Academia appears to be a much busier lifestyle, and I’m just starting to get my bearings. I’m really enjoying teaching, and the interaction with graduate students and other faculty is wonderful. I don’t understand how professors ever have time to write books. Maybe that’s what sabbaticals are for.
What is your vision for firewalls in the future?
Firewalls will move into the host, and policies will be set by loading them into distributed hosts over cryptographic channels. At least, I hope that’s what happens. We’ll see.