Guru Bill Cheswick spoke with the roughly 50 audience members about security, networks, and mapping. The second edition of his book, Firewalls and Internet Security, is about 80% done, and he and Steve Bellovin have added Avi Rubin as their third author.
Some security insights from his talk include: using genetic or AI analysis of security information, throwing away the data you understand and analyzing the rest; intrusion-detection systems' main problem is false positives; firewalls are good for unsecured hosts but are not a substitute for host-based security; and using older, well-understood protocols, read-only directories, and chroot-based jails to limit access.
Cool things on the horizon include backscatter, where by listening to the death screams of denial-of-service attacks you can find out who's being attacked and how often. One attack he sees as possible in the near-to-mid future is an attempt to take down the Internet; the root DNS servers are constantly under some form of attack, and people try to tap or break flows into and out of major routing providers. Someone asked about a truck bomb, but Ches discounted it as being unlikely to have any real international effect.
Most people are security-conscious and are using ssh instead of telnet. However, some people use the same ID and password for insecure services (like POP, IMAP, and FTP) as they do for their shell account. As we saw at the Works in Progress sessions yesterday, this leaves passwords sniffable over wireless networks. However, ssh has its own set of problems: it's big and has a lot of features, which means complexity, which leads to problems. There are also several CERT advisories against it. To mitigate the problems, he only uses protocol version 2 and usually uses OpenSSH on Unix. Audience members suggested SecureCRT or MindTerm for Windows NT clients.
Asked how he would set up a new network from scratch, he said he would use FreeBSD secured hosts, ssh and very limited NFS internally, use one-time passwords, have a honeypot, use an intrusion detection system, and block ICMP. He doesn't have a good clean solution to the mobile-users problem because IMAP and POP send clear-text passwords. Possibly tunnel mail through ssh to home (secured) systems, or IPSec on the mail server, or a web mail client using https.
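The "tunnel mail through ssh to home" option above, combined with the protocol-version-2-only rule from his talk, as an added example; this is not from the talk or the book, and the user and host name (alice@home.example) are placeholders. The idea is that the mail client talks POP/IMAP to a port on localhost, ssh carries that traffic inside an SSH-2 session to the trusted home host, and only there does the cleartext password reach the mail server. The second function is a small check that a client ssh_config really pins the protocol to version 2.

```shell
#!/bin/sh
# Added example (not the speaker's or the book's code): tunnel POP3 and IMAP
# through an SSH-2 session so the cleartext mail password never crosses the
# wireless or hotel network in the clear. Host and user are placeholders.

# Print the ssh invocation for a mail tunnel.
#   $1 = user@homehost (placeholder, e.g. alice@home.example)
#   $2 = local port to expose IMAP on (default 1143)
#   $3 = local port to expose POP3 on (default 1110)
# The mail client is then pointed at localhost:1143 / localhost:1110.
mail_tunnel_cmd() {
    target="$1"
    imap_local="${2:-1143}"
    pop_local="${3:-1110}"
    # -o Protocol=2 forces SSH-2 (OpenSSH 7.6 and later removed SSH-1
    # entirely, so the option is unnecessary there); -N opens no remote
    # shell, only the two port forwards. 143 and 110 are the standard
    # IMAP and POP3 ports on the home host's loopback interface.
    printf 'ssh -o Protocol=2 -N -L %s:localhost:143 -L %s:localhost:110 %s\n' \
        "$imap_local" "$pop_local" "$target"
}

# Return 0 when the ssh_config file in $1 pins the client to protocol 2
# only (a line "Protocol 2"), 1 otherwise. A line such as "Protocol 2,1"
# still allows fallback to SSH-1 and is rejected.
ssh_config_forces_v2() {
    grep -Eiq '^[[:space:]]*Protocol[[:space:]]+2[[:space:]]*$' "$1"
}

# Demonstration with a constructed config file.
demo_cfg=$(mktemp)
printf 'Host *\n    Protocol 2\n    ForwardAgent no\n' > "$demo_cfg"
if ssh_config_forces_v2 "$demo_cfg"; then
    echo "ssh_config pins SSH-2: ok"
else
    echo "ssh_config allows SSH-1 fallback"
fi
rm -f "$demo_cfg"
mail_tunnel_cmd alice@home.example
```

Run the printed command in one terminal, then set the mail client's IMAP server to localhost port 1143 (or POP3 to localhost port 1110). The password still travels in cleartext between sshd on the home host and the mail daemon, but that hop stays on the trusted machine's loopback interface, which is the property the tunnel buys.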