Russ Housley is the first chair of the IETF with a particular expertise in network security. Housley, who runs consulting firm Vigil Security, has been active in the IETF for nearly 20 years and helped write early e-mail security and public key infrastructure standards. Three months into his job as chair of the leading Internet standards body, Housley talked with Carolyn Duffy Marsan about his strategy for bolting better security onto the freewheeling Internet.
What do you hope to accomplish as IETF chair?
My focus as IETF security area director was continuous, incremental improvement of the security of the Internet. As IETF chair, I want to continue with that. I also want to pursue continuous, incremental improvement of the entire Internet and continuous, incremental improvement of the IETF standards process.
What do you mean when you say your goal is continuous, incremental improvement for the Internet overall? Can you give me three specific goals?
Rollout of IPv6 is clearly one of them. Another is rollout of DNS security. And my personal hope is that the SIDR [Secure Inter-Domain Routing] working group leads to security improvements in Internet routing.
Why take on this time-consuming, volunteer job?
[Laughs.] I don't have a good answer for that. I care about the community. I guess that is what it really comes down to. I could only do it because I got a sponsor. VeriSign is giving me a check a month, and the National Security Agency is paying my travel costs. Vigil Security is my own business. It's just me, and my wife pays the bills.
How long do you expect to be IETF chair?
My term is two years, and then I'll make an assessment. It's not fair to ask me three months into the job whether I'll seek another term. My predecessor said it took a year to learn the job and another year to get comfortable doing it. Just as you're getting comfortable, your term is over.
You are the first security expert to head the IETF. Why is it important to have a security expert lead the group now?
Being a good manager and a security guy are not mutually exclusive. Clearly we need someone to continue the security improvements that have been started by [the two previous IETF chairs.] Security is where the Internet has the biggest need for improvement. So I look forward to working with the two area directors that have security as their key focus. Maybe with the three of us, we'll be able to make more rapid progress.
Many of the IETF's original protocols were designed without built-in security. How hard will it be for the IETF to go back and rework these protocols to require security?
Usually bolting security on after the fact leads to an incomplete solution, but that's what we're going to have to have. It's not possible to turn off the Internet today and start up the secure Internet tomorrow. It just can't be done, and no one would tolerate the outage if we could. The genesis of my continuous, incremental improvement philosophy is realizing that we can't turn off the insecure Internet and turn on a more secure Internet even if we had consensus for what that meant.
Do IETF participants have the will to go back and fix insecure parts of the Internet? For example, everyone knows about the lack of security in HTTP, but there seems little will within the IETF to fix the HTTP authentication problem.
That's because in the case of HTTP, and I suspect in many others, there's little agreement about what's the most important security feature to add. When you say that we'll just fix the most egregious things, then you get into an argument about where to draw the line. In the case of HTTP, the biggest concern is authentication and that is primarily solved by [Transport Layer Security]. Why not mandate TLS? That's a very good question. There's not a Web server on the market that doesn't have TLS. Will we have the will to fix the security problems? Sometimes. [Domain Keys Identified Mail] is an add-on to the mail environment that we're developing. The work was done in the security area, but the whole idea came from the applications folks. I think we'll continue to see approaches like that where we can each see the benefits. But it's not going to be a complete overhaul of the e-mail system. Instead, it will be a fix for a particular concern.
Has there been a shift in attitude about security in the IETF in recent years?
Certainly. People think about security now, but for many people it's not the primary reason they are here. They're here to add a routing feature or add a particular capability to a particular application or to improve deployability of IPv6 or something like that.
- +
Process Trip 04/02/2008 13:07:03
Why Maritz Travel revamped key business processes — and how business and IT came together to make it workWhen Rich Phillips became COO OF Maritz Travel about two and-a-half years ago, he sat down and took a hard look at the big industry picture - +
Ticked Off at Tick the Box Mentality 04/02/2008 13:01:15
Does your executive search firm know the difference between an MIS manager and a CIO, and if it does, can it explain that difference to its corporate clients?Does your executive search firm know its MIS managers from its elbow? Does it even know the difference between an MIS manager and a CIO, and if it does, can it explain that difference to its corporate clients? - +
Toxic Mix or Bit of a Mixed Blessing? 31/12/2007 10:36:30
“Eye of newt, and toe of frog, Wool of bat, and tongue of dog . . . ” The inter-generational office brew of Boomer, Gen X and Gen Y may not be quite as odious as that of the three witches in Shakespeare’s Macbeth, but even so it makes “for a charm of powerful trouble”"Eye of newt, and toe of frog, Wool of bat, and tongue of dog . . . " The inter-generational office brew of Boomer, Gen X and Gen Y may not be quite as odious as that of the three witches in Shakespeare's Macbeth, but even so it makes "for a charm of powerful trouble" - +
Strategies for Dealing With IT Complexity 24/12/2007 10:30:47
Every innovation, every business process improvement, comes with an IT complexity tax that must be paid by CIOs in time, money and sweat. Here are strategies to mitigate the increasing complexity of IT as it enables new business.Every innovation, every business process improvement, comes with an IT complexity tax that must be paid by CIOs in time, money and sweat. Here are strategies to mitigate the increasing complexity of IT as it enables new business. - +
Hiring Manager: Emphasize Integrity, Attitude 14/12/2007 11:18:07
William Howell shares his hiring mistakes and his secrets for selecting the best job candidates, finding objective references and using LinkedIn as a recruiting tool.William Howell shares his hiring mistakes and his secrets for selecting the best job candidates, finding objective references and using LinkedIn as a recruiting tool.
Read up on the latest ideas and technologies from companies that sell hardware, software and services. Strategies for Eliminating .PST Files
Delivering the Power of Choice with Microsoft Dynamics CRM
Best Practice in Building an Integrated Information Management Strategy
Enterprise Wireless WLAN Security
Email Archiving Implementation: Five Costly Mistakes to Avoid
Everything you need to know about email and web security (but were afraid to ask)
Discover the advantages of an open architecture multi-vendor network solution
Mimosa™ NearPoint™ for Microsoft® Exchange Server: Email Archiving 101
Zones provide focussed content from Computerworld and leading technology partners.
Discover how SOA can create smarter outcomes for your business.
Attend and learn:
- How SOA is helping leading companies to become more agile
- Where you should be applying SOA processes in your company
- The top SOA implementation mistakes to avoid
Click here for more information.
- +
Computerworld Live Podcast #97: The Future of Enterprise Networking 25/07/2008 09:45:36
This week CW Live chats with Mark Thompson, global sales and marketing manager for HP ProCurve, on the future of the enterprise networking. Mark discusses the trends we can expect to see in the near future and how the right infrastructure can ensure your enterprise network is secure. - +
Computerworld Live Podcast #96: Security at the Edge 11/06/2008 09:22:22
CW Live speaks with Amol Mitra, HP ProCurve Director of Marketing for Asia Pacific and Japan. Today's topic: how enterprises are starting to shift away from simply controlling security via server logins, firewalls and moving to more adaptive security frameworks. - +
Data Management Edition #10: Multi-Petascale Systems 02/05/2008 09:12:33
This week we look at sustainability and the development of multicore technologies to build multi-petascale systems. - +
IT Security Edition #11: How to poison the Storm botnet 01/05/2008 08:51:55
This week CW Live presents a case study on how to poison the notorious Storm botnet . Plus we take a look at Cisco's plans for Ironport. - +
IT Security Edition #10: Cyber-battles fought and won 24/04/2008 11:09:47
Vendors bow to end user pressure to improve product security, and we take a look at the latest concepts shaping the cyber-battlefield of the future.
Vignette Announces 2008 Excellence Awards 2008-11-21 10:50:00+11
PGP and Ponemon Institute Unveil Inaugural Australian Data Breach Study 2008 2008-11-20 17:34:00+11
Symantec Cloud Services Transform Data Centre Operations Through Proactive Management 2008-11-20 12:06:00+11
Verizon Business Offers Tips to Building a Successful Unified Communications and Collaboration Plan 2008-11-20 12:04:00+11
AARNet Brings 4K Digital Cinema to Australia: First 4K HD Video Signal delivered into Australia by AARNet 2008-11-20 12:02:00+11
Security Inside Out
A security breach has the potential to impact your bottom line, damaging reputation, customer loyalty and profitability. Managing security risks in today's environment requires a framework that extends beyond traditional network perimeter measures to protect applications, middleware, and data infrastructures. Read on to discover how you can create an enterprise security framework to protect your business.
Buying Guides
Latest Products
