Five Networking Pet Peeves
Here are some of the more frustrating, unsolved networking problems that can get your blood boiling, in the opinion of our expert.
July 7, 2007
Now that you can e-mail anyone, anytime, anywhere, run significant applications from within an ordinary Web browser, and run your life from your laptop, it's worth taking a step back to think about some of the more frustrating networking problems that remain unsolved. Here are the top five things that get me steamed:
Why can't American cell phones work as well as the rest of the world's?
For those of you who travel overseas, you probably already know this: The United States has the worst cell phone service on the planet. Can you hear me now?
Not only that, but we pay a lot more for our cell calls, and we've blown several opportunities to become more competitive, more standardized, and more in-line with the rest of the world.
Yes, at least some U.S.-based cellular networks make use of the same GSM standard as the Europeans. But our phones run on different frequencies, which means that you have to have dual (or tri-mode, or quad-mode) band radios in your phone. As a result, our phones can be more expensive to make, and they're more liable to break. Plus, U.S. phones are often sold locked to a specific carrier, which limits their markets and keeps prices high, forcing most of us to sign up for two-year service contracts when we want new phones. With the unlocked phones that are available outside the United States, you can easily add features from a variety of third-party providers.
And speaking of lockouts, remember when 300-baud modems were first invented and the phone companies tried to block their use, claiming that they would damage their networks? How quaint that seems. Sadly, we still have some of the same attitudes today with newer devices that are on the phone networks. Skype is trying to get the FCC to unlock its IP phones for American users so that any phone can be used with any VOIP provider.
And to make matters worse, the latest efforts by cell companies to provide high-speed data service are rewriting history once again, with incompatible systems between Sprint, Verizon, T-Mobile, and AT&T networks. When will these guys come together with one single data technology?
Finally, for those of you who travel to Canada with your cell phones, don't forget that you're now making international calls at ridiculously high rates, even though Canada uses three-digit area codes. A short call to my wife from Vancouver ended up being a $50 mistake that I hope to avoid the next time I travel there. There ought to be a better way.
Why can't anyone invent secure e-mail that doesn't require an advanced degree to use?
By now, most of us know our e-mail is insecure, and any e-mail that is sent across the Internet is sent in plain text that can be read by someone with enough time, tools, and temerity to do so. So why is it that secure e-mail is still too difficult to use, or that there aren't more simple solutions to secure our messages that even moderately educated people can easily grasp?
Given the number of stolen laptops and other types of data theft, you would think now is the time for e-mail encryption. But it shouldn't be so hard, and I dare say that many of you can't even name 10 of your correspondents with whom you regularly exchange encrypted e-mail.
Back in the summer of 1998, Marshall Rose (one of the principal inventors of Internet e-mail protocols) and I co-wrote a book called Internet Messaging about how corporations can exploit e-mail across the Internet. When it came time to write the chapter on secure e-mail, we said: "The state of secure e-mail standards is best described as a sucking chest wound. There are no technologies for secure e-mail in the Internet that meet the criteria of being multivendor, interoperable, and approved or endorsed by the Internet's standardization body."
This sadly remains true today. While there have been some slight improvements in secure e-mail, including such notable developments as PGP Universal, it still isn't a very large list of products. Part of the reason is that standards are still too lax or too numerous, take your pick. Corporate-wide key management is too onerous, making it difficult to make changes and keep your e-mail certificates in synch as staff comes and goes.
And while there are a few solid products to choose from, interoperability is still miserable, and plenty of difficult implementation issues exist. Most products assume that users only own one machine, making it harder to manage e-mail that originates from multiple PCs and multiple operating systems.
Yahoo, Microsoft and others have been working for several years on sender authentication with little to show for it. (Want to read an amusing missed prediction? How about this: "Sender authentication will almost certainly become a de facto standard part of the Internet's e-mail infrastructure over the next few years," said The Register three years ago.) Microsoft maintains a page on Sender ID, just one of the many competing attempts to take control over this situation. One simple solution is to put up a simple Web message form to send secure messages.
Far too many steps are involved to exchange secure messages. You still need to understand lots about public key infrastructure, certificate management, and how your e-mail client works. Until these issues are resolved, secure e-mail will continue to confound most of us.
Why can't Microsoft make a more secure Windows desktop?
Have you had enough with cleaning up your Windows OS after some security exploit? Tired of hearing gripes from your users, proclaiming that all they did was surf what they thought was a perfectly innocent Web site before their PC crashed and burned? So why can't Microsoft make a more secure version of Windows to protect us all from these situations?
Give them points for trying: At least Vista and IE v7 attempt to lock things down more than what was possible with XP, something that's finding lots of appeal with IT managers who are considering these upgrades.
But still. Look at what Microsoft did with Vista's firewall. The firewall available on XP (and only with Service Pack 2) didn't block outbound connections, which made it easier for the bad guys to turn your PC into a spam-creating zombie. Vista includes this ability, but it's so difficult to set up and so obscure to configure that you're still better off with a third-party firewall.
Just think of the entire software infrastructure Microsoft could eliminate overnight if Windows were more resilient. Anti-spyware, antivirus, personal firewall, anti-phishing tools would all be unnecessary. Nice to dream about, even for just a moment.
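To show what the outbound-filtering setup in Vista actually involves, here is an added example (not from the column) of the netsh advfirewall commands that turn on outbound blocking and then punch the minimal holes a desktop needs, plus a narrower alternative that leaves the default policy alone and only stops the direct-to-port-25 traffic a spam zombie generates. The rule names and the Outlook path are placeholders I chose for illustration; run the commands from an elevated Command Prompt.

```batch
REM Added example: Vista Windows Firewall outbound filtering with netsh advfirewall.
REM Rule names and the program path below are placeholders, not values from the article.

REM 1. See the current per-profile policy. The Vista default is
REM    "BlockInbound,AllowOutbound", i.e. outbound is still wide open.
netsh advfirewall show allprofiles

REM 2. Flip all three profiles (domain, private, public) to block outbound by default.
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

REM 3. Allow only what the desktop needs to leave the machine.
REM    DNS and Web first, then the mail client by executable (placeholder path).
netsh advfirewall firewall add rule name="Allow DNS outbound" dir=out action=allow protocol=UDP remoteport=53
netsh advfirewall firewall add rule name="Allow Web outbound" dir=out action=allow protocol=TCP remoteport=80,443
netsh advfirewall firewall add rule name="Allow Outlook outbound" dir=out action=allow program="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" enable=yes

REM 4. Log what gets dropped, so a process trying to spew mail shows up in the log.
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging filename "%systemroot%\system32\LogFiles\Firewall\pfirewall.log"

REM 5. Verify the outbound rule set.
netsh advfirewall firewall show rule name=all dir=out

REM --- Narrower alternative: keep the default "allow outbound" policy and only block
REM     direct SMTP, which is how a zombie PC sends spam. Block rules win over allow
REM     rules, so an explicit allow to the corporate mail server can be added above it.
REM     (Replace the address with your own mail server; this one is a placeholder.)
netsh advfirewall firewall add rule name="Allow SMTP to corporate relay" dir=out action=allow protocol=TCP remoteport=25 remoteip=192.0.2.25
netsh advfirewall firewall add rule name="Block direct SMTP outbound" dir=out action=block protocol=TCP remoteport=25
```

The full lockdown (steps 2 and 3) is the part the column calls obscure: every application that talks to the network needs its own allow rule, which is why most shops end up either relaxing it or buying a third-party product that builds the rule list interactively. The SMTP-only variant costs nothing in user support and still removes the most common symptom of an infected desktop.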
Instead, the harsh reality is that corporate IT managers have had to develop elaborate schemes for locking down their Windows desktops, eliminating security weaknesses, and curtailing numerous options that are part of the Windows OS. There's a more secure desktop OS that's readily available today. It's called Macintosh OS X. Too bad that most corporate IT shops can't use it for their bread-and-butter applications.
Why can't SSL VPNs include NAC?
Speaking of locking things down, when it comes to network protection, popular wisdom has it that Secure Sockets Layer virtual private networks are the best of the current breed. That's why it's alarming that most SSL VPNs can't really protect the overall enterprise network from all kinds of infected computers.
The current buzzword is Network Access Control, or NAC. This is an entirely new branch of enterprise security that tries to finesse the fact that SSL VPNs are really good at authenticating users, but when those users type on infected machines, the VPNs have little control over what comes through and offer a false sense of protection.
NAC is focused on what's running on the endpoint, not just authenticating users. It's a great idea, and it would be even better if NAC was built into SSL VPNs to begin with. While some of the leading vendors such as Aventail (now part of Sonicwall), F5, and Juniper have rudimentary endpoint scanning routines included in their products, other SSL vendors could do a better job of marrying these two technologies.
Still, this isn't enough to protect the entire corporate network from a virus-laden laptop that walks into the headquarters and doesn't use the VPN. And laptops aren't the sole issue. What happens when more users begin to make use of smartphones and other PDAs that can carry malware and be another source of infection? Leading vendors such as Aventail have Windows smartphone SSL clients, so that enterprise networks aren't invaded by PDA viruses.
But not every vendor offers this kind of protection yet, and some infection vectors aren't covered, either: What happens when someone tries to compromise a network print server, for example?
Therein lies the dirty secret of endpoint security: If you want complete endpoint protection, you need to upgrade your network infrastructure. If you upgrade your infrastructure, chances are you'll need to add software to each of your endpoints, too. It's messy and far from ideal.
And while we're complaining about VPNs, the most popular VPN client from Cisco can break so many other things on the average desktop that it's often useless. Why can't Cisco write better VPN client software that can get along better with the standard suite of corporate applications?
Why I don't want to buy another "security appliance."
The Internet is truly a great place, where anyone can masquerade as anyone else, any application can be installed with little energy, effort, or security, and data can traverse around the world in a matter of milliseconds. But the Internet has grown up into a nasty neighborhood, and some people who live there want to do your corporate networks and other resources a great deal of harm.
It's hard to overstate the malicious scans and penetration testing that's continuously going on over the Net. And while you may not think your business is targeted, by having a public IP address, you're automatically entered into this sad sweepstakes. No purchase necessary, once you have your broadband connection. And I'm not just talking about e-mail spam, either. Now we have blog comment spam, Web forms spam, IM spam, image spam, and probably three or four new kinds that are just being crafted in Estonia or wherever.
To stop all this traffic, we have various kinds of security appliances. The trouble is, you can buy an almost infinite number of devices for this protection. E-mail spam appliance? Check. Intrusion-prevention appliance? Firewall? Check, check. Web applications firewall? Check.
How many firewalls and security appliances does one network need? Aren't we approaching the situation where there are more appliances than users on our networks?
Meanwhile, at the risk of stating the obvious, plenty of wireless access points are running wide open. Too bad you can't buy an appliance to protect you from these exploits.
So how about spending a bit less time buying a new appliance to spend more time and effort to fix the obvious loopholes in what you already have? Now that's a concept I can love.