wrong tool

You are finite. Zathras is finite. This is wrong tool.

The Idealized Firewall

by 1 Comment

2014-10-12_1508

 

When I joined Juniper, my interview was very funny because I knew nothing about networking or security. Well okay, I could draw clouds that had arrows pointing to each other and I knew the basics of sockets, but nothing like anyone who actually knows networking…

That’s what has made the job so much fun. Applying 15 years worth of experience to learning a new problem domain…

A specific challenge, I had was how to think about a firewall, in particular what exactly are the functional elements of a firewall that transcend any specific implementation.

A diagram I came up with that has had surprising predictive power is what I am sharing today.

Basically a firewall has three layers.

Physical Layer

Starting from the top, we have a physical layer that has packets come in as a rain drops. I’ve already talked about rain drops and streams, and this lowest layer is what handles the packets. This is a physical network layer where cables are plugged into a firewall device. Just above the packet flood is a load-balancer that ensures that packets from similar flows end up on the next layer at the correct processing unit.

Cheap Computational Security

Cheap computational security is what I have been calling security that can be done very efficiently,  has to look at a relatively bounded number of packets and can be assisted with hardware. This is typically what we have historically called “L4 Firewall Security”. Things like ALGs etc are implemented in this layer. This layer is able to take the packet flood and turn it into a stream before the security processing begins.

Because cheap computational security is implemented in terms of flows, a series of packets turns into a flow and then we start doing security on it, abstractly we can think of thousands of individual threads each handling a single flow. Obviously this is not how we would implement things, but is a useful mental model.

This mental model is particularly useful because it explains why the prior layer must load-balance the packets. Essentially using packet only information the physical layer must direct packets to the right thread processing the right flow.

Because the physical layer can make a mistake in load-balancing, this layer is able to detect the mistake and forward the packet to the right cheap security element.

Once the cheap computational security is done, then packet is forwarded to more expensive computational security if that is appropriate. That forwarding goes through yet another load-balancer whose purpose is to find either a lightly loaded computational element or send more packets to one that is still processing.

Expensive Computational Security

The final layer in firewalls is expensive computational security. This is stuff we have historically called “L4-L7 security services” such as UTM or SSL forward proxy etc.

This layer expects to receive a stream of packets and typically takes a lot of CPU and Memory resources to perform the operations that need to be done to detect security breaches.

Again this layer can conceptually be thought of a series of distinct computations on independent flows.

Final thoughts

What I described isn’t a firewall per-se, it’s just a useful mental model for how to think about firewalls. And in particular, to understand the hardware trade-offs in designing firewalls.

 

 

Learning Rust

by Leave a Comment

I recently stumbled on to the Rust programming language.

What struck me was the promise of safety and performance – a C for the rest of us is the customer pitch.

And indeed Rust is a nifty programming language that tries to bridge a gap between managed code and unmanaged code. Managed code is code that has system managed memory, aka garbage collectors, and unmanaged code is code that relies on the programmer to manage the code directly.

Conceptually what they are doing is using the type system to enforce safety. This restricts what kinds of things you can do with pointers, but if the type system forbids certain activities then that’s okay and your program can fit into that model that’s okay as well.

There are papers from 15 years ago that explored this kind of concept: CCured: Type-Safe Retrofitting of Legacy Software – Rust almost represents a natural evolution of this thought process – don’t try to make an unsafe language safe, let’s try to make a language safe while retaining the ability to manage memory directly.

What is intriguing about Rust and what differs from the papers I remember reading so many years ago when I was a student at Stanford is that they are tackling the problem differently. Instead of asking: How do I make C safer? They are asking: How do I make it easier for Ruby programmers to write code that has memory that is unmanaged? Essentially they are posing the question – do we need garbage collectors at all? And if we don’t then that may have profound implications for how code gets written.

And as it turns out that the problem of enabling Ruby programmers to write unmanaged code is far more important to solve than the problem of making C safe, and I might even argue tractable.

What is fascinating is that since the early late 90’s the need for a language that fits between the need to actually manipulate direct memory regions and completely managed code remains and that space needs to get filled  and Rust is a credible player in that space.

 

 

Rain Drops and Rivers in Network Firewalls

by Leave a Comment

One of the funnest parts about having a job in a industry you know nothing about is that you can ask really basic questions. Those questions allow you to build mental models that you can then use to learn about an industry and perhaps if you are extraordinarily lucky and pick the right time and place make an impact on an industry.

What follows are really basic insights, nothing profound here…

When I looked at Firewalls, the networking part of the firewall was very mysterious. Most of the value was in security, but a lot of the hard-back-breaking work was in integration with the network. Especially at scale the network integration was extraordinarily important.

At first I thought it was about protocols. And there is some truth to that but a lot less than we all think. The need to integrate in line with thousands of protocols is absolutely a challenge and a barrier to entry but not the real source of the challenge.

Maybe a different way to express my comment is that the protocol integration challenge is a signal that there is something going on there that is causing complexity, protocol integration is a symptom not the cause.

And my latest way to express the problem is the following:

If you imagine an IP network it’s a flood of packets like raindrops falling from the sky. And at every hop, decisions are made on a per-packet basis.

But security can not be implemented on a per-packet basis. You have to look at a large number of variable packets. The more complex the security system, the more packets that need to be looked at.

The challenge with firewalls is that you need to turn the flood of packets from millions of Alice’s, into little streams of packets that you can then inspect and once done inspecting flip that stream around into packets that the millions of Bob’s are expecting and send them out. Later on you have to be able to get packets from a specific Bob and correlate that packet with packets you received from a specific Alice talking to that specific Bob , turn Bob’s packets into a stream, inspect the packets and send the packets back out to the right Alice.

And – oh by the way – Alice and Bob must never know that you did that because the protocols may not allow that.

I have this image of water drops coming in one end, you enter the firewall and they turn into streams, and then they leave the firewall as raindrops the other side. And this image is remarkably resilient to explaining many things about how firewalls work and why some things in firewalls are easy and somethings are very hard.

And the nice thing about this model is that it explains why protocol processing is so crucial … without the ability to process a protocol it’s impossible to make the rain drop to stream to rain drop transformation correctly and because you are looking at all of the rain drops trying to find a bad guy, protocol completeness is crucial – skip a protocol and that is the door way for the bad guys.

 

 

Impressed with Yahoo Mail

by Leave a Comment

Over the weekend, I decided to finally wrest control from the crap in my Yahoo Inbox. Because of my willingness to sign up for any service, my inbox had escalated from a small number of emails to over 18k unread emails since 2009!

Yahoo’s decision to give unlimited space made this worse, the caps on storage would periodically force me to get a handle on things, and now … well … now the Inbox could just grow and grow and grow…

Given my Inbox dates from pre 2000, more or less when yahoo mail started, this exercise filled me with wonder. Would Yahoo still be able to serve up my email? Would I find curious pauses in my email as I scanned further and further back in time? Would email just disappear? Would those emails from 1999 be gone?

Turns out that Yahoo handled my searches through time wonderfully. And more importantly I was able to find some memorable old emails from my friends from almost 15 years ago.

My inbox was probably initially served off of the original infrastructure that Yahoo made available to customers in the 1990’s. To see the data still being available was impressive. Being able to store and retrieve 15 years of email correctly, given the data center migrations, storage system upgrades, infrastructure upgrades, CEO turmoil is a tribute to the quality of the engineering team at Yahoo.

 

 

Am an Appearance Conscious Asshole

by Leave a Comment

No longer a Technology Conscious Prick

Just bought my first iPhone (iPhone 6 plus) after years of Android.

Not clear if I am delighted yet.

Scheduled some time with a stylist …

Lambda C++

by Leave a Comment

After a large time gap between large C++ systems, been catching up on the language. Feels like meeting a high-school friend who you didn’t friend on Facebook.

One of the things that got me to realize that this was not my childhood’s C++ was the existence of lambdas.

At first, I was like: EWWWW… First we had Java envy and now we have Scala envy… does anything ever change.

Except now that I am starting to dig into this little feature, the fact that you can write this piece of code is wicked convenient:

vector<int> v;
v.push_back( 1 );
v.push_back( 2 );
//...
for_each( v.begin(), v.end(), [] (int val)
{
    cout << val;
} );

My personal frustration with using STL may be finally overcome…

The real story behind net-neutrality?

by Leave a Comment

There is a lot of dialogue about net-neutrality, what isn’t really discussed is this problem:

Jeff Reading, a communications director for Mayor Ed Murray, told MyNorthwest.com that the city wants people to limit their “non-essential mobile conversation” so that cell networks can stay unclogged in case of emergencies.

Basically the mobile internet was not built to handle video and the huge volume of images that we’re creating.

Everyone involved in creating rich media applications knows this or should…

There is a debate raging over how do we pay for the necessary infrastructure upgrade.

This is a classic IT vs Business Group debate with no CEO in charge to make a decision. In a traditional company the business team wants something out of IT, and IT is happy to provide as long the business group provides the budget … These debates go on for months until someone either finds another way to solve the problem or someone caves.

In a more socialist country, the state would just foot the bill and we would have better pipes. In our less socialist country, corporate entities argue amongst themselves and appointed officials make decisions based on interpretations of the law that result in further litigation that ultimately result in someone paying the bill…

The basic problem is the following:

  • The content management companies and content distribution companies want to force IT to pay for the bill from their budget
  • IT wants to get a piece of the action and wants the content management businesses to pay more for the infrastructure build out.

And billions of dollars of wealth for the owners and senior managers of those companies are at stake. This will take a while to resolve. The infrastructure build out to support the new network is going to be colossal. We are going to need new handsets, towers, gateways and backbones and all of that is going to be very expensive to replace and upgrade.

The one company that is taking an orthogonal point-of-view to this debate is Google. Google is basically telling IT: Screw you… if you won’t build it we will… And so we have Google Fiber.  And Google’s action may force traditional IT to pay for the upgrade through internal operational optimization rather than new sources of revenue … Proving to me, at least, Google is one of the most interesting companies on the planet.

 

 

 

 

Was a technology conscious prick

by Leave a Comment

http://www.theonion.com/articles/iphone-6-plus-vs-samsung-galaxy-s5,36969/

Now planning to become appearance conscious asshole.

 

Debugging an archaeological find

by Leave a Comment

When confronted with a bug in a piece of software whose authors are lost in the mists of time, and whose internal workings are opaque and mysterious, debugging can be a challenge.

But that’s why we became engineers, we like challenges.

The first problem is to understand what the nature of the bug is. Typically you get some crash that has a signature that suggests that something went wrong in the machinery of the ancients.

Our first reaction, because we are human is to cry out:

That’s not true. That’s impossible!

How can the machinery of the ancients be broken? It never breaks!

The first challenge is to understand the nature of the breakage. Sitting in a sea of memory with no clue what is going on…  you have to begin the process of sifting through the code and the memory to understand what exactly has happened. Not what the bug is, but what the sequence of events that occurred that produced a crash.

The goal is to create a hypothesis that explains how the crash occurred, not the why, but the how.

There is one strategy that is interlinked. The first part is to start reading code and analyzing core files, and looking to see if similar bugs got reported in the past and got swept under the rug. The second part is to desperately and frantically try and reproduce the bug.

Essentially what you are trying to do is gather experimental evidence to guide the analysis of the software and the ancient bug reports.

Once you have figured out how the bug occurred eg: memory got corrupted and that resulted in this set of instructions to execute, the next step is to begin the process of how.

This turns out to be both trickier and easier. Easier because you now know how the crash happens. Trickier because you know need to understand an increasingly larger scope of the system …

In the case of corruptions there are at least two possibilities: structural or wild.

A structural corruption is caused by the code that manipulates the data structure … This is easy because the problem is localised.  Tricky because as an archaeoligst you may need to go several layers away from where the crash occurred requiring more analysis to follow the code all the way to the source of the flaw.

More inelegantly, there is a core data structure that is busted, there are other data structures that are related to that data structure, either as inputs or as outputs, being able to see how the dependent data structures look as compared to the corrupted one can guide your investigation. You are looking for the source of the corruption and seeing the input and output data structures can tell you where to start looking depending on their state. Sometimes there are no input and output data structures, just lots of dependent ones but the principal holds.

In this case you want the testing to get narrower and narrower to find the bug faster and in a more focused way. As you get a better understanding of the code and the processes and the internal data structures the testing goes from being – use a thermometer to use an MRI…

Wild corruptions are caused by two unrelated pieces of code causing each other harm. Some random piece of code is causing the ancients code to get fubar’ed. And if the code is vast and large, understanding where that can happen can be hard but not impossible. To attack that problem you a useful approach is to do a brute-force attack on the code to see what combination of features executing in parallel or in isolation can cause the bug. Your goal is to find the places that are running and see how you can find the one piece of code that is doing the wrong thing. This is why reproduction of the bug remains the single most important process in debugging archaeology.

The nice outcome of this process is that in the end the understanding of the mysterious ancient technology is revealed. And with that comes a moment of personal satisfaction. You are now one with the ancients.

And then a desire to rewrite their code overcomes you… and then you too become a new ancient one….