0:04
Hi folks, Ed Amoroso.
And I would like to talk to you in this video about TCP/IP,
the protocol suite that really is the language of computing.
And I think I've told you before, I'll tell you again.
If you don't understand TCP/IP, you really want to dig in and look, and
we have some suggested readings that you've probably seen us suggest.
We want to make sure that TCP/IP is something that you're familiar with.
It's a whole infrastructure driven by TCP/IP,
the protocol suite and all the attendant services and
utilities that come with what we would shorten to just IP and Internet protocol.
But I want to give you a little bit of a history lesson here that will help you
understand the security implications of this massive deployment
of IP across the world.
If you turn the clock back to the 1990s, and for
some of you may not have been born then.
I was, I was working.
Here's what you had in the 1990s.
Most businesses, government agencies, different groups,
organizations that were running a network,
were using protocols different than TCP/IP.
In fact, the company called Novell, had an extremely popular product called NetWare,
and it used a protocol called IPX.
Caused a lot of confusion, it's a very similar name to IP.
But it was different than IP.
Meaning, if we were a little business in the 90s, we're running the business.
Boom, we're running a protocol that's different than IP, and
if we wanted to get out onto the Internet, we had to translate the protocol.
So you effectively, you had a local area network,
you had a protocol translation box, and you had some other LAN or the Internet or
whatever you were connected to that might have been IP.
It was sort of like if you were driving a truck and
then you hit a barrier where now there's water.
[LAUGH] So if you want to continue, you've gotta go from a truck to a boat, and
you can see how that becomes slow.
Turned out there were no good standards for that and clearly not interoperable.
So if you had a hacker sitting back in some LAN who wants to attack something
over the Internet, it wasn't just a matter of running a scan and finding things,
you had all these protocol non-interoperability issues.
But in a sense would slow down hacking.
It would slow down computing, but it would slow down hacking.
Now, what have we seen since then?
Well, the whole world kind of decided,
why are we doing these non-interoperable things?
Why don't we run our networks, our campused area networks,
our enterprise networks, our government networks, our big public networks, run IP?
Let's run the same protocol that we're running across public infrastructure.
So what that did eventually is it got rid of that idea if you're driving a truck and
then you need a boat.
Suddenly, everything is just open highway.
And now you have a situation where a typical local
area network running TCP/IP hits a router, not a translation box.
That doesn't have much meaning anymore, now you're hitting a router.
You're running TCP/IP.
There router's happy to push things wherever it is that you're telling it to
push, or
wherever the router has been instructed to push based on the information you provide.
Think about what that means from a hacking perspective.
Suddenly, everything is in scope.
Suddenly you can, from wherever your vantage point is, you see everything.
You see Internet, seeing business, and so
on, and you'll see as we go through our discussion in this course,
that begs a protection mechanism that's essentially referred to as a firewall.
You'll see that there's a lot of different nuances on that.
But for the most part you can think of it as a firewall being put in place
where previously you had these protocol translation boxes, and
maybe you could do some security there.
Now you just have a router.
So we're going to have to learn to do something there.
Now there's a kind of a message here,
this idea that diversity might actually be a good thing for security.
It's not a good thing if you're a CIO, Chief Information Officer, for a company.
You want low cost.
You want everybody using the same tools.
You want interoperability.
You want non-diversity.
They want to train everybody on the same thing.
There's companies that do it like that.
Like if you're here in the US, there's an airline called the Southwest Airline, and
I'm pretty sure they run one type of aircraft, a Boeing 737 jet.
And I always posit in my mind, what would happen if that got grounded?
The whole company would be grounded.
That's a non-diverse business decision.
Now, it lowers their training cost,
everybody flies the same stuff, everything's standard, I get that.
But from a security perspective, you the security engineer are going to have
to think through as you're doing design.
Is it better to have everything the same or to have some things different?
That's going to be a decision you'll have to make as an engineer.
And to kind of test your understanding, as we often do,
have a little sample quiz here that will pop up on the screen.
So if you think about that, C is the obvious answer, right?
Advancing interoperability certainly does makes security more challenging.
I mean, it's a fact.
It's one of those cases where infrastructure decisions are somewhat
at odds with security decisions.
You'll see as you continue in your studies of computer security that that's not
always the case.
For example, as we advance virtualization and cloud, which most
Chief Information Security Officers and Chief Information Officers both like.
So people who want to propose better computing with cloud and
virtualization also are proposing things that are better for security,
so it's not always the case that things are at odds.
But with interoperability and security, we have to admit that when we make it easier
to do computing, we make it easier to do attacking.
So let's keep that in mind as we progress in our studies in cybersecurity.
I'll see you in the next video.
Dr. Edward G. AmorosoResearch Professor, NYU and CEO, TAG Cyber LLC
