Archive for October, 2005

Edge: TURING’S CATHEDRAL by George Dyson

Monday, October 31st, 2005

Edge.org has an essay by George Dyson loosely concerning his recent visit to Google. Though the entire essay is worth a read, I was particularly drawn to a few comments on distributed systems which are in line with some of my concerns around the scalability of the central server security architecture:

In a digital computer, the instructions are in the form of COMMAND (ADDRESS) where the address is an exact (either absolute or relative) memory location, a process that translates informally into “DO THIS with what you find HERE and go THERE with the result.” Everything depends not only on precise instructions, but on HERE, THERE, and WHEN being exactly defined. It is almost incomprehensible that programs amounting to millions of lines of code, written by teams of hundreds of people, are able to go out into the computational universe and function as well as they do given that one bit in the wrong place (or the wrong time) can bring the process to a halt.

Biology has taken a completely different approach. There is no von Neumann address matrix, just a molecular soup, and the instructions say simply “DO THIS with the next copy of THAT which comes along.” The results are far more robust. There is no unforgiving central address authority, and no unforgiving central clock. This ability to take general, organized advantage of local, haphazard processes is exactly the ability that (so far) has distinguished information processing in living organisms from information processing by digital computers.

Network security used to be focused on special-purpose devices scattered around the network (firewalls, IDS, etc.). Similarly, network identity worked only on a small percentage of connections (dial-up and VPN). I’m not sure this model will hold in the long run, primarily because almost every device in a modern enterprise network has a security component (routers, switches, APs). Furthermore, with the advance of 802.1x and other network authentication protocols, unauthenticated network connectivity will diminish. So when every device is doing security, and every network connection is authenticated, can we really rely on the HAL-9000 approach to policy management and enforcement? I need to put together more thoughts on this, but models like IP routing tables and DNS hierarchies start seeming like far more sound ways to organize security policy and enforcement.

Outsourced WLAN AAA

Friday, October 28th, 2005

The folks over at Mobile Pipeline have a review of three companies offering outsourced AAA services for WLAN. They seem to be targeting the SMB market. Everything is handled remotely with no on-site AAA. It will be very interesting to track how these offerings are picked up in the market. The unstated consideration of these designs is that if your Internet connection goes down, so goes your WLAN. This may be fine in organizations that use WLAN as a secondary access medium, but I’d imagine plenty of small companies choosing to go wireless for everything rather than bother with cabling. The question organizations need to ask is: “Are there local services we need access to via WLAN even in the event that the Internet goes down?” I suppose a local emergency user could be configured on the AP to counter this; I wonder if many are doing so.

The Obligatory First Post

Thursday, October 27th, 2005

So yes, I’ve got a cheesy default template, and yes, it looks nothing like my main site. But then my main site hardly inspires a desire for artistic consistency. Thus it will stay until the style sheet fairies bless me with both a desire and the knowledge to screw around with it.