iPad Air 2, Samsung Galaxy Tab A, or $350 Off with SANS Online Training Right Now!

Thought Leaders


Table of Contents


Bill Pfeifer, Juniper Networks

Stephen Northcutt - March 4th, 2011

Thought leader Bill Pfeifer Bill Pfeifer from Juniper’s security group has agreed to a thought leadership interview. We hope that you will enjoy his thoughts and impressions and we certainly thank him for his time.


Bill, do you have an abridged bio you can share to kick things off?


Absolutely! I currently work for Juniper Networks as a Product Line Engineer supporting security software and data center firewalls. I have been working in IT for 15 years, including stints at an Army tank base, a technology reseller, and some time at a financial services ASP. I hold a Bachelor’s degree in Civil Engineering from Penn State and an MBA with a human resources focus from Oakland University. Certifications come and go (my GSEC expired a few years ago), but I currently hold a JNCIS-Sec and a PMP.


Bill, please tell us some of the papers or presentations you have written that are available on the web:

Stephen, not much of what I’ve written thus far is available on the web – most of it is internal to Juniper and therefore sharing is restricted. I’m working on remedying that in the near term.


No worries, can you please list your top three “must read” papers that are available on the web that you did not write:

That’s a tough one, since they age out so fast… I’d like to come up with an impressive list of super-detailed technical papers to impress everyone, but I guess when you get right down to it most of what I read is oriented around keeping current about the context of where the world is and where it’s headed. My three favorites at the moment:
  • A video from the Web 2.0 summit on GenZ’s behavior in the market – this is very telling about some of the changes that will be coming in the next 10+ years as these folks become a key demographic, to say nothing of what will happen when they enter the job market: http://www.web2summit.com/web2010/public/schedule/detail/15879
  • A short article from 1998 where Vint Cerf warns that IPv4 addresses will be exhausted. It’s a much-needed reminder of how long it can take to effect change to an open system, particularly when that change requires coordination between autonomous entities: http://www.zdnet.co.uk/news/networking/1998/02/10/net-may-run-out-of-ip-space-tcpip-pioneer-2067617/
  • Next on my reading list (as soon as I’m done here) is the SCTP RFP – I’m seeing a rapidly escalating amount of discussion around it, and a multi-streamed, multi-homed, connection-oriented protocol sounds like something that’s going to be a major up-and-coming protocol to watch: http://www.ietf.org/rfc/rfc2960.txt


What an eclectic collection of information, thank you for sharing that Bill. I tried reading the SCTP RFC and it made my head hurt. The IPv4 address exhaustion link reminds me of the whole Social Security mess, everyone knows a train wreck is coming and yet politicians from both parties continue to give it lip service at best. Can you share a few words about how Juniper is making the transition from IPv4 to IPv6 less painful for your customers?


That’s a pretty big topic, so I’ll try to keep my answer to less than an hour (just kidding). The move to IPv6 has been an interesting one so far and won’t be ending any time soon. For many users, and maybe even most users, the move to v6 addressing will be a gradual process that happens over the next few years. Alain Durand of Juniper wrote an interesting blog on what he calls the ‘IPv4 long tail’; in it, he talks about the number of home devices that are v4-only as well as the small number of web sites that are currently v6-enabled. In short, v4 isn’t going away any time soon.

Now, having said that v4 isn’t going away, that certainly doesn’t mean that v6 isn’t coming toward us full-speed. New devices like 4G cell phones are already v6-enabled (and most of those already run their v6 traffic through Juniper routers and firewalls), and pretty much, any new equipment that you buy today should come with v6 activated. With the slow decline of v4 and the upcoming rapid rise of v6, the two address spaces have had to learn to coexist peacefully.

At the moment, seven of the top ten service providers in the world are either running or actively testing implementations of Juniper’s high-capacity address translation feature that enables v4 and v6 to talk to one another (that’s Carrier-Grade NAT, or CGNAT, if you want to look it up for more detail). We support a number of other options as well, so whatever your requirements are we can probably help you with either a migration to v6 or communication between v4 and v6. We’re also participating in World IPv6 Day coming up this June, which is basically just a global test run for IPv6-enabled systems (you can already access Juniper’s web site via IPv6 at http://ipv6.juniper.net if you want to play around with v6 before June).

If I dip into Juniper’s official messaging on the topic I’m sure I could fill a book with all the things that are going on to ease the migration from v4 to v6, but these are just my thoughts on the matter and what’s top-of-mind for me.


Thanks for sharing that, now I just have to ask, how did you become interested in the field of information security?

I thrive on change, and this is one of the fastest-changing environments available. My first degree is in Civil Engineering (not a very dynamic field); before graduation I had the opportunity to work as an intern for a tech company, and I enjoyed the pace of the work and the constant change. After graduation, I got a job working on a government contract; it was an aggressive environment. My first year we had over 100% turnover of our staff – VERY dynamic, and I never worked on the same thing twice. It’s not a good way to run a stable business, but for a young guy fresh out of college it was the best training ground imaginable. From there I went into consulting, followed by a gig in management, then I came to Juniper; each of the moves was made in search of a new challenge, and each one took me deeper into the infosec world. Once at Juniper, I moved around a few times internally before I landed in the Security group – it’s amazing to see all the different sides of security, and I’m glad I took a roundabout path to get where I am because it gives me a much broader and better-grounded view of events.


Bill, that is a great story, and I am sure I will have some follow up questions in just a bit, but for now, have you worked on security products before the products your team is working on today? If so, please list them and describe the highlights of some of these products.

Before I came to Juniper I worked on a whole range of products (except for Juniper, oddly enough). I was mostly focused on Cisco and Check Point. I did a few installs of Cisco’s Firewall Feature Set on the 2600-series router, and customers loved the pitch that it was as close to an ‘office in a box’ as they could buy at the time. Check Point is, of course, Check Point – they were THE firewall to have for quite a long time due to their excellent central management and intuitive interface.


I surely agree on Check Point, I was configuring those months before I had my official vendor training, it was an intuitive interface. Now that I know a bit more about rule bases, I am less certain the firewalls I configured did what I hoped they would do, but they were easy to configure. So, what product are you working on today? What are some of its unique characteristics? What differentiates it from the competition?

Today I work for the Security Business Unit at Juniper; we build data center- and service provider-oriented security devices. The flagship product is the SRX5800. It’s a chassis-based system with modular network and services cards (IOCs and SPCs, respectively); the major technical differentiator is that it can dynamically load balance traffic across multiple services cards – need more processing power? Add more SPCs and the system will sort out how to use them.


Whoa, whoa, stop Bill! Can you take a minute to explain what IOCs and SPCs are, what they do, how they differ from one another please!

I mentioned earlier that the SRX is a modular system; the modules that are available for the 5000 series are Input/Output Cards (IOCs), and Service Processing Cards (SPCs). The modular structure of the chassis allows for easy on-demand expansion on an as-needed basis. We have customers that want lots of ports and only need a little bit of security – they can load up a chassis with IOCs and just a few SPCs; other customers want lots of processor-intensive services (IPS for example) with just a few ports – they buy lots of SPCs and just a few IOCs. More commonly, we have customers who need some firewall throughput today but plan to expand in the future, so they love the pay-as-you-grow model that the SRX brings to the table. It’s an approach that lets our customers customize the SRX to their needs and only pay for the hardware that they need, when they need it.


Thank you for that, please continue about the SRX5800.

From a management and marketing standpoint, the main differentiator is that the SRX runs Junos, Juniper’s core OS, which is the same operating system that runs on our switching and routing platforms. By learning Junos you can effectively run a network end-to-end, from your basic standalone closet switches through data center switches and routers and into advanced security features.


Thank you! Let’s move back into the general security space; given your very diverse background, will you please share what you think the security products in your space will look like in two years, what will they be able to do?

In two years I think the landscape will be largely the same (bigger and faster boxes, of course, but no significant structural changes to the industry). Cloud-based systems and services (IaaS, cloud storage, cloud apps, cloud security) will continue to rise but won’t have a major impact on most enterprise data center implementations yet. The VM-oriented security market will be rapidly maturing (the first-gen products have only just started to develop that market).


Would you be kind enough to expand on the statement “the first-gen products have only just started to develop that market”?

Well, so far the security industry hasn’t fully embraced the rising trend of server virtualization. With the explosive growth that we’ve seen in the past year and the expectation of continued growth in that space, we’re finally starting to see security products and designs that really take virtualization into account. The answer for how to secure virtual machine (VM) traffic has thus far been to put the traffic on the wire, run it through a hardware-based security appliance, and send it on its way. With Web 2.0, SaaS, and other modern technologies that increase the amount of server-to-server traffic, the hardware-based approach often meant taking traffic out of a VM, running it through a firewall, and sending it back to a different VM running on the same server – a very inefficient process; beyond that, we have dynamic creation, destruction, and movement of VMs – it’s very difficult with current security management products to enable your network-based and VM-unaware security systems to enforce security policies on ephemeral VMs.

There are a few first-generation VM-based firewalls available on the market today, and those few products have created a new market. They have no historical data to show customers about their industry. They have no established, standard use-cases for their technology, nor any standards by which to judge their products (will customers judge them against their competitors by throughput, or processor utilization, or maximum number of physical servers that can be supported by their management app?). They’re making it up as they go along. As they mature, they will be working hand-in-hand with their customers to define what their industry is and how to be a member of that industry.

Juniper recently bought Altor Networks (it’s just been added to our portfolio as our ‘Virtual Gateway’ or ‘vGW’). Altor is one of the first generation players in that market, so Juniper has become a part of the development of the virtual firewall marketplace, and it’s a pretty exciting place to be right now.


Ah, I understand. Can you tell us more about what the landscape will look like in the next few years?

Sure. If you look just under the surface, the groundwork is being laid today for a move to cloud-based designs across the board, from multi-node chassis clusters on up to single-layer networks with security built in; that change will start to be felt physically well inside of the next 5 years. By ‘cloud-based’ here (since everyone seems to have a different definition for ‘cloud’), I mean dynamically-scaled, high-capacity, on-demand services. Whether you talk about Google Apps or a next-gen chassis design, it’s all starting to look like it’s driven by the same design team under the covers.


What an interesting thought, one design team OEMing to all the brands. I will have to think about that. In the meantime, please share your impression of the defensive information community. Are we making progress against the bad guys? Are we losing ground?

I think that in general a defensive war, run independently by individual enterprises rather than a central agency, and with such a massive and mutable attack surface, will result in a stalemate. If the bad guys get too good at what they do, then more resources will be put into defense and more transactions will take place offline (or under such tight security restrictions that they may as well be offline). If the good guys get too good at what they do, fewer resources will be allocated to the defense of assets (diminishing returns, plus it becomes difficult to cost-justify the additional expenses without an active threat) and the bad guys will work harder to catch up.

We can see this trend repeating over and over in the industry. When there are high-profile virus and worm events, more enterprises express interest in the purchase and implementation of advanced firewalls and IPS; as time goes by with no such exposure, those sales become more difficult. That balance will continue to be evaluated every day by enterprises that need to ensure that their security is good enough without being too expensive or disruptive to day-to-day operations, and by bad guys who want to succeed (make a certain amount of money, achieve a level of infamy, etc. – ‘success’ is a very individualized metric) but don’t want to work harder than they need to.


That was a great answer, so the balance of power may not be a good thing exactly, but it is certainly “a thing”. Now I am going to ask you to grab your crystal ball and share your thoughts concerning the most dangerous threats information security professionals will be facing in the next year to eighteen months.
  • Cloud-based services are becoming easier and cheaper than ever, but they are outside the control of the security team (and mostly outside of their scope of awareness). For example, a user needs to share data with his team and so for $10/month he opens a Dropbox account. There is no official approval process, no security evaluation, no internal configuration audit to see what information is being shared with whom. Corporate data is simply moved into Dropbox, and can then easily be shared with anyone else who has a Dropbox account. Add to that the capability to access that data via laptop, pad, or smartphone and you have massive increased the attack surface and the risk of data leakage. Personally, I have no idea how to secure something like that without a full DLP implementation on every corporate PC/laptop/pad/phone. More likely (and probably just as expensive) would be a massive security-awareness campaign and a reinforcement of corporate security culture driven by the human resources department in coordination with the security team.
  • The market is headed toward a shift that will dramatically increase the complexity of security designs. Cloud-based services, VM-based security, increased regulation, updated network designs, web 3.0… it’s all coming together at an increasing rate. To keep up, security professionals will need to spend more time than ever educating themselves, but will have less time than ever to do so.

Yes, it reminds me of the Red Queen in Alice in Wonderland, Now, here, you see, it takes all the running you can do, to keep in the same place. If you want to get somewhere else, you must run at least twice as fast as that!” But I cut you off, sorry, please finish.

If you leave an unpatched PC on the internet it will get infected, but by now everyone knows how to put basic protections in place and end-users are getting increasingly sophisticated about maintaining their own security. At this point, I think that in the medium term the operational threats are more dangerous than the technical ones.


Oh yeah, never underestimate a skilled operator, that is for sure. So, what is your biggest source of frustration as a member of the defensive information community?

Education and awareness. Across the board, from end users to enterprise security professionals and into the partner and manufacturing community, there is not enough awareness of what is going on in the security world. The security industry is continuing to grow and change, and as it does so it is fragmenting into more and more specialized niches – WLAN IPS, DLP, compliance auditing, log correlation, etc. Most security professionals are still trying to be generalists (as they have to be, since few IT shops can support a dedicated DLP manager) in a world that’s increasingly specialized. As a result, it’s easier for a good marketing team to build a sound-byte-based message and sell mediocre technology, or a bad design, or a product that addresses an immediate need but provides little long-term value. To make matters worse, the technical aspects of security are getting beyond what a non-security professional (senior management, end users, etc) can hope to comprehend. It’s difficult to watch people make marketing-based decisions about technical solutions.


Good answer, and I am sure most of our readers will give you a hearty amen! Speaking of that, we like to give our interview candidates a bully pulpit, a chance to share what is on their mind, what makes their heart burn, even if it is totally unrelated to the rest of the interview. Please share the core message you want people to know.

Throughout my career I have worked with enterprises of all sizes and in a number of different industries, and have seen one common theme running through them all: every one of them has a custom-designed network. In the eighties and early nineties, having a network was cutting edge. You could legitimately differentiate your business from your competitors by using technology in new and innovative ways. Fast forward to today and everybody has a network. Few of those networks provide any real business differentiation – high-frequency trading firms, some cloud-based service providers, and a few other exceptions notwithstanding. With a custom network comes the need for extensive integration testing, overly complex troubleshooting and upgrade planning, and increased security risks.

How do we start to simplify, standardize, and economize our network designs? I think that’s one of the main reasons everyone gets so excited about services that are based in the cloud. The evolution won’t be without its pains (I mentioned it as one of the greatest upcoming threats earlier), but it will also bring some very tangible benefits.

What’s coming in the next few years has my attention focused on the explosion of access devices (PCs, laptops, pads, smartphones) and the rise of cloud-based services. Google released their Chrome-based laptop test units – nothing stored locally, everything stored online. It’s a bit early for something that extreme, but while we’ll still hold on to the idea of keeping our best stuff close by for offline access for a few more years, I do expect that more and more of our data will be cloud-based.


Sure sounds like you have your head on straight, and in closing would you kindly tell us something about yourself, what do you do when you are not in front of a computer?

My daughter is 10 months old, so my wife and I spend most of our free time helping her find her way in the world and trying to keep the toddler-run destruction to a minimum. Outside of that, I spend too much time shuffling bits around at work so in my free time I like to make stuff. I have a pair of glass kilns that I use to make glass art. I recently started pouring concrete countertops, and my daughter thinks the polisher is fun to watch so I expect to do more concrete work in the spring. I think next on the list will be combining glass and concrete work with welded steel (as soon as I figure out how to cost-justify a welder).

Thanks for the time, Stephen, it was a pleasure talking to you today.