A single entry point has often been thought easier to defend than multiple entry points, as evidenced by medieval...
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
castle design. There are some caveats to reducing the number of Internet gateways, though.
A single gateway represents a single point of failure, something that could bring a whole range of mission-critical business functions to a halt -- unless some sort of fail-over redundancy is in place. And with fewer gateways, the servers must take on larger loads, and they are likely to require higher specs that could be more costly. They must be configured efficiently so that they don't become bottlenecks.
Despite these caveats, reining in the natural proliferation of an organization's Internet gateways has no discernible security downside, versus a lot of upside. With fewer gateways, the logistics are simpler, like configuration, patching and so on. The protection effort can be focused on monitoring network activity and reacting to it. In the case of a major attack coming from the Internet, the ultimate defensive measure, disconnecting, is a lot easier to execute if there is only one connection (note that Horatio's task was to hold the bridge only until it could be torn down -- the replacement was made without nails so that any future disassembly could be more quickly executed).
Having fewer gateways also enables enterprises to use fewer resources to greater effect. For example, an organization may only need to use two firewalls on one gateway, versus a firewall on each of six gateways. A limited number of attack points allows for better monitoring to spot attacks and anomalies more accurately. New staff can be brought up to speed more quickly if there are fewer gateways to learn about.
Interestingly, the federal government has been pushing a reduction in gateways. The Office of Management and Budget's Trusted Internet Connections (TIC) initiative aims to reduce agencies' Internet connections from more than 1,000 to about 50 (about two gateways per department). Apparently, the Department of Defense has already reduced its number to 18.
The pressure to open more Internet gateways for different business processes is not likely to abate, but those in charge of security should try to push back -- citing the increased risks and costs of more entrances to the network. Until the overall standard of behavior on the Internet improves, there is just not enough trust out there to justify opening doors all over your network.
Dig Deeper on Network Firewalls, Routers and Switches
Related Q&A from Michael Cobb
Microsoft is banning weak passwords on many of its services with the Smart Password Lockout feature. Expert Michael Cobb explains how it works, and ...continue reading
A malicious app called Black Jack Free was able to bypass Google Play's app store security. Expert Michael Cobb explains the threat and how ...continue reading
SandJacking, a new iOS attack technique, uses an XCode certificate flaw to load malicious apps onto devices. Expert Michael Cobb explains how the ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.