A single entry point has often been thought easier to defend than multiple entry points, as evidenced by medieval...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
castle design. There are some caveats to reducing the number of Internet gateways, though.
A single gateway represents a single point of failure, something that could bring a whole range of mission-critical business functions to a halt -- unless some sort of fail-over redundancy is in place. And with fewer gateways, the servers must take on larger loads, and they are likely to require higher specs that could be more costly. They must be configured efficiently so that they don't become bottlenecks.
Despite these caveats, reining in the natural proliferation of an organization's Internet gateways has no discernible security downside, versus a lot of upside. With fewer gateways, the logistics are simpler, like configuration, patching and so on. The protection effort can be focused on monitoring network activity and reacting to it. In the case of a major attack coming from the Internet, the ultimate defensive measure, disconnecting, is a lot easier to execute if there is only one connection (note that Horatio's task was to hold the bridge only until it could be torn down -- the replacement was made without nails so that any future disassembly could be more quickly executed).
Having fewer gateways also enables enterprises to use fewer resources to greater effect. For example, an organization may only need to use two firewalls on one gateway, versus a firewall on each of six gateways. A limited number of attack points allows for better monitoring to spot attacks and anomalies more accurately. New staff can be brought up to speed more quickly if there are fewer gateways to learn about.
Interestingly, the federal government has been pushing a reduction in gateways. The Office of Management and Budget's Trusted Internet Connections (TIC) initiative aims to reduce agencies' Internet connections from more than 1,000 to about 50 (about two gateways per department). Apparently, the Department of Defense has already reduced its number to 18.
The pressure to open more Internet gateways for different business processes is not likely to abate, but those in charge of security should try to push back -- citing the increased risks and costs of more entrances to the network. Until the overall standard of behavior on the Internet improves, there is just not enough trust out there to justify opening doors all over your network.
Dig Deeper on Network device security: Appliances, firewalls and switches
Related Q&A from Michael Cobb
A technique known as the GhostHook attack can get around PatchGuard, but Microsoft hasn't patched the flaw. Expert Michael Cobb explains why, as well...continue reading
Software developed by the hacking group Platinum takes advantage of Intel AMT to bypass the built-in Windows firewall. Expert Michael Cobb explains ...continue reading
Tensions between the U.S. and Russia have led to source code reviews on security products, but the process isn't new. Expert Michael Cobb explains ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.