By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
A single entry point has often been thought easier to defend than multiple entry points, as evidenced by medieval castle design. There are some caveats to reducing the number of Internet gateways, though.
A single gateway represents a single point of failure, something that could bring a whole range of mission-critical business functions to a halt -- unless some sort of fail-over redundancy is in place. And with fewer gateways, the servers must take on larger loads, and they are likely to require higher specs that could be more costly. They must be configured efficiently so that they don't become bottlenecks.
Despite these caveats, reining in the natural proliferation of an organization's Internet gateways has no discernible security downside, versus a lot of upside. With fewer gateways, the logistics are simpler, like configuration, patching and so on. The protection effort can be focused on monitoring network activity and reacting to it. In the case of a major attack coming from the Internet, the ultimate defensive measure, disconnecting, is a lot easier to execute if there is only one connection (note that Horatio's task was to hold the bridge only until it could be torn down -- the replacement was made without nails so that any future disassembly could be more quickly executed).
Having fewer gateways also enables enterprises to use fewer resources to greater effect. For example, an organization may only need to use two firewalls on one gateway, versus a firewall on each of six gateways. A limited number of attack points allows for better monitoring to spot attacks and anomalies more accurately. New staff can be brought up to speed more quickly if there are fewer gateways to learn about.
Interestingly, the federal government has been pushing a reduction in gateways. The Office of Management and Budget's Trusted Internet Connections (TIC) initiative aims to reduce agencies' Internet connections from more than 1,000 to about 50 (about two gateways per department). Apparently, the Department of Defense has already reduced its number to 18.
The pressure to open more Internet gateways for different business processes is not likely to abate, but those in charge of security should try to push back -- citing the increased risks and costs of more entrances to the network. Until the overall standard of behavior on the Internet improves, there is just not enough trust out there to justify opening doors all over your network.
Dig Deeper on Network Firewalls, Routers and Switches
Related Q&A from Michael Cobb
An old Java vulnerability was discovered to have been ineffectually patched. Expert Michael Cobb explains how this happened and what can be done to ...continue reading
Google's Certificate Transparency tool publicly logs certificates issued by CAs. Expert Michael Cobb explains how the log viewer works to improve ...continue reading
Crowning the most secure web browser is difficult, with research often turning up biased results. Expert Michael Cobb explains how to make a choice ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.