This article can also be found in the Premium Editorial Download "Information Security magazine: Defense-in-Depth: Securing the network from the perimeter to the core."
Why haven't enterprises already done defense-in-depth? We found six barriers to pushing firewall technology to the port level:
Cost. The cost of adding firewall "brains" to the inside of the network is substantial, especially compared to the continued cost reduction of standard networking switches and routers.
Performance. Firewalls have proven themselves on Internet-speed links, but most enterprises have significantly higher flow rates within the network than towards the Internet. Common tasks such as file sharing and backups would bring a firewall designed for Internet speeds to its knees on a 100 Mbps Ethernet link.
Management. Most firewall vendors have found it challenging to define management in terms of many-to-many relationships. Generally, the three-legged firewall (outside, inside, DMZ) is about as sophisticated as they get, and having multiple firewalls in a single configuration has been a difficult problem to solve elegantly. While some vendors now cleanly handle dozens of ports, extending this to thousands and managing access control dynamically across hundreds of network elements is a challenge.
Policy. Network managers find it easy to define security policy as it relates to the Internet, but find it much more difficult to describe which flows are permitted and which are denied within the organization itself. If you can't define the policy, you can't design a firewall to implement it.
Authentication. Users on the network have traditionally not authenticated themselves at layers 2 and 3; they connect to applications and authenticate at that level. However, for network-layer security, authentication of "who is out there" must be tightly bound to the user.
Binding. As packets flow through a network, it's difficult to assign security policies anywhere but at the extreme edge. The basic unit of access control is usually the user, but packets aren't bound to a particular user. Making a tight binding between a user-based policy and a packet that has an ephemeral IP address is a problem for which there's no standards-based solution.
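As an added illustration of the binding problem (example code written for this page, not from the article), here is a small Python model of an IP-to-user binding table with lease expiry feeding a user-based policy. The addresses, user names, services and lease times are constructed; the point it shows is that once an ephemeral address outlives or changes its binding, a user-based rule can only fail closed or be applied to the wrong user.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed example: ephemeral IP -> authenticated user, valid for a lease time.
# Hypothetical data and API; nothing here comes from the article.

@dataclass
class Binding:
    user: str
    expires_at: int  # lease expiry, seconds since epoch (constructed)

class BindingTable:
    """Maps ephemeral IP addresses to authenticated users for a limited time."""
    def __init__(self) -> None:
        self._by_ip: Dict[str, Binding] = {}

    def bind(self, ip: str, user: str, now: int, ttl: int) -> None:
        # A new binding for the same IP replaces the old one (address reuse).
        self._by_ip[ip] = Binding(user, now + ttl)

    def lookup(self, ip: str, now: int) -> Optional[str]:
        b = self._by_ip.get(ip)
        if b is None or now >= b.expires_at:
            return None  # unknown or stale: the packet is not bound to any user
        return b.user

# User-based policy: which destination services each user may reach (constructed).
POLICY: Dict[str, Set[str]] = {
    "alice": {"fileserver:445", "backup:10000"},
    "bob": {"fileserver:445"},
}

def decide(table: BindingTable, src_ip: str, dst: str, now: int) -> str:
    """Return 'allow' or 'deny' for a packet, failing closed when no user is bound."""
    user = table.lookup(src_ip, now)
    if user is None:
        return "deny"
    return "allow" if dst in POLICY.get(user, set()) else "deny"

def demo() -> List[str]:
    t = BindingTable()
    t.bind("10.0.0.5", "alice", now=0, ttl=3600)
    results = [
        decide(t, "10.0.0.5", "backup:10000", now=10),     # bound to alice -> allow
        decide(t, "10.0.0.5", "backup:10000", now=4000),   # lease expired -> deny
    ]
    t.bind("10.0.0.5", "bob", now=4000, ttl=3600)          # same address, new user
    results.append(decide(t, "10.0.0.5", "backup:10000", now=4100))   # bob -> deny
    results.append(decide(t, "10.0.0.5", "fileserver:445", now=4100)) # bob -> allow
    return results

if __name__ == "__main__":
    print(demo())  # ['allow', 'deny', 'deny', 'allow']
```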
Joel Snyder is a senior partner at Opus One, an IT consulting firm in Tucson, Ariz.
This was first published in June 2003