IT pros say it's certainly possible to achieve solid enterprise security without firewalls, as the San Diego Supercomputer Center (SDSC) has done.
But that doesn't mean they're about to rip the firewalls from their own environments.
At the 2006 USENIX Annual Technical Conference in Boston, Abe Singer, computer security manager for the SDSC's Security Technologies Group, explained that his organization has managed to minimize intrusions through host-based security measures that include a centralized configuration management system; regular and frequent patching; and strong authentication that includes a strict ban on plaintext passwords.
Singer said there's a "horrible truth" about firewalls: they have performance problems, are vulnerable to cascade failures and changing one rule on the network can open up a security hole someplace else. He also said firewalls can't protect organizations from malicious users that may be operating inside the perimeter and that many enterprises put too much faith in their firewalls at the expense of other needed defenses.
Readers generally agreed, including Scott Evans, a technical support professional for an Atlanta-based communication technology company who is also working toward a Bachelor's degree in information security. He said he once worked for a company that used a firewall appliance for VPN connections, authentication and routing. The appliance failed one day, and nobody on either side of the perimeter could access any corporate resources.
Still, most readers said it's still better to have a firewall as part of a layered security program. Nearly 80% of those polled by SearchSecurity.com said a firewall isn't a cure-all, but it's a key part of a multi-layered security program. Only 4% said everyone should use a firewall no matter what, and 16% said top-notch security is possible without one.
"I do think that many people become complacent having a firewall in place," Jeffrey Wilson, operations manager for the Albany, N.Y.-based Times Union newspaper, said in an email exchange. "They think that the firewall is the network security panacea, which of course it is not. It is only one tool of many that should be in place in any well-configured, Internet-facing network."
Wilson said he's a firm believer in the defense-in-depth philosophy, which includes firewalls, intrusion defense systems (IDS), patching, VLAN configuration, proxy servers, antivirus, strong policies and tools to enforce those policies. "Can a network be adequately protected without a firewall?" he asked. "Probably. But then, you could walk from New York to L.A. instead of flying, but why would you?"
Boston-based IT professional Jim Weiler said the no-firewall approach is probably most achievable in smaller environments with fewer than 100 machines, few configurations and few Internet access points. But, he said in an email exchange, firewalls are a "worthwhile addition to" a layered defense in larger environments, especially ecommerce sites. In fact, some companies must have a firewall for the sake of compliance.
"It's a PCI [Payment Card Industry data security standard] requirement, and would be considered due care and common practice, so from a liability reduction viewpoint it is also necessary," said Weiler, who also manages the Boston chapter of the Open Web Application Security Project (OWASP).