
Firewall-free security doable, but not ideal

By Bill Brenner, Senior News Writer
12 Jun 2006 | SearchSecurity.com


IT pros say it's certainly possible to achieve solid enterprise security without firewalls, as the San Diego Supercomputer Center (SDSC) has done.

But that doesn't mean they're about to rip the firewalls from their own environments.

Their comments come in response to a SearchSecurity.com story Monday about how the SDSC has suffered only one security breach in a period of almost six years, even though the organization doesn't use firewalls.

At the 2006 USENIX Annual Technical Conference in Boston, Abe Singer, computer security manager for the SDSC's Security Technologies Group, explained that his organization has managed to minimize intrusions through host-based security measures that include a centralized configuration management system; regular and frequent patching; and strong authentication that includes a strict ban on plaintext passwords.

Singer said there's a "horrible truth" about firewalls: they have performance problems, are vulnerable to cascade failures and changing one rule on the network can open up a security hole someplace else. He also said firewalls can't protect organizations from malicious users that may be operating inside the perimeter and that many enterprises put too much faith in their firewalls at the expense of other needed defenses.

Readers generally agreed, including Scott Evans, a technical support professional for an Atlanta-based communication technology company who is also working toward a Bachelor's degree in information security. He said he once worked for a company that used a firewall appliance for VPN connections, authentication and routing. The appliance failed one day, and nobody on either side of the perimeter could access any corporate resources.

"This is an example of the company relying solely on the firewall for protection," he said in an email exchange. In his opinion, companies must also rely on a strong security policy that identifies protection requirements for the most important assets; centralizes management of hosts and authentication methods; and emphasizes end-user education.

Still, most readers said it's better to have a firewall as part of a layered security program. Nearly 80% of those polled by SearchSecurity.com said a firewall isn't a cure-all, but it's a key part of a multi-layered security program. Only 4% said everyone should use a firewall no matter what, and 16% said top-notch security is possible without one.

"I do think that many people become complacent having a firewall in place," Jeffrey Wilson, operations manager for the Albany, N.Y.-based Times Union newspaper, said in an email exchange. "They think that the firewall is the network security panacea, which of course it is not. It is only one tool of many that should be in place in any well-configured, Internet-facing network."

Wilson said he's a firm believer in the defense-in-depth philosophy, which includes firewalls, intrusion defense systems (IDS), patching, VLAN configuration, proxy servers, antivirus, strong policies and tools to enforce those policies. "Can a network be adequately protected without a firewall?" he asked. "Probably. But then, you could walk from New York to L.A. instead of flying, but why would you?"

Boston-based IT professional Jim Weiler said the no-firewall approach is probably most achievable in smaller environments with fewer than 100 machines, few configurations and few Internet access points. But, he said in an email exchange, firewalls are a "worthwhile addition to" a layered defense in larger environments, especially ecommerce sites. In fact, some companies must have a firewall for the sake of compliance.

"It's a PCI [Payment Card Industry data security standard] requirement, and would be considered due care and common practice, so from a liability reduction viewpoint it is also necessary," said Weiler, who also manages the Boston chapter of the Open Web Application Security Project (OWASP).
