Published: 01 Mar 2005
This is probably the most open secret in infosecurity that you don't want your CEO to discover: Ahem...those large, expensive border firewalls with those overpriced managed service contracts really aren't doing much to secure your enterprise. In fact, they are doing little more than inhibiting your business.
Gasp? Don't be so quick to dismiss this notion. Let's examine the facts.
As a security manager, you insist that your business units make connections through the perimeter firewall or a dedicated proxy on the DMZ. You delay projects until you can craft and test firewall rules, making sure they don't conflict with the 200 other rules already in place. And, you degrade throughput and performance for marginal security gains.
Where does all of this get you? Despite perimeter firewalls, enterprises worldwide are struck by worm after worm--Slammer, Blaster, Sasser, MyDoom, etc. Viruses come in via SMTP and POP3 e-mail; spyware, adware, cookies, Trojans and bots self-download over port 80; and P2P and instant messaging apps tunnel through most barriers.
So, let's just get rid of that border firewall and all will be well--right?
Well, let's not be hasty. Firewalls are at least acting as reasonable QoS boundaries, keeping out script-kiddies, DoS attacks and Internet static. Just don't kid yourself into thinking they are doing much more. As we move toward encryption--with HTTPS on Web sites, SSL VPNs, SMTP/TLS and IPSec--our borders become less effective. The issue is known as de-perimeterization.
We've heard it all before: The enterprise perimeter is dissolving under the tidal wave of Web services, mobile computing and Web-based applications. De-perimeterization is due to more than just porous border firewalls; it's about the obsolescence of the hard perimeter concept in the face of rapidly evolving business needs.
But could your business operate directly on the Internet without the crunchy perimeter shell? I do it every day; my corporate laptop, with Lotus Notes and 8 GB of replicated corporate databases, regularly connects to hotel Ethernets and public wireless access points. My security controls include a personal firewall, AV, an IPSec VPN, a token and hard disk encryption. If it works for me and the other 5,000 laptop-carrying executives in my organization, why shouldn't it work for everyone?
Take this thinking to its next logical step: servers that accept only secure, encrypted and authenticated connections, and laptops that can connect only in the same manner. Operating both directly on the open Internet without firewalls then becomes feasible. Throw in federated identities and an inherently secure computing environment, and science fiction becomes science fact.
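What "a server that accepts only encrypted, authenticated connections" looks like as host-level policy, as an added example that is not code from the original column: a default-deny rule table, a decision function run over constructed connection records that mirror the vectors named above (port 80 self-downloads, cleartext SMTP/POP3, P2P), and a TLS server context built with Python's standard `ssl` module that refuses clients without a certificate. The service names, the sample records and the certificate file names in the comments are assumptions made for the illustration.

```python
"""Host-level default-deny policy for a server living directly on the
Internet: only encrypted, peer-authenticated connections are admitted.
Added example; not from the original column. Service table, sample
connection records and file names are constructed for illustration."""
from __future__ import annotations

import ssl
from dataclasses import dataclass
from typing import Tuple

# Services this host is willing to expose, keyed by (protocol, port).
# Anything not listed is refused outright; listed services still have to
# arrive over a protected transport from an authenticated peer.
ALLOWED_SERVICES = {
    ("tcp", 443): "https-mutual-tls",   # HTTPS with client certificates
    ("udp", 4500): "ipsec-nat-t",       # ESP-in-UDP after IKE authentication
}


@dataclass(frozen=True)
class Connection:
    """One inbound connection attempt as the host's own stack sees it."""
    src: str
    proto: str               # "tcp" or "udp"
    dport: int
    encrypted: bool          # transport protection negotiated (TLS or ESP)
    peer_authenticated: bool  # peer proved identity (client cert / IKE auth)


def decide(conn: Connection) -> Tuple[str, str]:
    """Return ("allow"|"deny", reason). Default is deny."""
    service = ALLOWED_SERVICES.get((conn.proto, conn.dport))
    if service is None:
        return "deny", f"no exposed service on {conn.proto}/{conn.dport}"
    if not conn.encrypted:
        return "deny", f"{service} requires an encrypted transport"
    if not conn.peer_authenticated:
        return "deny", f"{service} requires peer authentication"
    return "allow", service


def build_server_context() -> ssl.SSLContext:
    """TLS server context that will not complete a handshake without a
    client certificate, and will not fall back below TLS 1.2."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED  # client must present a cert we can chain
    # In deployment you would also load key material (assumed file names):
    #   ctx.load_cert_chain("server.pem")
    #   ctx.load_verify_locations("client-ca.pem")
    return ctx


# Constructed sample of connection attempts, mirroring the column's examples.
SAMPLE_CONNECTIONS = [
    Connection("203.0.113.7", "tcp", 80, False, False),    # adware self-download
    Connection("203.0.113.8", "tcp", 25, False, False),    # cleartext SMTP
    Connection("203.0.113.9", "tcp", 110, False, False),   # cleartext POP3
    Connection("203.0.113.10", "tcp", 6881, False, False), # P2P tunnel attempt
    Connection("198.51.100.4", "tcp", 443, True, False),   # TLS, no client cert
    Connection("198.51.100.5", "tcp", 443, True, True),    # mutual TLS
    Connection("198.51.100.6", "udp", 4500, True, True),   # authenticated IPsec
]


def audit(conns=SAMPLE_CONNECTIONS) -> dict:
    """Summarise decisions; only the mutually authenticated peers get in."""
    results = {(c.src, c.proto, c.dport): decide(c)[0] for c in conns}
    return results


if __name__ == "__main__":
    for key, verdict in audit().items():
        print(key, verdict)
    ctx = build_server_context()
    print("client cert required:", ctx.verify_mode == ssl.CERT_REQUIRED)
```

The point of the table is that the host, not a distant border device, decides what it will talk to, and it decides on properties the border cannot see once traffic is encrypted: was the transport protected, and did the peer prove who it is.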
Can you do this today? Some of it, but not enough for enterprises to actually throw away border firewalls. But remember, what you will be purchasing in three years is in R&D labs now. If we don't articulate today what we want for tomorrow's secure computing, we'll be forced to consume more of the same, with no one to blame but ourselves.