News Stay informed about the latest enterprise technology news and product updates.

Firewall-free security doable, but not ideal

IT pros say organizations have put too much faith in firewalls at the expense of other needed security programs, but they're still a key part of a layered defense.

IT pros say it's certainly possible to achieve solid enterprise security without firewalls, as the San Diego Supercomputer Center (SDSC) has done.

But that doesn't mean they're about to rip the firewalls from their own environments.

Can a network be adequately protected without a firewall? Probably. But then, you could walk from New York to L.A. instead of flying, but why would you?
Jeffrey Wilson,
Their comments come in response to a story Monday about how the SDSC has suffered only one security breach in a period of almost six years, even though the organization doesn't use firewalls.

At the 2006 USENIX Annual Technical Conference in Boston, Abe Singer, computer security manager for the SDSC's Security Technologies Group, explained that his organization has managed to minimize intrusions through host-based security measures that include a centralized configuration management system; regular and frequent patching; and strong authentication that includes a strict ban on plaintext passwords.

Singer said there's a "horrible truth" about firewalls: they have performance problems, are vulnerable to cascade failures and changing one rule on the network can open up a security hole someplace else. He also said firewalls can't protect organizations from malicious users that may be operating inside the perimeter and that many enterprises put too much faith in their firewalls at the expense of other needed defenses.

Readers generally agreed, including Scott Evans, a technical support professional for an Atlanta-based communication technology company who is also working toward a Bachelor's degree in information security. He said he once worked for a company that used a firewall appliance for VPN connections, authentication and routing. The appliance failed one day, and nobody on either side of the perimeter could access any corporate resources.

More on firewalls

Security without firewalls: Sensible or silly?

The pros and cons of proxy firewalls


Web application firewalls create breathing room

"This is an example of the company relying solely on the firewall for protection," he said in an email exchange. In his opinion, companies must also rely on a strong security policy that identifies protection requirements for the most important assets; centralizes management of hosts and authentication methods; and emphasizes end-user education.

Still, most readers said it's still better to have a firewall as part of a layered security program. Nearly 80% of those polled by said a firewall isn't a cure-all, but it's a key part of a multi-layered security program. Only 4% said everyone should use a firewall no matter what, and 16% said top-notch security is possible without one.

"I do think that many people become complacent having a firewall in place," Jeffrey Wilson, operations manager for the Albany, N.Y.-based Times Union newspaper, said in an email exchange. "They think that the firewall is the network security panacea, which of course it is not. It is only one tool of many that should be in place in any well-configured, Internet-facing network."

Wilson said he's a firm believer in the defense-in-depth philosophy, which includes firewalls, intrusion defense systems (IDS), patching, VLAN configuration, proxy servers, antivirus, strong policies and tools to enforce those policies. "Can a network be adequately protected without a firewall?" he asked. "Probably. But then, you could walk from New York to L.A. instead of flying, but why would you?"

Boston-based IT professional Jim Weiler said the no-firewall approach is probably most achievable in smaller environments with fewer than 100 machines, few configurations and few Internet access points. But, he said in an email exchange, firewalls are a "worthwhile addition to" a layered defense in larger environments, especially ecommerce sites. In fact, some companies must have a firewall for the sake of compliance.

"It's a PCI [Payment Card Industry data security standard] requirement, and would be considered due care and common practice, so from a liability reduction viewpoint it is also necessary," said Weiler, who also manages the Boston chapter of the Open Web Application Security Project (OWASP).

Dig Deeper on Network device security: Appliances, firewalls and switches

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.