Sunday, June 24, 2007

Changing the Firewall Paradigm

This article in eWeek got me to thinking a little about the venerable Firewall, staple of modern internet security. The technology was originally developed in the early days of the internet, a time when collaboration and communication between organizations was vastly different.

Back then, you were as liable to use BITNET as ftp or talk for file transfer or communications. At that time the internet was more open in its architecture. Systems within an organization were all accessible from the internet. The move to firewall technology sought to hide organizations’ computing assets behind a gateway.

But the talk of eroding network boundaries has been going on for years now. We have telecommuters, road warriors, B2B connectivity, and Services Oriented Architecture essentially creating dozens of backdoors into an organization’s networks, not to mention internet-facing applications with backend systems on internal networks. Enterprises benefit from more connectivity and collaboration. How do we do that without sacrificing security?

Firewalls aren’t going anywhere. It still makes sense to filter incoming and outgoing internet traffic. But the shift towards endpoint security is bound to continue, and I hope the result is that firewalls won’t always be perceived as the main mechanism for reducing risk. It’s not that simple anymore. It hasn’t been for years.

I’ve often wondered if firewalls, in some sense, create a false sense of security. Immature organizations make the mistake of ignoring host security and internal security threats because the firewall supposedly fixes everything.

A little thought experiment: if firewalls weren’t an available technology, wouldn’t organizations have to enact better endpoint security? That could include implementing better host security for desktops and servers, better application endpoint security such as agents that intercept and enforce security for web applications or web services, or improved development practices that reduce the vulnerabilities in deployed applications. Seems to me companies should already be doing these things.

It’s probably still safe to say a lot of attacks come from the big-I cloud, and so, for now, the internet firewall is still a key feature of enterprise security architectures. But even if fewer attacks come from other sources such as telecommuter workstations, business partner networks, or intranet users, the damage potential, and thus the risk, may be far greater than that of generic internet-based attacks. Could it be that in some cases it makes sense to focus as much or more on endpoint and internal security as on so-called perimeter, aka firewall, security? I think so.

If you’re already doing good, careful, intelligent risk analysis as part of a holistic, enterprise-level process of information security risk management, you already know this and you apply your controls where they’re most needed. Otherwise you’re probably spending too much security money in the wrong place and not getting much risk reduction out of it.