Who Needs Firewalls?

Reading a recent TechTarget email summary of security content from 2006 pointed me to an excellent paper, “Security without firewalls: Sensible or silly?”, about the San Diego Supercomputer Center’s “no firewall” approach. It is a very interesting case study for any security architect, and their track record on security is pretty good: just one major incident in six years. I also know one other high-profile, relatively incident-free organisation that manages to cope without perimeter firewalls. So does this mean that firewalls are superfluous? Far from it. They are an extremely useful countermeasure, and one that can, and should, be applied at several different levels of an enterprise infrastructure rather than only at the perimeter.

The key to achieving the optimal security posture often lies in breaking away from traditional models. Before the age of firewalls, we used hand-crafted approaches to network security architecture. They generated many clunky solutions, but they also inspired many interesting and varied solutions that had to navigate the difficult journey from local connections to open enterprise networks. In the early nineties at Shell, for example, we developed an iterative methodology for enterprise architectures, based on combining the access requirements and controls at the business, application, computer and network levels. The trick was to work top-down and outside-in, progressively defining the policies and controls before translating them into technology.

Unfortunately such methodologies were overtaken by security products. Today we usually start with the corporate firewall and then add point solutions to compensate for its deficiencies. Or we look for a federated identity management system that can solve all of our problems. But simple solutions can’t solve rich problems; that requires holistic methodologies. We can aim to harden our applications, but we can’t completely abandon our corporate firewalls given the intrinsic insecurity of many of our legacy systems. We don’t need fewer firewalls, just more imaginative and innovative security architectures.
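To make the “controls at several levels” idea concrete, here is an added example (it is not from the original post, and it is not Shell’s or SDSC’s method). It works outside-in: a list of business-level access requirements (which zone may reach which application) is translated into a perimeter rule set and, for every host that can run its own packet filter, a host-level rule set. A connection is allowed only if every layer in its path allows it, with default deny and first-match evaluation at each layer. It also lists the hosts that depend on the perimeter alone, which is the legacy-system problem the paragraph above describes. All zones, addresses, applications and requirements are constructed sample data.

```python
"""Layered firewall policy derived from business-level access requirements.

Added example, not from the original post. Zones, applications, hosts and
requirements below are constructed sample data for illustration only.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# Constructed sample data: network zones that appear in access requirements.
ZONES = {
    "hq-lan": ip_network("10.1.0.0/16"),
    "branch": ip_network("10.2.0.0/16"),
    "internet": ip_network("0.0.0.0/0"),
}

# application -> (host address, TCP port, host can run its own packet filter)
APPLICATIONS = {
    "payroll": (ip_address("10.10.0.5"), 443, True),
    "mainframe-gw": (ip_address("10.10.0.9"), 23, False),  # legacy box, no host filter
    "webmail": (ip_address("10.10.1.20"), 443, True),
}

# Business-level requirements: (subject zone, application). Constructed.
REQUIREMENTS = [
    ("hq-lan", "payroll"),
    ("hq-lan", "mainframe-gw"),
    ("branch", "webmail"),
    ("internet", "webmail"),
]


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    port: int
    action: str  # "allow" or "deny"

    def matches(self, src: IPv4Address, dst: IPv4Address, port: int) -> bool:
        return src in self.src and dst in self.dst and port == self.port


def derive_layers(requirements):
    """Translate requirements into per-layer rule sets, outside-in.

    Returns {"perimeter": [...], "host:<ip>": [...]}. Only allow rules are
    generated; anything unmatched falls through to the implicit deny in
    evaluate(). Hosts that cannot filter locally get no host layer at all.
    """
    layers = {"perimeter": []}
    for zone, app in requirements:
        host, port, has_host_fw = APPLICATIONS[app]
        rule = Rule(ZONES[zone], ip_network(f"{host}/32"), port, "allow")
        layers["perimeter"].append(rule)
        if has_host_fw:
            layers.setdefault(f"host:{host}", []).append(rule)
    return layers


def evaluate(rules, src, dst, port):
    """First matching rule decides; no match means deny."""
    for rule in rules:
        if rule.matches(src, dst, port):
            return rule.action
    return "deny"


def check_access(layers, src, dst, port):
    """Return (decision, deciding_layer) for one connection attempt.

    Every layer in the path must allow the connection. If no layer applies
    to the destination (for example the perimeter has been removed and the
    host has no local filter), the traffic is simply unfiltered.
    """
    src, dst = ip_address(src), ip_address(dst)
    names = [n for n in ("perimeter", f"host:{dst}") if n in layers]
    if not names:
        return ("allow", "unfiltered")
    for name in names:
        if evaluate(layers[name], src, dst, port) == "deny":
            return ("deny", name)
    return ("allow", names[-1])


def perimeter_only_hosts(layers):
    """Hosts reachable through the perimeter that have no host-level filter."""
    protected = {name.split(":", 1)[1] for name in layers if name.startswith("host:")}
    exposed = {str(r.dst.network_address) for r in layers.get("perimeter", [])}
    return sorted(exposed - protected)


if __name__ == "__main__":
    layers = derive_layers(REQUIREMENTS)
    print("branch -> payroll:", check_access(layers, "10.2.0.7", "10.10.0.5", 443))
    print("hq -> payroll:", check_access(layers, "10.1.5.5", "10.10.0.5", 443))
    print("perimeter-only hosts:", perimeter_only_hosts(layers))
    no_perimeter = {k: v for k, v in layers.items() if k != "perimeter"}
    print("no perimeter, branch -> mainframe:",
          check_access(no_perimeter, "10.2.0.7", "10.10.0.9", 23))
```

Dropping the `perimeter` layer, as the SDSC approach does, leaves the hosts with their own filters exactly as protected as before, but the legacy `mainframe-gw` host becomes unfiltered; `perimeter_only_hosts()` is the check that tells you which systems make the corporate firewall impossible to retire.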

1 comment

David - I have a few comments on the blog entries which I have found quite interesting to date. The debate on firewalls will continue to rage for a long time yet. The move towards customer demand for "clean pipes" (where the network providers eradicate malfeasant software and clean the network traffic for you) will continue to put pressure on network providers and technologists to provide smarter, cleaner solutions for customers. However, there is a long way to go. The need for a body such as the IISP has been apparent for some time. It has taken rather longer than I would have hoped to get momentum, but recent initiatives announced by the IISP seem quite reasonable and appropriate. There have been a number of presentations in the UK from members, which sadly I wasn't able to attend, but I understand they were well attended and received. Regarding the threats in 2007, I think we should also include Infosec Fatigue, whereby the industry loses some credibility due to non-events - we are just too good at what we do and budgets will be squeezed and protection will be compromised by the accountants.