Reading a recent Techtarget email summary of security content from 2006 pointed me to an excellent paper “Security without firewalls: Sensible or silly?” about the San Diego Supercomputer Center’s “no firewall” approach. It’s a very interesting case study for any security architect. And their track record on security is pretty good, with just one major incident in six years. I also know one other high-profile, but relatively incident-free organisation that manages to cope without perimeter firewalls. So does this mean that firewalls are superfluous? Far from it. Because they’re an extremely useful countermeasure. And one that can – and should be – applied at different levels in an enterprise infrastructure.
The key to achieving the optimal security posture often lies in breaking away from traditional models. Before the age of firewalls, we used hand-crafted approaches to network security architecture. They generated many clunky solutions. But they also inspired many interesting and varied solutions that had to navigate the difficult journey from local connections to open enterprise networks. In the early nineties at Shell, for example, we developed an iterative methodology for enterprise architectures, based on combining the access requirements and controls at the business, application, computer and network levels. The trick was to work top-down and outside-in, progressively defining the policies and controls before translating them into technology.
Unfortunately such methodologies were overtaken by security products. Today we usually start with the corporate firewall and then add point solutions to compensate for deficiencies. Or we look for a federated identity management system that can solve all of our problems. But simple solutions can’t solve rich problems. That requires holistic methodologies. We can aim to harden our applications. But we can’t completely abandon our corporate firewalls given the intrinsic insecurity of many of our legacy systems. We don’t need fewer firewalls, just more imaginative and innovative security architectures.