Company firewalls may be replaced with local security to protect key networks

The Royal Mail has led several FTSE 100 companies in calling for a new security standard so that firms can trade with their suppliers without fear of hacker attacks.

When the police put a "ring of steel" around Tony Blair and US president George W Bush last week they were doing what IT security experts have been practising for years.

Putting a perimeter defence around an IT system is textbook practice, but some experts want to break with tradition by doing away with the perimeter and creating a series of smaller security "islands".

The process has been seen by customers, consultancies and suppliers as a means of coping with more fluid networks as wireless devices become commonplace and supply chain integration becomes a reality. The result could be a network that is more outside the firewall than inside, reaching right to the application server's network jack.

Hacker attacks are becoming increasingly varied, making them difficult to defeat by blocking network ports. Instead of applying a single bubble of security around your organisation's IT infrastructure using edge-based firewalls, it is possible to focus on just the critical parts of a datacentre, or the "crown jewels", said Ollie Whitehouse, managing security architect at security consultancy @Stake.

"Every business unit identifies what these data components are and then provides mechanisms such as additional firewalls, host-based intrusion detection systems and anti-virus tools," Whitehouse said. Think of the original security bubble shrinking until it becomes a film coating individual IT resources within your business.

Consultants such as Whitehouse believe that compartmentalising security and applying it to individual resources and business units makes it harder for hackers to gain widespread access to an organisation's system by exploiting single loopholes.

However, industry veterans have scoffed at this idea, which has been promoted by executives at virtual private network suppliers such as Aventail.

Ovum analyst Graham Titterington argued that applying security close to your key resources has also been recommended as best practice by security experts for years, but that few companies do it consistently.

Some firms are, however, moving in that direction. The approach taken at BP is known as "radical externalisation". Paul Dorey, director of digital security at BP, said, "Radical externalisation places the clients onto the internet, they have their own firewalls and security measures and use automated patching technologies.

"Systemic risk within the corporate network is reduced and, by not devoting so much time to network protection, more effort can be focused on strengthening security around applications and servers," he said.

David Lacey, director of security and risk management at the Royal Mail Group, was convinced there are new drivers and new technologies supporting "deperimeterisation".

Lacey, who claimed to have coined the term and is a keen advocate of the technique in his own company, spoke at an RSA conference earlier this month in a bid to persuade other organisations to move towards the model.

Business-to-business integration using web services and other communication techniques is a key driver for organisations to move security away from the perimeter, he said. The more people you want to work with, the less a single ring of security makes sense.

"We are talking about an extended enterprise model which would work with our partners as well as ourselves," he said. "We go out to partners and customers and we have to wrap security around those communications and transactions."

Lacey described how individual systems would be protected to make it easier for different parts of a company to open up to business partners. He likened a business where security has been moved from the perimeter to a bank cash machine; the machine is "soft" on the outside and is made of easily breakable plastic; it provides a functional interface for customers. But underneath the external interface, it has been hardened to protect the money it holds. This means that any authorised person can interact with it in predefined ways, but few people, if any, can penetrate it.

Supply chain-led moves to break up the security cordon will be built on several technologies, Lacey said, such as virtual private networks. Digital certificates would be critical for identification, along with federated identity systems supporting specifications from groups such as the Liberty Alliance.

Lacey argued that the edge-based firewall will probably disappear. Whitehouse disagreed. "There is still a requirement for edge-level authentication," he said. "You still have virtual private networks, but you are not solely reliant on them."

One critical technology that Lacey did not mention is the application-level firewall, said Titterington. This is an outer shell tailored for a single application that scans network traffic at content level, looking for items such as malicious user data. Security supplier Internet Security Systems is moving towards this model with its gateway systems.

Johann Beckers, European regional director of technology solutions at ISS, believed that today's firewalls will become irrelevant because port-based monitoring cannot catch all threats. Instead, new devices will scan data at a content level.
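The two filtering models contrasted here, and Lacey's cash-machine picture of a system that can be used only "in predefined ways", can be put side by side in code. The following is an added illustration, not code from the article, ISS or Royal Mail: a port-based rule that admits everything arriving on the web port, beside an application-level rule set tailored to one hypothetical application with two endpoints (`/login` and `/track`, assumed for the demo). The application filter uses a positive model, accepting only a known endpoint, method and set of fields whose content matches a per-field pattern, so malicious user data in an otherwise ordinary web request is refused even though a port filter would pass it. The sample requests, field names and tracking-number format are constructed for the example.

```python
"""Added example, not from the article: port-based filtering beside a
content-level filter tailored to one (hypothetical) application."""
import re
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal view of a request after parsing; fields are already decoded."""
    dst_port: int
    method: str
    path: str
    form: dict = field(default_factory=dict)


def port_filter(req: Request, allowed_ports=(443,)) -> bool:
    """Classic edge rule: permit anything whose destination port is on the list.
    It cannot see what is inside the request."""
    return req.dst_port in allowed_ports


# Positive model for one assumed application: each endpoint lists the single
# permitted method and the exact fields it accepts, with a content pattern for
# every field. Anything not described here is refused.
APP_POLICY = {
    "/login": {
        "method": "POST",
        "fields": {
            "user": re.compile(r"[a-z0-9_]{1,32}"),
            "pass": re.compile(r"[\x20-\x7e]{8,128}"),
        },
    },
    "/track": {
        "method": "GET",
        # Constructed tracking-number shape: two letters, nine digits, "GB".
        "fields": {"id": re.compile(r"[A-Z]{2}[0-9]{9}GB")},
    },
}


def app_filter(req: Request, policy=APP_POLICY) -> tuple[bool, str]:
    """Content-level decision: (allowed, reason). Checks endpoint, method,
    field set and each field's content against the policy for this app."""
    rule = policy.get(req.path)
    if rule is None:
        return False, "unknown endpoint"
    if req.method != rule["method"]:
        return False, "method not allowed for endpoint"
    unexpected = sorted(set(req.form) - set(rule["fields"]))
    if unexpected:
        return False, f"unexpected field(s): {unexpected}"
    for name, pattern in rule["fields"].items():
        value = req.form.get(name)
        if value is None:
            return False, f"missing field: {name}"
        if not pattern.fullmatch(value):
            return False, f"field {name} fails content check"
    return True, "ok"


# Constructed sample traffic. All but the last arrive on the web port, so the
# port filter passes them; only the content filter tells them apart.
SAMPLES = [
    Request(443, "POST", "/login", {"user": "alice", "pass": "correct horse"}),
    Request(443, "POST", "/login", {"user": "admin'--", "pass": "x' OR '1'='1"}),
    Request(443, "GET", "/track", {"id": "RB123456789GB"}),
    Request(443, "GET", "/admin"),
    Request(443, "POST", "/login",
            {"user": "alice", "pass": "correct horse", "debug": "1"}),
    Request(23, "POST", "/login", {"user": "alice", "pass": "correct horse"}),
]


def evaluate(reqs=SAMPLES) -> list[tuple[bool, bool]]:
    """Run both filters over each request: (port verdict, content verdict)."""
    return [(port_filter(r), app_filter(r)[0]) for r in reqs]


if __name__ == "__main__":
    for r, (by_port, by_app) in zip(SAMPLES, evaluate()):
        print(f"{r.method:4} {r.path:7} port={r.dst_port:<3} "
              f"port_filter={by_port!s:5} app_filter={by_app!s:5} "
              f"({app_filter(r)[1]})")
```

The last sample shows why the two are complementary rather than substitutes: the content rules accept a well-formed login that arrived on the wrong port, so the port filter is still needed beneath the application shell, which is close to Whitehouse's point that edge-level controls remain even if one stops relying on them alone.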

ISS has launched its Proventia series of gateway appliances, which complement traditional firewall functions with intrusion detection systems and content scanning. Over time, it will move from a gateway-based model to desktop and server-focused protection, echoing Lacey's deperimeterisation model.

What Lacey described is the move to a service-oriented architecture where services formed from applications speak to each other using common protocols, treating one another as "black boxes".

Services do not need to know how other services work, as long as they deliver data via a predefined interface. Microsoft heavily emphasised this approach as it moves to the next generation of the Windows systems with Longhorn. Its chief technical officer, Craig Mundie, said the idea of boundaries and trust relationships will be central to this model.

The problem, according to Gartner analyst John Pescatore, is that some of the technologies underpinning this new model have failed at business level. Identity management is vital to business integration, he said, but digital certificates have fallen flat because certification authorities either have not been trusted (as when VeriSign inadvertently gave someone a Microsoft certificate in January 2001) or are not universally accepted. Federated identity has failed to materialise because plans are too ambitious.

Vast networks of companies spanning different business sectors managing relationships with one another to authenticate one another's customers are not viable, Pescatore said.

Lacey calls for common business security standards that will help companies to manage security policies themselves. He proposed an industry-independent standard which would enable companies to classify end-users from a security perspective.

Pescatore argued that such classifications would only work in small groups of businesses with a common interest, and that the same goes for federated identity systems. But although he eschewed a one-size-fits-all approach to security in favour of tailored, localised tools, his world view and Lacey's are not a million miles apart.
