Enterprise firewalls too complicated


Today's networks are made up of an outer shell of firewall appliances, which act as a security barrier protecting the inner network but offering limited flexibility.

Behind the firewall sit intrusion detection systems that should capture any security breaches within the network.

The outer security shell has to cope with users and applications that need access to the corporate network. This means firewalls are configured with complex rules and security exceptions to allow valid external network traffic through to the corporate network.

The Jericho Forum believes such a model for network security is increasingly unmanageable. The configuration of firewalls is becoming so complex that users are finding it impossible to secure the network. Furthermore, intrusion detection systems have to analyse all incoming traffic to identify anomalies.

The Jericho Forum is calling for a simpler approach. Under its draft manifesto, networks would not be protected by enterprise firewalls, except where the most valuable data is held. Instead, application firewalls would protect application servers, and intrusion detection systems would monitor whether the application's transactions were anomalous.

Paul Simmonds, global information security director at ICI, said, "As this is not a very complex firewall configuration, it is easy to define and prevent hacking."

Some of the technology already exists. Application firewalls can protect application servers, but Simmonds said they were not yet sophisticated enough. "Network filtering is too general and needs to be far more granular," he said.

Although users are able to buy intrusion detection systems that can check if the application is being targeted by a hacker, Simmonds said, "What is needed is intrusion detection that is tailored to the specific implementation of your application."

ICI is implementing PeopleSoft applications that will be accessed via a secure web link. Simmonds said the firewall will be configured to prevent all network traffic apart from HTTPS (secure web). He wants suppliers to develop intrusion detection systems that operate within the specific implementation of an application, such as at ICI.
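The model described above, as an added illustration (not ICI's, PeopleSoft's or the Jericho Forum's code): a default-deny perimeter that admits only HTTPS to the web front end, paired with transaction-level monitoring inside the application that knows which actions each role may perform and how often. Host names, roles, transaction names and thresholds are assumed for the example.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    proto: str
    dst_port: int
    dst_host: str


WEB_FRONT_END = "apps.example.internal"  # assumed name of the HTTPS front end


def perimeter_allows(flow: Flow) -> bool:
    """The simple perimeter rule: only TCP/443 to the web front end passes."""
    return flow.proto == "tcp" and flow.dst_port == 443 and flow.dst_host == WEB_FRONT_END


# Application-level policy (assumed): transactions each role may perform,
# and per-session thresholds beyond which activity is treated as anomalous.
ROLE_TRANSACTIONS = {
    "employee": {"view_own_payslip", "update_address"},
    "hr_admin": {"view_own_payslip", "update_address", "view_payroll", "change_salary"},
}
SESSION_LIMITS = {"view_payroll": 20, "change_salary": 5}


def anomalous_transactions(events):
    """events: iterable of (user, role, transaction) tuples from the application
    log. Returns a list of (user, transaction, reason) alerts, one per anomaly."""
    alerts = []
    seen = Counter()
    for user, role, tx in events:
        if tx not in ROLE_TRANSACTIONS.get(role, set()):
            alerts.append((user, tx, f"not permitted for role {role}"))
            continue
        seen[(user, tx)] += 1
        limit = SESSION_LIMITS.get(tx)
        if limit is not None and seen[(user, tx)] == limit + 1:
            alerts.append((user, tx, f"exceeded {limit} per session"))
    return alerts


# Constructed sample input: one legitimate flow, one direct database
# connection and one UDP probe; then an employee reaching for payroll data
# and an administrator changing salaries more often than the threshold.
SAMPLE_FLOWS = [Flow("tcp", 443, WEB_FRONT_END),
                Flow("tcp", 1521, "db.example.internal"),
                Flow("udp", 443, WEB_FRONT_END)]
SAMPLE_EVENTS = [("alice", "employee", "view_own_payslip"),
                 ("alice", "employee", "view_payroll")] + \
                [("bob", "hr_admin", "change_salary")] * 6
```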
