This story appeared on Network World at http://www.networkworld.com/columnists/2007/bradner92407.html
Crustacean security still gets in real security's way
'Net Insider
By Scott Bradner, Network World, 09/24/07
I've been writing columns about the folly of placing most of the corporate security effort into perimeter firewalls for more than a decade. (See "Installing Complacency," "But will they pay attention this time?" and "Crustacean security.")
I can't say that my opinion has always been warmly received. After one presentation at an industry forum, I was accused of being an ivory-tower academic who did not have the faintest idea of the realities of corporate networks. I certainly was not alone in my view of perimeter firewalls, but most folks -- from auditors to security textbook authors -- strongly believed in some kind of perimeter-firewall panacea. But things may be starting to change.
Just to be clear, I do not think you should turn off all of your firewalls. I just think you should stop pretending that all of your fellow workers are perfect in their Internet habits and are thrilled with their pay and working environment. Exclusive reliance on a perimeter firewall gives you crustacean security -- security with a hard outer shell, which when (not if) penetrated offers up a tender and easy-to-pick inside.
Surfing to the wrong Web site, opening the wrong attachment or installing the wrong software can crack the shell, as can disgruntled employees. Firewalls close to the resources, such as servers, can be an effective way to protect the resources (as long as the firewalls filter outbound as well as inbound traffic).
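As an added illustration (this ruleset is not from the column and not from any vendor or project it mentions), here is what a firewall "close to the resource" looks like on a single Linux web server using nftables. The inbound chain admits only the service the server exists to provide plus management access; the outbound chain is the part that is usually missing, and it is what turns a compromised server into a noisy one rather than a quiet pivot. All addresses, subnets and the backend port are placeholders chosen for the example.

```nft
#!/usr/sbin/nft -f
# Added example: host firewall for one web server, filtering both directions.
# All addresses below are placeholders for this example.
flush ruleset

table inet server_fw {
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop
        # ICMP is needed for path MTU discovery and basic diagnostics
        meta l4proto { icmp, ipv6-icmp } accept
        # SSH only from the management subnet (placeholder)
        ip saddr 10.0.100.0/24 tcp dport 22 accept
        # The one service this host is there to provide
        tcp dport { 80, 443 } accept
        log prefix "fw-in-drop: " drop
    }

    # Weak variant, for contrast: "policy accept;" here with no rules, which
    # lets anything running on the server reach any host on any port.
    chain output {
        type filter hook output priority 0; policy drop;
        oifname "lo" accept
        ct state established,related accept
        ct state invalid drop
        meta l4proto { icmp, ipv6-icmp } accept
        # DNS only to the internal resolvers (placeholders)
        ip daddr { 10.0.0.53, 10.0.1.53 } udp dport 53 accept
        ip daddr { 10.0.0.53, 10.0.1.53 } tcp dport 53 accept
        # NTP only to the internal time source (placeholder)
        ip daddr 10.0.0.123 udp dport 123 accept
        # Package updates only via the internal mirror (placeholder)
        ip daddr 10.0.0.80 tcp dport { 80, 443 } accept
        # The application's backend database (placeholder host and port)
        ip daddr 10.0.2.10 tcp dport 5432 accept
        # Everything else is logged before being dropped: an unexpected
        # "fw-out-drop" entry is the detection signal egress filtering buys you
        log prefix "fw-out-drop: " drop
    }
}
```

Load it with `nft -f` from a console rather than over SSH the first time, since a mistake in the input chain locks you out. The logged outbound drops are worth shipping to whatever collects the server's logs: a web server that suddenly tries to talk to an unknown host on port 443, or to anything on port 25, has either a misconfiguration or a problem the perimeter firewall would never have shown you.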
The Jericho Forum, a loose affiliation of interested corporate CISOs affiliated with the Open Group, has been making news of late advocating going further than I have argued for in putting firewalls in their place. They also have a cute new term for it: deperimeterization. The Jericho Forum developed a set of security "commandments" that do a good job of covering what many people, including me, would consider an enlightened view of security in depth.
The forum recently held an event within the InfoSecurity East conference in New York that included a presentation by Bill Cheswick (more presentations here). A word to the wise: whenever you can find a copy of anything by Cheswick, read it! It will be well worth your time.
The forum's basic point is not the one I've been focused on in the past, but it is a good one. They point out that a simple perimeter firewall approach is not a good match for today's business environment, which can require many interconnections with other organizations that result in tunnels through the firewalls, tunnels that can render the perimeter ones almost useless. See IETF RFC 3093 "Firewall Enhancement Protocol" for one way to do this (please be sure to notice the publication date, April 1, 2001).
I like the path that the Jericho Forum is exploring. I do not expect most corporations will fully embrace it anytime soon (see Cheswick's discussion of Microsoft operating systems for one very good reason). But just about all corporations would benefit from a serious review of what they call security in light of the Jericho Forum's work.
Disclaimer: Harvard, like most big research universities, does not have a clear perimeter, so it had not fallen for the perimeter-is-all-you-need myth. That said, the university has not expressed any opinion on the richness of the Jericho Forum path, so the above is my own shot.
All contents copyright 1995-2007 Network World, Inc. http://www.networkworld.com