The following text is copyright 2007 by Network World; permission is hereby given for reproduction, as long as attribution is given and this notice is included.
Crustacean security still gets in the way of real security
By: Scott Bradner
I've been writing columns about the folly of placing most of the corporate security effort into perimeter firewalls for more than a decade. (See "Installing Complacency" - http://www.sobco.com/nww/1996/bradner-1996-09-16.html, "But will they pay attention this time?" - http://www.sobco.com/nww/1997/bradner-1997-01-27.html, and "Crustacean security" - http://www.sobco.com/nww/2002/bradner-2002-02-11.html)
I can't say that my opinion has always been warmly received. After one presentation at an industry forum I was accused of being an ivory tower academic who did not have the faintest idea of the realities of corporate networks. I certainly was not alone in my view of perimeter firewalls, but most folks, from auditors to security textbook authors, strongly believed in some kind of perimeter firewall panacea. But things may be starting to change.
Just to be clear, I do not think you should turn off all of your firewalls. I just think you should stop pretending that all of your fellow workers are perfect in their Internet habits and are thrilled with their pay and working environment. Exclusive reliance on a perimeter firewall gives you crustacean security - security with a hard outer shell which, when (not if) penetrated, offers up a tender and easy-to-pick inside. Surfing to the wrong web site, opening the wrong attachment or installing the wrong software can crack the shell, as can disgruntled employees.
Firewalls close to the resources, such as servers, can be an effective way to protect the resources (as long as the firewalls filter outbound as well as inbound traffic).
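As an added illustration of that point (not from the column), here is a hypothetical nftables host firewall for a single web server: both the input and the output chain default to drop, so a compromised host that gets through the hard shell still cannot reach anything it was not explicitly allowed to. The service ports, the admin network and the dependency addresses are assumptions for the example.

```nftables
#!/usr/sbin/nft -f
# Hypothetical host firewall for one web server (added example, not the column's own).
# Inbound AND outbound are default-drop; egress is limited to named dependencies.
flush ruleset

table inet host_fw {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback and replies to connections this host already has.
        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Only the service this host actually provides.
        tcp dport { 80, 443 } accept

        # Management only from the assumed admin network.
        ip saddr 10.0.50.0/24 tcp dport 22 accept

        # Everything else: rate-limited log, then the chain policy drops it.
        limit rate 5/minute log prefix "host_fw in-drop: "
    }

    chain output {
        type filter hook output priority 0; policy drop;

        oifname "lo" accept
        ct state established,related accept

        # Egress only to the dependencies this server needs (assumed addresses).
        ip daddr 10.0.10.53 udp dport 53 accept      # internal DNS resolver
        ip daddr 10.0.20.0/24 tcp dport 5432 accept  # database tier
        ip daddr 10.0.10.123 udp dport 123 accept    # NTP

        # Any other outbound attempt is a signal worth keeping: log it, then drop.
        limit rate 5/minute log prefix "host_fw out-drop: "
    }
}
```

The "out-drop" log lines are the useful part for detection: a server that suddenly tries to reach addresses outside its dependency list is exactly the cracked-shell case the column describes.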
The Jericho Forum (http://www.opengroup.org/jericho/), "a loose affiliation of interested corporate CISOs" affiliated with the Open Group (http://www.opengroup.org), has been making news of late advocating going further than I have argued for in putting firewalls in their place. They also have a cute new term for it: de-perimeterization. The Jericho Forum developed a set of security "commandments" (http://www.opengroup.org/jericho/commandments_v1.1.pdf) that do a good job of covering what many people, including me, would consider an enlightened view of security in depth. The Forum recently held a conference within the ISC (InfoSecurity) East conference in New York. The presentations from that and previous Jericho Forum conferences can be found at http://www.opengroup.org/jericho/presentations.htm. The conference included a presentation by Bill Cheswick. A word to the wise: whenever you can find a copy of anything by Bill Cheswick, read it! It will be well worth your time.
The Forum's basic point is not the one I've been focused on in the past, but it is a good one. They point out that a simple perimeter firewall approach is not a good match for today's business environment, which can require many interconnections with other organizations; those interconnections result in tunnels through the firewalls, which can render the perimeter firewalls almost useless. See IETF RFC 3093 "Firewall Enhancement Protocol" (http://www.ietf.org/rfc/rfc3093.txt) for one way to do this. (Please be sure to notice the publication date.)
I like the path that the Jericho Forum is exploring. I do not expect that most corporations will fully embrace it anytime soon. (See Cheswick's discussion of Microsoft OSs for one very good reason.) But just about all corporations would benefit from a serious review of what they call security in light of the work of the Jericho Forum.
disclaimer: Harvard, like most big research universities, does not have a clear perimeter, so it has not fallen for the "perimeter is all you need" myth. That said, the university has not expressed any opinion on the richness of the Jericho Forum path, so the above is my own shot.