Are firewalls expendable?
Jericho Forum looks to redefine security schemes
By Ellen Messmer, Network World | Network World US | Published: 09:00, 14 July 2005
For more than a decade, firewalls have stood guard at the perimeter of corporate networks to defend against the Internet's perils. But a growing number of security managers, united under the banner of the Jericho Forum, want to retire this stalwart because they say it hinders e-commerce.
Countering the forum's argument, however, is an equally emphatic collection of analysts, corporate security managers and, not surprisingly, firewall vendors.
"The perimeter going away? That's baloney," said John Pescatore, a Gartner analyst alluding to the concept during his presentation at the research firm's recent IT Security Summit on the future of network security. "We think the security perimeter that people put around their servers is even more critical today. The perimeter cannot go away and does not get less important in the future."
There's an underlying need that "the network must reward good traffic and neutralise suspicious or unknown traffic," Pescatore said. And that means "controlling the perimeter is ever more important."
The Jericho Forum - the group's name refers to the Biblical walls that miraculously came tumbling down at the sound of trumpets - is on a mission to define a new security architecture. The forum calls knocking down the old firewall, as well as border proxies, a "de-perimeterization" process that can be achieved within a matter of years. The mission of its seven dozen members, which include Barclays Bank, Boeing and Eli Lilly, is to make the IT industry aware that it needs a new style of access control and data integrity product that pushes control deep inside intranets.
The Jericho Forum's quest to remove the traditional perimeter firewall and still maintain security strikes some as an impossible mission.
"There really isn't an alternative at the moment and I doubt there will be," says Nigel Fletcher, mobile segment manager at BG Group, a 6,000-employee oil and gas company in the UK that has offices and exploration outposts around the world. "A massive leap of faith would be required for this to happen."
Check Point Software, the firewall market leader, scoffs at the idea of ditching the firewall.
"First of all, we use the term 'perimeter security gateway,' " says Andy Singer, Check Point's director of market intelligence. "A firewall is a feature for opening and closing ports. There are all these things you can add to the gateway, such as VPNs, or intrusion prevention."
Singer applauds the forum's effort to "get people from all over the world talking about how security might be in 10 to 20 years - that doesn't typically happen." But he says their ideas don't make sense.
The perimeter as a security concept "will not go away," Singer says. He notes that firewalling has grown beyond network-level products to include application-layer protection that can inspect HTTP-based traffic through Port 80.
Although the forum says the growth of VoIP traffic complicates the situation for firewall use even further, Singer dismisses such concerns as unwarranted. He urges the forum to take a closer look and give perimeter gateways a chance.
Some security managers acknowledge they simply can't envisage life without the perimeter firewall.
"We see this as a baseline," says Geoff Aranoff, chief information security officer at semiconductor manufacturer Broadcom, adding that he didn't see an alternative to having a firewall at the Internet's edge. Although enabling business partners to gain internal access to Broadcom's network through firewalls requires a lot of extra work, it isn't an impossible obstacle to overcome, he says.
But the difficulty in enabling collaborative e-commerce through firewalls, plus a growing lack of trust in firewall strength, help explain why the forum wants to see at least one or two walls come down.
"The firewall is good at keeping out script kiddies and denial-of-service attacks, but otherwise it's really not a good security boundary with the web and e-mail coming in," says Paul Simmonds, global information security director at chemicals and paints manufacturer ICI, which is a Jericho Forum member.
At the same time, the firewall gateway is a hindrance for direct and cost-effective server-to-server e-commerce, he says.
Nevertheless, any attempt at giving up the firewall-based DMZ would be "corporate suicide," Simmonds says. He suggests that a sudden "big bang" of firewalls coming to an end is not likely to occur, though some forum members, including BP-Amoco, have managed to displace a few firewalls in their global operations.
One step the Jericho Forum is taking to move things forward is running a contest in which participants are asked to submit detailed security architecture for database authentication and web-portal access over the Internet based on the idea of de-perimeterization.
The single document describing the de-perimeterisation concept was published in February titled Visioning White Paper. It can be found on the website of the Open Group, a consortium that promotes open standards and hosts the forum.
About two dozen submissions received for a proposed de-perimeterization architecture have been received, Simmonds says. Winners are scheduled to be announced at the Black Hat Conference in Las Vegas this month.
The contest, with a $1,000 prize, is being underwritten by vulnerability-assessment services provider Qualys, one of the few vendors belonging to the forum.
The forum, which wants to remain an end-user advocacy organisation, last February opened its doors to vendors, as well. The first large vendor to sign on has been IBM, Simmonds says. Vendors, however, can't vote on workgroup output or sit on the management board.
Qualys CTO and Vice President of Engineering Gerhard Eschelbeck says the forum's ideas need to be heard because the perimeter is, in fact, already gone.
"The perimeter protection model has already disappeared, with nearly any protocol being tunneled via a single open port," Eschelbeck says. "Firewalls today act mostly as static enforcement points at the perimeter. The industry needs to move security enforcement into the core of the network, and develop a single architecture where systems are dynamically admitted to the network at individual enforcement points."
He adds: "This includes the ability to dynamically control network access based on application, credentials of the user, security exposure and health of the individual endpoint systems."
Easier said than done, perhaps.
"Ultimately, we are a bunch of corporates who are consumers of vendor solutions," Simmonds says. "This may be five years down the line, but we need these products."