I've been writing columns about the folly of placing most of the corporate security effort into perimeter firewalls for more than a decade. (See "Installing Complacency," "But will they pay attention this time?" and "Crustacean security.")
I can't say that my opinion has always been warmly received. After one presentation at an industry forum, I was accused of being an ivory-tower academic who did not have the faintest idea of the realities of corporate networks. I certainly was not alone in my view of perimeter firewalls, but most folks -- from auditors to security textbook authors -- strongly believed in some kind of perimeter-firewall panacea. But things may be starting to change.
Just to be clear, I do not think you should turn off all of your firewalls. I just think you should stop pretending that all of your fellow workers are perfect in their Internet habits and are thrilled with their pay and working environment. Exclusive reliance on a perimeter firewall gives you crustacean security -- security with a hard outer shell, which when (not if) penetrated offers up a tender and easy-to-pick inside.
Surfing to the wrong Web site, opening the wrong attachment or installing the wrong software can crack the shell, as can disgruntled employees. Firewalls close to the resources, such as servers, can be an effective way to protect the resources (as long as the firewalls filter outbound as well as inbound traffic).
The Jericho Forum, "a loose affiliation of interested corporate CISOs" affiliated with the Open Group, has been making news of late, advocating going further than I have argued for in putting firewalls in their place. They also have a cute new term for it: deperimeterization. The Jericho Forum developed a set of security "commandments" that do a good job of covering what many people, including me, would consider an enlightened view of security in depth.