Are firewalls expendable?

The firewall's fate is up for debate.

For more than a decade, firewalls have stood guard at the perimeter of corporate networks to defend against the Internet's perils. But a growing number of security managers, united under the banner of the Jericho Forum, want to retire this stalwart because they say it hinders e-commerce.

Countering the forum's argument, however, is an equally emphatic collection of analysts, corporate security managers and, not surprisingly, firewall vendors.

"The perimeter going away? That's baloney," said John Pescatore, a Gartner analyst alluding to the concept during his presentation at the research firm's recent IT Security Summit on the future of network security. "We think the security perimeter that people put around their servers is even more critical today. The perimeter cannot go away and does not get less important in the future."

There's an underlying need that "the network must reward good traffic and neutralize suspicious or unknown traffic," Pescatore said. And that means "controlling the perimeter is ever more important."

The Jericho Forum - the group's name refers to the Biblical walls that miraculously came tumbling down at the sound of trumpets - is on a mission to define a new security architecture. The forum calls knocking down the old firewall, as well as border proxies, a "de-perimeterization" process that can be achieved within a matter of years. The mission of its seven dozen members, which include Barclays Bank, Boeing and Eli Lilly, is to make the IT industry aware that it needs a new style of access control and data integrity product that pushes control deep inside intranets.

The Jericho Forum's quest to remove the traditional perimeter firewall and still maintain security strikes some as an impossible mission.

"There really isn't an alternative at the moment and I doubt there will be," says Nigel Fletcher, mobile segment manager at BG Group, a 6,000-employee oil and gas company in the U.K. that has offices and exploration outposts around the world. "A massive leap of faith would be required for this to happen."

Check Point Software, the firewall market leader, scoffs at the idea of ditching the firewall.

"First of all, we use the term 'perimeter security gateway,' " says Andy Singer, Check Point's director of market intelligence. "A firewall is a feature for opening and closing ports. There are all these things you can add to the gateway, such as VPNs, or intrusion prevention."

Singer applauds the forum's effort to "get people from all over the world talking about how security might be in 10 to 20 years - that doesn't typically happen." But he says their ideas don't make sense.

The perimeter as a security concept "will not go away," Singer says. He notes that firewalling has grown beyond network-level products to include application-layer protection that can inspect HTTP-based traffic through Port 80.

Although the forum says the growth of VoIP traffic complicates the situation for firewall use even further, Singer dismisses such concerns as unwarranted. He urges the forum to take a closer look and give perimeter gateways a chance.