Jericho Forum: U.S. network execs clinging to firewalls

American businesses aren’t necessarily buying into the Jericho Forum’s urging to rely less on hardened perimeter security -- firewalls and intrusion detection -- in favor of tougher internal security.

The forum, which is made up of CSOs from some of the largest international corporations, says it sees growing adoption of its once-radical idea that businesses should reduce dependence on firewalls as a way to defend against Internet threats. Nearly half -- 45% -- of those polled by the forum say they are implementing network security that complies with forum recommendations.

Forty-eighty percent say they agree strongly that such a security realignment actually improves their companies’ ability to do business, according to a survey of forum members. About half the members responded to the survey, 64% European and 29% American.

The forum meets Monday in New York, in part to prod U.S. businesses to alter their security architectures in order to defend against deperimeterization, the opening up of corporate networks to let in business partners, contractors, customers and guests.

“The Jericho Forum felt we needed to make a big push to get the message out to our American colleagues,” says Paul Simmonds, a Jericho Forum board member and the global information security director at ICI, a U.K.-based paint and chemical manufacturer. “America isn't up to speed. Absolutely.”

The forum’s keynote address, “40 Years of Internet Security and the Future for Firewalls,” is being delivered by Bill Cheswick, lead member of technical staff at AT&T Research.

The forum’s view of firewalls is that they no longer meet the needs of businesses that increasingly need to let in traffic to do business. Its deperimeterization thrust calls for using secure applications and firewall protections closer to user devices and servers.

But even some of the speakers at the Jericho Forum conference advise moderation. “Deperimterization is never going to be all or nothing,” says Daniel Blum, an analyst with the Burton Group, who is speaking at the conference.

Blum acknowledges that relying on perimeter security too much creates insecurity, but says firewalls and the traditional perimeter will still have a place. “It shouldn’t mean throwing away the perimeter, but it also shouldn’t mean they’re all-knowing and all effective. You have to have a sense of depth,” he says. "Enterprises must shift controls to the endpoints, data center repositories and applications."

Jeffrey Wheatman, an analyst with Gartner, says his firm agrees that businesses need to open up their perimeters more, but Gartner focuses less on endpoint and host security than the Jericho Forum does.

“Their ideas are very good in theory, I just think they're depending on something that is opportunity to provide perfect endpoint security,” he says. “We need to take whatever limited security dollars we have and spend them in the most expeditious and efficient manner until we run out of that money."

In many cases Jericho recommendations rely on technology that is not available and that ignores cost-effective and efficient technologies that can significantly reduce risk, he says. “So if there are certain types of attacks and threats that you can stop at a single or two or three choke points or entry points Gartner feels that is not a bad way -- in fact, in many cases it's a good first step -- of deciding where you make your security investments," Wheatman says.