
E-commerce, security issues challenge network firewall role

Jericho Forum ponders future role of traditional firewall

By , Network World
September 13, 2007 01:58 PM ET

Network World - NEW YORK -- Life behind the network firewall sometimes feels like life behind bars when it comes to today’s collaborative e-commerce, which requires the opening of corporate networks to business partners.

The Jericho Forum, the organization out to convince corporate executives and the security industry that they need to devise security options less dependent on a perimeter defense such as traditional firewalls, displayed its growing clout this week in a conference that attracted top design architects from Microsoft and Oracle and large end-user companies.

The idea of a firewall-less edge is a contentious one, and scores of enterprises, including Citigroup and JPMorganChase, showed up to hear debate on the firewall as necessity or hindrance. Bill Cheswick, lead member of technical staff at AT&T Research and famed as an early innovator of firewalls, kicked it all off with a keynote in which he acknowledged it is possible at times to go “Internet skinny-dipping”—using the Internet securely without a firewall and even antivirus defense.

“Can we use the Internet in a rich way, safely, without a perimeter defense?” Cheswick posed to the conference attendees. The dangers of “people poking my software” are going to be there, he pointed out, and “you’re giving up a layer of security.”

But it is possible to plunge into the Internet without perimeter defense. “I’ve been skinny-dipping without antivirus software. It’s refreshing. Has skinny-dipping worked for me? It’s worked fine for me,” Cheswick said. However, placing “sandbox defenses” around services is key in his own experience. For businesses today, the limitation in forgoing perimeter defense is that “you won’t stop a DDoS attack, so we may still need a walled garden,” he noted.

Cheswick said one of the best possibilities offered for the future of security is in the realm of virtualization software. “Virtualization lets me build a machine with a very robust sandbox,” he said.

Carl Ellison, Microsoft’s architect responsible for designing improvements in Windows, acknowledged the problems of what he termed “isolation boundaries” that no longer offer adequate security since many companies today have to open up network holes in them in order to conduct business.

“We’ve been tunneling everything over Port 80 because that one is open in the firewall,” Ellison noted, adding, “The perimeter is gone. It’s been gone. This is a dream that people have that it’s not gone.”

Ellison acknowledged that he, too, enjoys “skinny-dipping in the 'Net since Windows SP2, and now with Vista. I’m confident because of the host firewall. But we still have to open it up for e-mail, the Web and file-sharing.”

Microsoft servers today can “draw the isolation boundary around the activity,” says Ellison, by using what’s called the Microsoft Server and Domain Isolation technology.

Based on IPSec authentication, Microsoft’s technology lets network managers issue a certificate to computers to let them join domains based on security policies and Active Directory groups.
