Security / Feature: A radical approach to security
John Taylor, chief technologist for DuPont's IT department in Wilmington, Del., wants to turn his network inside out. Like most IT executives who focus on security, Taylor faces a dilemma. He needs to let outsiders, such as business partners, access his network servers. He also needs to provide easy access to the network for employees who are working outside the firewall. But if his network defenses are porous, how does he keep out viruses? How does he keep out hackers? How does he keep employees inside the firewall from opening executable files that wreak havoc?
One radical fix might involve putting all the client desktops on the Internet, Taylor says. By putting everybody on the outside, network security becomes conceptually easier because the whole notion of the insider goes away. Taylor emphasizes that this idea is still in the planning stages. "We have a distinctive approach under study. We are figuring out what it will take to roll it out," he says.

More than half of DuPont's 65,000 PCs are portable, and they already go outside the perimeter for legitimate business purposes. Those laptops are equipped with VPN software from Aventail to ensure a secure connection while the devices are remote. But viruses can infect the laptop and begin to spread when the user connects back at the office. "I am potentially exposing myself to the risks of pathogens that I can carry back into the office," Taylor says. "It is potentially lethal stuff coming from all over the place."

Putting all the desktops on the Internet simplifies enterprise security because there aren't any outbound requests going through the perimeter, just inbound requests, Taylor says. Traffic is limited to only what the servers expect, which creates a more manageable situation and a stronger security policy. "You essentially face two choices, separate desktops from servers or create a private network for the desktops, another for your servers and then apply security," he says.

Main story: The new security battle plan
Taylor says managing two private networks is unaffordable. But because the bulk of his desktops already visit the Internet anyway, his strategy, if implemented, would be to cut the LAN cables between desktops and servers and provide the desktops with added security features such as personal firewalls, antivirus and VPN software, and RSA Security SecurID tokens for authentication.

Taylor understands that this model might not be popular with users, who would need an increased level of technology know-how because they would be required to manage their personal firewall and to pass through new authorization and access control gateways. "You might think of it as a new form of literacy. In a wired society there's a literacy requirement to maintain your own safety," Taylor says. He says IT's task would be to make the outsider experience for connecting to the network just as easy as it was when users connected directly over a secure LAN cable. "We can't afford to have a personal mechanic on the help desk for every user. We'd want to reduce that cost to zero," he says.

Christophe Huygens, CTO for Ubizen, says Taylor's idea is intriguing, but he says there are some serious obstacles. First, personal firewalls, encryption software and other security measures performed on an end user's desktop can be intrusive (lots of pop-up windows, for example) and can use up a significant amount of network resources, slowing down the computer. "It's difficult to build a secure desktop, and to enforce that the security really stays in place," Huygens says. Then, there's the whole issue of management. Huygens says he wonders how one would perform tasks such as simple software upgrades through a standard Microsoft or Tivoli Systems management console when the desktops are no longer directly connected to the LAN management console.
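The server-side policy Taylor describes (only inbound requests through the perimeter, limited to what the servers expect) written as a deny-by-default check over connection records, so that a server opening a connection outward or a client hitting an unlisted service is flagged. This is an added example, not code from the article or from DuPont; the server subnet, the expected-service list and the sample records are constructed.

```python
"""Classify connection initiations against an inbound-only server policy.
Added example; subnet, service list and records are constructed, not DuPont's."""
import ipaddress
from dataclasses import dataclass

# Assumed server segment and the services the servers are expected to offer.
SERVER_NET = ipaddress.ip_network("10.10.0.0/24")
EXPECTED_SERVICES = {
    ("10.10.0.5", 443),   # web/VPN gateway
    ("10.10.0.9", 22),    # admin SSH jump host
}

@dataclass(frozen=True)
class Conn:
    """One connection initiation: src opened a connection to dst:dport."""
    src: str
    dst: str
    dport: int

def classify(conn: Conn) -> str:
    """Return 'allow', 'internal', 'external', or a 'violation: ...' string."""
    src_in = ipaddress.ip_address(conn.src) in SERVER_NET
    dst_in = ipaddress.ip_address(conn.dst) in SERVER_NET
    if src_in and dst_in:
        return "internal"  # server-to-server, not covered by this policy
    if src_in:
        # A server opening a connection outward is exactly what the
        # inbound-only model forbids (for example, malware calling home).
        return "violation: outbound initiated by server"
    if dst_in:
        if (conn.dst, conn.dport) in EXPECTED_SERVICES:
            return "allow"
        return "violation: inbound to unexpected service"
    return "external"  # desktop-to-Internet traffic, outside the perimeter

def violations(conns):
    """Return the records the policy rejects, paired with the reason."""
    return [(c, classify(c)) for c in conns if classify(c).startswith("violation")]

# Constructed sample records: remote desktops and one misbehaving server.
SAMPLE = [
    Conn("203.0.113.7", "10.10.0.5", 443),  # desktop to web gateway: allowed
    Conn("203.0.113.7", "10.10.0.5", 445),  # SMB at the gateway: unexpected
    Conn("10.10.0.9", "198.51.100.4", 80),  # server calling out: forbidden
    Conn("10.10.0.5", "10.10.0.9", 22),     # server-to-server: internal
]

if __name__ == "__main__":
    for conn, reason in violations(SAMPLE):
        print(f"{conn.src} -> {conn.dst}:{conn.dport}  {reason}")
```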