What’s a network firewall good for? The Jericho Forum conference prompts debate.
NEW YORK -- Life behind the network firewall sometimes feels like life behind bars when it comes to today’s collaborative e-commerce, which requires the opening of corporate networks to business partners.
The Jericho Forum, the organization out to convince corporate executives and the security industry that they need to devise security options less dependent on a perimeter defense such as traditional firewalls, displayed its growing clout this week in a conference that attracted top design architects from Microsoft and Oracle and large end-user companies.
The idea of a firewall-less edge is a contentious one, and scores of enterprises, including Citigroup and JPMorganChase, showed up to hear debate on the firewall as necessity or hindrance. Bill Cheswick, lead member of technical staff at AT&T Research and famed as an early innovator of firewalls, kicked it all off with a keynote in which he acknowledged it is possible at times to go “Internet skinny-dipping”—using the Internet securely without a firewall and even without antivirus defense.
“Can we use the Internet in a rich way, safely, without a perimeter defense?” Cheswick posed to the conference attendees. The dangers of “people poking my software” are going to be there, he pointed out, and “you’re giving up a layer of security.”
But it is possible to plunge into the Internet without perimeter defense. “I’ve been skinny-dipping without antivirus software. It’s refreshing. Has skinny-dipping worked for me? It’s worked fine for me,” Cheswick said. However, placing “sandbox defenses” around services is key in his own experience. For businesses today, the limitation in forgoing perimeter defense is that “you won’t stop a DDoS attack, so we may still need a walled garden,” he noted.
Cheswick said one of the best possibilities offered for the future of security is in the realm of virtualization software. “Virtualization lets me build a machine with a very robust sandbox,” he said.
Carl Ellison, Microsoft’s architect responsible for designing improvements in Windows, acknowledged the problems of what he termed “isolation boundaries” that no longer offer adequate security since many companies today have to open up network holes in them in order to conduct business.
“We’ve been tunneling everything over Port 80 because that one is open in the firewall,” Ellison noted, adding, “The perimeter is gone. It’s been gone. This is a dream that people have that it’s not gone.”
Ellison acknowledged that he, too, enjoys “skinny-dipping in the 'Net since Windows SP2, and now with Vista. I’m confident because of the host firewall. But we still have to open it up for e-mail, the Web and file-sharing.”
Microsoft servers today can “draw the isolation boundary around the activity,” Ellison said, using what Microsoft calls Server and Domain Isolation.
Built on IPsec authentication, the technology lets network managers require a machine to prove its identity, either through its domain membership or through a certificate issued to it, before it can talk to protected hosts, with the policy and the set of permitted machines assigned through Active Directory groups rather than by network location.
“What’s admitted into the isolation boundary doesn’t have to be a machine belonging only to my company,” he said. But when an audience member asked how it will be possible to track all of the IPSec connections in this envisioned environment, Ellison had to admit that there are today no good management products to do this.
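As an added illustration of the Server and Domain Isolation model Ellison describes (this is not code from the article or from Microsoft's deployment guidance), the following PowerShell sketch expresses the three pieces with the NetSecurity module cmdlets that ship with Windows 8 / Server 2012 and later, not the netsh tooling of the article's era: a machine-authentication set that accepts either a domain Kerberos ticket or a certificate from a trusted partner CA, a domain isolation rule that requires authentication inbound, and a server isolation rule that admits one Active Directory computer group to a service. The CA subject, the group SID and the display names are placeholders. The last command is the per-host check the audience member was asking for: it lists the negotiated main-mode security associations so an administrator can see which peers actually authenticated and how.

```powershell
# Added example (not from the article or Microsoft's guidance): a minimal
# Server and Domain Isolation policy built with the NetSecurity cmdlets
# (Windows 8 / Server 2012 and later). Run elevated, on a test host first.
# The CA subject, the group SID and the display names are placeholders.

# --- Phase 1 (main mode) authentication: who may talk to this host ---
# Domain members authenticate with their machine Kerberos ticket; a box
# outside the domain (a business partner's) may instead present a
# certificate chained to a CA we trust. Either proposal satisfies the set.
$kerb = New-NetIPsecAuthProposal -Machine -Kerberos
$cert = New-NetIPsecAuthProposal -Machine -Cert `
          -Authority 'CN=Example Partner Root CA' -AuthorityType Root   # placeholder CA
$p1 = New-NetIPsecPhase1AuthSet -DisplayName 'Isolation: machine auth' `
          -Proposal $kerb, $cert

# --- Domain isolation: every inbound connection must be authenticated ---
# Inbound "Require" drops peers that cannot authenticate; outbound
# "Request" keeps the host able to reach printers and other devices that
# do not speak IPsec, so the rule does not cut it off from the network.
New-NetIPsecRule -DisplayName 'Domain isolation (require inbound auth)' `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $p1.Name -Profile Domain

# --- Server isolation: SQL (tcp/1433) only from one AD computer group ---
# Layered on the IPsec rule above: the peer must already be authenticated,
# and its machine account must be in the group named by SID in the SDDL
# string (CC = the "connect" right). The SID below is a placeholder.
$groupSid = 'S-1-5-21-1111111111-2222222222-3333333333-1234'
New-NetFirewallRule -DisplayName 'SQL from isolation group only' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 1433 `
    -Authentication Required -RemoteMachine "D:(A;;CC;;;$groupSid)"

# --- The check: what did this host actually negotiate? ---
# There is no estate-wide console here, but per host the main-mode SAs
# show each authenticated peer and the method it used, which is enough to
# spot a partner machine that never completed IPsec and is being dropped.
Get-NetIPsecMainModeSA |
    Select-Object LocalEndpoint, RemoteEndpoint, FirstAuthenticationMethod, RemoteFirstId
```

Because the access decision rests on the authenticated machine identity and its group membership, the same rules apply whether the SQL client sits on the corporate LAN, in a partner's data centre or on a VPN, which is the sense in which the isolation boundary no longer has to coincide with the network perimeter.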
Like Cheswick, Ellison said one of the best chances to develop the kind of “de-perimeterized security” the Jericho Forum advocates may lie with virtualization. Microsoft, though slower than rival VMware in bringing out virtualization software, said it intends to have a virtual-server product out by mid-2008.
“With what’s coming soon, we can divide machines into multiple addressable things that can join different domains,” said Ellison. “We plan to implement firewall policies for these domains.”
The Jericho Forum, which now has about 45 member corporations, mostly large European firms but with a swelling roster of U.S.-based ones such as Johnson & Johnson, has sometimes endured swipes from analysts who perceived the group’s mission of “de-perimeterization” as unrealistic.
But Paul Simmonds, chief information security officer at U.K.-based global paint and chemical manufacturer ICI and a member of the Jericho Forum's board, this week sought to clarify that the group does not endorse the end of the network firewall.
“We never said we didn’t want any firewalls,” said Simmonds. “We’re simply saying, understand why you’re using a firewall and its limitations. You might end up using more firewalls if it reduces your attack surface.”
However, Simmonds added, “In a large corporate network, it’s good as a quality-of-service boundary but not as a security service.”
He noted in his own presentation that the emergence in the past decade of business-to-business and business-to-consumer commerce over the Internet, along with wireless, outsourcing and offshoring, means that “de-perimeterization for most corporations is a fact of life. It’s happening whether you realize it or not. There is today a mismatch of the legal business border, the physical border and the network perimeter.”
By way of example, Simmonds pointed out that to do business with Wal-Mart, it’s necessary to establish a direct connection between the two companies' separate enterprise-resource planning (ERP) systems. “They will insist you punch a hole through to them so we can sell paint and they place orders,” he noted. This situation is increasingly the norm, leaving the firewall as a perimeter full of holes.
Simmonds said the Jericho Forum is condemning voice over IP (VoIP) in general as “not business-ready” because it's insecure, rarely economical and has “no patch process for all system components.”
The goal is to “find a security model that fits your business,” and the Jericho Forum is simply trying to find “a more balanced mix” that goes beyond viewing the firewall as essential, said John Meakin, group head of information security at Standard Chartered Bank and a Jericho Forum member.
Among the vendors that appear increasingly aware of Jericho Forum’s suggestions — not to mention its members’ potential buying power — is Oracle, which dispatched its principal architect for identity management, Nashant Kaushik, to give the conference attendees a view on Oracle’s future product direction.
Kaushik described Oracle’s Fusion initiative, under which the company plans to deliver software across all its applications next year that provides “identity as a service” by separating user and machine identity sources from the underlying applications.
“This concept of identity as a service externalizes it in a common enterprise layer,” Kaushik said. “As a collaborative metasystem, the next step is if a business partner exposes information about workers, then others can plug into that service.”
“This dovetails with de-perimeterization,” he added.
At the conference, analysts invited to speak sought to find common ground with the Jericho Forum’s views, acknowledging there have been spats and disagreements.
“There seems to be some conflict with what Gartner preaches and what Jericho says,” acknowledged Jeffrey Wheatman, a Gartner analyst who spoke on the topic of security and privacy at the Jericho Forum conference.
But he admitted “the old-style DMZ [de-militarized zone] just doesn’t work anymore, it doesn’t support Web 2.0, dynamic content and AJAX.”
Wheatman said, “The perimeter, with its bastion server and DMZ, just doesn’t work any longer. In a world where folks have 2,000 rules in their firewalls, adding rules in response to a business problem doesn’t work.”
While the road ahead isn’t necessarily clear, technologies such as virtualization may end up making a difference for security, Wheatman said. “The Jericho Forum doesn’t say the perimeter is going away. The edge will change, but it won’t go away.”
In his presentation, Daniel Blum, senior vice president and analyst at the Burton Group, said “I don’t see de-perimeterization as an all-or-nothing proposition,” adding, “enterprise security architecture must change to shift the controls from the network to the endpoints, data centers, information repositories and applications.” He added: “the single firewall model is busted.”
In response to the question whether organizations should stop buying firewalls, Wheatman responded: “Don’t stop buying firewalls. Organizations are depending on firewalls to do everything.”
But Simmonds replied, “If Jericho Forum has its way, there are no edge firewalls anymore and no need for a firewall.”