Firewalls: Jericho winner paints new security picture

The first-place entry in the Jericho Forum's competition for a new answer to security maps neatly to the forum's vision of networks that aren't dependent on Chinese walls. The competition, in association with the Black Hat conference group, challenged "any team of technology experts to design a secure architectural solution that is open, interoperable, viable and operates in a de-perimeterized environment."

Principally composed of large companies, the forum argues that perimeter defenses have been rendered useless by Web and e-mail-based attacks, and that hardened perimeters are "at odds with current and/or future business needs."

The companies, frustrated by what they see as continued industry focus on the broken perimeter model, have banded together to influence security thinking, as well as product direction and development, with this competition an important step.

The first-place entry was from Thomas Olovsson and Jamie Bodley-Scott from AppGate Security. Their vision: "The central firewall complex is replaced by a set of distributed firewalls that are placed on all clients and servers. These firewalls are centrally controlled and can dynamically be configured to allow or deny traffic in the network."

In a typical use, users connect to a gateway called a primary point of interface and go through an identification/authentication exchange (single sign-on). When services are requested, the system checks access authorization and service availability, then passes information about the users' identity and access rights to the application servers (the servers and services remain invisible to unauthorized users). Application servers grant access to bona fide users and block access for all others; traffic is encrypted if needed.

To address the challenge's viability requirement, Olovsson and Bodley-Scott propose using, in part, commonly available technologies: Kerberos for authentication and authorization; LDAP for centrally storing credentials; and SSL, SSH and IPSec for traffic encryption. Other aspects of the architecture draw from AppGate's managed portal technology.

"Assuming each object can protect itself, the overall security level achieved in this system can be significantly higher than before," write Olovsson and Bodley-Scott. "A major reason for this is that all systems are now protected against hostile traffic regardless of its origin."
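The flow sketched above, as an added toy model in Python (not AppGate's code or the authors'): the gateway performs sign-on and forwards identity, while every application server enforces the centrally pushed rule set itself, so a request that bypasses the gateway from "inside" is dropped just the same, and a central policy change takes effect on the host. The names Gateway, AppServer and push_policy, and the sample users and policy table, are constructed for this example.

```python
# Constructed data standing in for the LDAP credential store and the central
# controller's policy table of allowed (user, service) pairs.
CREDENTIALS = {"alice": "s3cret", "bob": "hunter2"}
CENTRAL_POLICY = {("alice", "payroll"), ("alice", "wiki"), ("bob", "wiki")}

class AppServer:
    """A server with its own centrally configured host firewall (default deny)."""
    def __init__(self, service):
        self.service = service
        self.rules = set()  # filled only by push_policy()

    def handle(self, user):
        # No reply at all for unauthenticated or unauthorized traffic: the service
        # stays invisible whether the request came from inside or outside.
        if user is None or (user, self.service) not in self.rules:
            return None
        return f"{self.service}: hello {user}"

def push_policy(servers):
    """Central controller pushes each host just the rules that concern it."""
    for s in servers:
        s.rules = {r for r in CENTRAL_POLICY if r[1] == s.service}

class Gateway:
    """Primary point of interface: single sign-on, then identity is forwarded."""
    def __init__(self, servers):
        self.servers = {s.service: s for s in servers}

    def login(self, user, password):
        return user if CREDENTIALS.get(user) == password else None

    def request(self, user, service):
        server = self.servers.get(service)  # service availability check
        if user is None or server is None:
            return None
        return server.handle(user)  # the server makes the final access decision

def demo():
    servers = [AppServer("payroll"), AppServer("wiki")]
    push_policy(servers)
    gw = Gateway(servers)
    results = {
        "alice_payroll": gw.request(gw.login("alice", "s3cret"), "payroll"),
        "bob_payroll": gw.request(gw.login("bob", "hunter2"), "payroll"),
        # An "inside" host that bypasses the gateway meets the same rule set.
        "inside_bypass": servers[0].handle(None),
    }
    # Central change, pushed dynamically: alice's payroll access is revoked.
    CENTRAL_POLICY.discard(("alice", "payroll"))
    push_policy(servers)
    results["after_revoke"] = gw.request(gw.login("alice", "s3cret"), "payroll")
    return results
```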

It is a compelling story that, as some of the judges in the competition wrote, seems practical. Current firewalls would be redeployed as central systems to collect data used for intrusion detection and prevention.

While the Jericho Forum's basic ideas are viewed by some as radical, if nothing else the group's push is generating some important soul-searching that should benefit us all.


Copyright © 2005 IDG Communications, Inc.
