Why strong walls are not enough

Back in the old days of network security, keeping people out was the whole point of the game. That usually meant putting up a firewall and calling it a day.

During the past decade, however, the picture has changed dramatically. Nowadays, employees access corporate networks remotely from home, airports and hotels. Companies are opening up their networks to partners, suppliers and customers. Throw wireless and web services into the mix, and the result is a porous perimeter that some say is disappearing altogether.

So what does this mean for security? And where does it leave the traditional trappings of security such as firewalls and anti-virus? Most security experts agree that new strategies are needed, but they are not all willing to toss aside the existing technologies.

"As the view of network boundaries changes from the traditional 'inside versus outside' approach to 'connect wherever, whenever,' companies must shift how they look at securing their environment," explains Lisa Johnson, global information security manager at Nike.

"Companies will need to accept that all individuals and devices connecting to their network are untrustworthy. Because of this, more focus must be placed on ensuring the valid identity of anyone wishing to access corporate data and in protecting the data itself."

This shift means that security solutions will need to address identity management and digital rights management, she continues. However, it does not negate the importance of firewall and intrusion-detection technologies. "Rather, it means that they will need to be deployed in a broader manner," says Johnson, "still in key perimeter points, but also closer to where the data is stored."

Dan Geer, vice-president and chief scientist of security firm Verdasys, agrees that the shrinking perimeter requires companies to focus on data-level security, but he sees less of a role for traditional security tools. While firewalls can keep "vandals and trash" out, he says, companies need to guard against bigger threats to their individual information assets.

"The information is where the value of the company is – at least for some classes of companies – and the threat is probably increasing... At some point, you have to say 'We need to circle the wagons around the things that are valuable.' That's the data," he says.

Companies can use access control and authentication mechanisms to protect their data, but those systems become more costly to maintain as businesses grow or decide that they want to refine access, argues Geer. The alternative is accountability.

"The idea of accountability is to let people do what they need to do, but to say that if the authority we grant them is misused, there will be a payment due on that," he explains.

The accountability strategy makes more economic sense compared to a hodgepodge of firewalls, IDS, patch management and anti-virus technologies, which don't back each other up if one fails and require regular "fire drills" – that is, signature updates or port closings to fend off new attacks – thereby increasing management costs, he maintains.

Yet even data-level security has its limitations, counters Rob Clyde, a vice-president and chief technology officer at Symantec.

"Data-level security is probably a prerequisite to a web services application environment with less perimeter security, but it will not solve the problem by itself," he says.

"The most common type of attack to be defended against remains malicious code. In most instances, data-level security will not protect against malicious code. If the client or the server host system becomes infected, data-level security can't be trusted either."

Even though mobile computing continues to increase, it doesn't mean network security will disappear, believes Clyde. For example, many companies using SSL VPNs and web services to facilitate remote access still use gateway security around the servers.

Looking ahead, he foresees gateway security remaining key and network intrusion detection continuing to be effective, but adds that securing clients with personal firewalls, anti-virus and intrusion prevention becomes critical when client systems are placed outside the firewall. Policy-based endpoint compliance helps to ensure that systems are complying with security best practices before they are allowed to connect, he adds.

Indeed, the increasing permeability of the perimeter doesn't necessarily mean companies should throw out their existing security technologies but rather add additional layers on top of them, says Diana Kelley, security technology strategist at Computer Associates.

"The crunchy outside shell of the network and soft chewy marshmallow [inside] doesn't exist. We really need to move to a jawbreaker model that's hard all the way through, down to every device, every application," she advises.

That means writing all applications, whether they come off the shelf or are custom applications, as securely as possible, she says. It also means deploying personal firewalls, anti-virus and access control on every single device in the organization.

Even firewall giant Check Point Software Technologies acknowledges that perimeter protection alone just does not cut it anymore.

"A traditional firewall is still absolutely necessary, but there also needs to be defenses used inside of the network to add to the crunchiness to the internal network," says Gene Manyak, Check Point product marketing manager.

Like Kelley, Manyak believes that enterprises need to deploy layers of security – at the department and group levels as well as the endpoints. However, all these layers of security open up the huge need for management capabilities, he adds.

"When you're starting to look at security at every single level, on all of the devices, all of the servers, you have a lot of events and reporting happening," says Manyak. "And every network has multiple vendors and vendors report differently... So how do you take that different information and begin to normalize it?"
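One way to approach the normalization problem Manyak raises, as an added illustration that is not from the article or from any vendor named in it: two constructed log formats from hypothetical products ("perimfw" emitting key=value pairs, "hostips" emitting pipe-separated fields) are mapped into one event schema so that deny decisions can be counted across layers.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample events from two hypothetical vendors (not real product formats).
SAMPLE_LOGS = [
    'perimfw ts=2004-03-01T10:15:02Z act=drop src=10.0.0.7 dst=192.0.2.10 dpt=445',
    'hostips|2004-03-01 10:15:04|BLOCK|10.0.0.7|192.0.2.10|445|Suspicious SMB traffic',
    'perimfw ts=2004-03-01T10:16:30Z act=accept src=10.0.0.9 dst=192.0.2.20 dpt=443',
]

@dataclass
class Event:
    """Common schema every vendor parser must produce."""
    source: str       # which product reported the event
    timestamp: str    # ISO 8601, UTC
    action: str       # normalized to "allow" or "deny"
    src_ip: str
    dst_ip: str
    dst_port: int

# Vendors name the same decision differently; collapse them to two verbs.
ACTION_MAP = {"drop": "deny", "block": "deny", "accept": "allow", "allow": "allow"}

def parse_perimfw(line):
    fields = dict(re.findall(r'(\w+)=(\S+)', line))
    return Event("perimfw", fields["ts"], ACTION_MAP[fields["act"].lower()],
                 fields["src"], fields["dst"], int(fields["dpt"]))

def parse_hostips(line):
    _, ts, act, src, dst, port, _msg = line.split("|", 6)
    # Rewrite the vendor's "YYYY-MM-DD HH:MM:SS" into the ISO form used above.
    return Event("hostips", ts.replace(" ", "T") + "Z", ACTION_MAP[act.lower()],
                 src, dst, int(port))

PARSERS = {"perimfw": parse_perimfw, "hostips": parse_hostips}

def normalize(lines):
    """Dispatch each line to its vendor parser; unknown vendors are skipped, not guessed."""
    events = []
    for line in lines:
        vendor = re.split(r'[ |]', line, maxsplit=1)[0]
        parser = PARSERS.get(vendor)
        if parser is not None:
            events.append(parser(line))
    return events

def denied_by_source(events):
    """Count deny decisions per source IP regardless of which layer reported them."""
    return Counter(e.src_ip for e in events if e.action == "deny")
```

Once both the perimeter and the host layer speak the same schema, a single query shows that one client was denied twice, which is the kind of cross-vendor view the quote says is missing.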

In the foreseeable future, predicts Manyak, firewalls will continue to be regarded as the "primary security enforcement point," even as companies look to secure their internal network.

Kelley, meanwhile, says companies shouldn't forget the security lessons already learned as they address the evolving environment of connectivity. Businesses need to assess how porous their perimeter has become – a perimeter firewall might still fit the bill for some, while others might need to deploy additional layers.

"Security concepts are still security concepts," says Kelley. "We still need access and integrity and confidentiality and availability. It's still the same tenets. They've just expanded."
