Firewall-free security is doable, but not ideal

By Bill Brenner, Senior News Writer 12 Jun 2006 | SearchSecurity.com

Technology news and tips for midmarket CIOs Digg This!     StumbleUpon     Del.icio.us

Can a network be adequately protected without a firewall? Probably. But then, you could walk from New York to L.A. instead of flying, but why would you?  Jeffrey Wilson  operations manager,  Times Union

But that doesn't mean they're about to rip the firewalls from their own environments.

Their comments come in response to a SearchSecurity.com story Monday about how the SDSC has suffered only one security breach in a period of almost six years, even though the organization doesn't use firewalls.

At the 2006 USENIX Annual Technical Conference in Boston, Abe Singer, computer security manager for the SDSC's Security Technologies Group, explained that his organization has managed to minimize intrusions through host-based security measures that include a centralized configuration management system; regular and frequent patching; and strong authentication that includes a strict ban on plaintext passwords.

Singer said there's a "horrible truth" about firewalls: they have performance problems, are vulnerable to cascade failures and changing one rule on the network can open up a security hole someplace else. He also said firewalls can't protect organizations from malicious users that may be operating inside the perimeter and that many enterprises put too much faith in their firewalls at the expense of other needed defenses.

Readers generally agreed, including Scott Evans, a technical support professional for an Atlanta-based communication technology company who is also working toward a Bachelor's degree in information security. He said he once worked for a company that used a firewall appliance for VPN connections, authentication and routing. The appliance failed one day, and nobody on either side of the perimeter could access any corporate resources.

"This is an example of the company relying solely on the firewall for protection," he said in an email exchange. In his opinion, companies must also rely on a strong security policy that identifies protection requirements for the most important assets; centralizes management of hosts and authentication methods; and emphasizes end-user education.

Still, most readers said it's still better to have a firewall as part of a layered security program. Nearly 80% of those polled by SearchSecurity.com said a firewall isn't a cure-all, but it's a key part of a multi-layered security program. Only 4% said everyone should use a firewall no matter what, and 16% said top-notch security is possible without one.

More on firewalls Firewall and IDS architecture setup for SMBs Firewalls: SMB Buying Decisions

"I do think that many people become complacent having a firewall in place," Jeffrey Wilson, operations manager for the Albany, N.Y.-based Times Union newspaper, said in an email exchange. "They think that the firewall is the network security panacea, which of course it is not. It is only one tool of many that should be in place in any well-configured, Internet-facing network."

Wilson said he's a firm believer in the defense-in-depth philosophy, which includes firewalls, intrusion defense systems (IDS), patching, VLAN configuration, proxy servers, antivirus, strong policies and tools to enforce those policies. "Can a network be adequately protected without a firewall?" he asked. "Probably. But then, you could walk from New York to L.A. instead of flying, but why would you?"

Boston-based IT professional Jim Weiler said the no-firewall approach is probably most achievable in smaller environments with fewer than 100 machines, few configurations and few Internet access points. But, he said in an email exchange, firewalls are a "worthwhile addition to" a layered defense in larger environments, especially ecommerce sites. In fact, some companies must have a firewall for the sake of compliance.

"It's a PCI [Payment Card Industry data security standard] requirement, and would be considered due care and common practice, so from a liability reduction viewpoint it is also necessary," said Weiler, who also manages the Boston chapter of the Open Web Application Security Project (OWASP).

This article originally appeared on SearchSecurity.com.

Tags: Information security management for the midmarket,  Security tools for the midmarket,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Information security management for the midmarket Test your knowledge: IT quizzes for midmarket CIOs Droid does, but will IT support it? Information security program revamp adds outsourcer oversight and more From data breaches to risk management frameworks: Test your knowledge The challenge of managing risk when IT budgets tighten Why cybersecurity awareness is everyone's responsibility Information technology management e-book downloads for midmarket CIOs 10 must-have steps for an effective SMB information security program Your IT security budget: How to get more bang for the buck Using key risk indicators to sell your information security program Security tools for the midmarket Why CIOs need to get real about identity and access management in 2010 Free risk management tools and resources for the enterprise IT security spending a bright spot in '09, with more growth predicted Security and risk management in the midmarket Identity and access management planning guide for the midmarket A CIO's advice for implementing single sign-on solutions Options for outsourcing security grow, offer IT budget savings Network access control: Pointers for getting the knack of NAC Unified communications: Securing access to OCS Unified communications security: How safe is it?

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary