The firewall's fate is up for debate. For more than a decade, firewalls have stood guard at the perimeter of corporate networks to defend against Internet perils. But a growing number of security managers, united under the banner of the Jericho Forum, want to retire this stalwart because they say it hinders e-commerce.
Countering the forum's argument, however, is an equally emphatic collection of analysts, corporate security managers and, not surprisingly, firewall vendors.
"The perimeter is going away? That's baloney," Gartner analyst John Pescatore said. "We think the security perimeter that people put around their servers is even more critical today. The perimeter cannot go away and does not get less important in the future."
The network must reward good traffic and neutralise suspicious or unknown traffic, Pescatore said, and that makes controlling the perimeter more important than ever.
Tearing walls down
The Jericho Forum - the group's name refers to the Biblical walls that miraculously came tumbling down at the sound of trumpets - is on a mission to define a new security architecture. The forum calls the removal of the old perimeter firewall, along with border proxies, de-perimeterisation, a process it says can be achieved within a matter of years. The mission of its seven dozen members - which include Barclays Bank, Boeing and Eli Lilly - is to make the IT industry aware that it needs a new style of access control and data integrity product that pushes control deep inside intranets.
The Jericho Forum quest to remove the traditional perimeter firewall and still maintain security strikes some as an impossible mission. Check Point Software, the firewall market leader, scoffs at the idea of ditching the firewall.
"First of all, we use the term perimeter security gateway," Check Point's director of market intelligence, Andy Singer, said. "A firewall is a feature for opening and closing ports. There are all these things you can add to the gateway such as VPNs or intrusion prevention."
Singer applauds the forum's effort to get people from all over the world talking about what security might look like in 10-20 years - because that doesn't typically happen. But he said its ideas don't make sense.
The perimeter as a security concept would not go away, Singer said. Firewalling had grown beyond network-level products to include application-layer protection that can inspect HTTP-based traffic on port 80.
Give gateways a chance
Although the forum says the growth of VoIP traffic complicates the situation for firewall use even further, Singer dismisses such concerns as unwarranted. He urges the forum to take a closer look and give perimeter gateways a chance.
Some security managers acknowledge they simply can't envision life without the perimeter firewall.
"We see this as a baseline," chief information security officer at Broadcom, Geoff Aranoff, said.
He didn't see an alternative to having a firewall at the Internet's edge.
Although enabling business partners to gain internal access to Broadcom's network through firewalls required a lot of extra work, it wasn't an impossible obstacle to overcome, Aranoff said.
But the difficulty of enabling collaborative e-commerce through firewalls, plus a growing lack of trust in firewall strength, helps explain why the forum wants to see at least one or two walls come down.
Nevertheless, any attempt at giving up the firewall-based DMZ would be corporate suicide, according to Simmonds. He suggested that firewalls are unlikely to disappear in a sudden big bang, though some forum members, including BP-Amoco, have managed to displace a few firewalls in their global operations.
The forum, which wants to remain an end-user advocacy organisation, last February opened its doors to vendors as well. The first large vendor to sign on has been IBM, Simmonds said. Vendors, however, can't vote on workgroup output or sit on the management board.
Qualys CTO and vice-president of engineering, Gerhard Eschelbeck, said the forum's ideas needed to be heard because the perimeter was, in fact, already gone.
"The perimeter protection model has already disappeared, with nearly any protocol being tunnelled via a single open port," he said.
"Firewalls today act mostly as static enforcement points at the perimeter. The industry needs to move security enforcement into the core of the network, and develop a single architecture where systems are dynamically admitted to the network at individual enforcement points.
"This includes the ability to dynamically control network access based on application, credentials of the user, security exposure and health of the individual endpoint systems."
Easier said than done, perhaps.
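To make Eschelbeck's point concrete, the following is an added illustration, not code from the article, the Jericho Forum or any vendor quoted in it. It contrasts a legacy port-based rule with an admission decision that looks at the identified application, the user's credentials and the health of the originating endpoint. The endpoints, users, roles and packet payloads are constructed sample data; the application fingerprinting is deliberately crude and only serves to show that "port 80" says nothing about what is tunnelled over it.

```python
"""Application- and identity-aware admission versus a port-based rule.

Added illustration; not code from the article or any organisation it quotes.
Every endpoint, user, role and payload below is constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Endpoint:
    """Constructed posture record for the system originating a flow."""
    host: str
    patched: bool      # current on security patches
    av_running: bool   # endpoint protection agent alive
    managed: bool      # corporate-managed device


@dataclass(frozen=True)
class Flow:
    """One connection attempt: who, from where, to which port, first bytes."""
    src: Endpoint
    user: Optional[str]   # authenticated identity, None if anonymous
    dst_port: int
    payload: bytes        # leading bytes of the stream (constructed)


def identify_application(payload: bytes) -> str:
    """Classify the application from the first bytes of the stream.

    The destination port is deliberately ignored: the article's point is that
    nearly any protocol can be tunnelled through a single open port.
    """
    head = payload[:16]
    if head.startswith(b"SSH-"):
        return "ssh"
    # TLS record header: content type 0x16 (handshake), major version 0x03.
    if len(head) >= 3 and head[0] == 0x16 and head[1] == 0x03:
        return "tls"
    for method in (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS "):
        if head.startswith(method):
            return "http"
    return "unknown"


def port_policy(flow: Flow) -> str:
    """Legacy perimeter rule: the open port decides, nothing else is examined."""
    return "allow" if flow.dst_port in (80, 443) else "deny"


# Constructed role model: which identified applications each role may use.
ROLE_APPS = {"engineer": {"http", "tls", "ssh"}, "partner": {"http", "tls"}}
USER_ROLES = {"alice": "engineer", "bob.partner": "partner"}


def endpoint_healthy(ep: Endpoint) -> bool:
    return ep.patched and ep.av_running


def admission_policy(flow: Flow) -> Tuple[str, str]:
    """Decide admission from application, credentials and endpoint health.

    Returns (decision, reason); decision is allow, deny or quarantine.
    """
    if flow.user is None:
        return "deny", "no credentials presented"
    role = USER_ROLES.get(flow.user)
    if role is None:
        return "deny", f"unknown user {flow.user}"
    app = identify_application(flow.payload)
    if app == "unknown":
        return "deny", "application could not be identified"
    if app not in ROLE_APPS[role]:
        return "deny", f"{app} not permitted for role {role}"
    if not endpoint_healthy(flow.src):
        return "quarantine", f"{flow.src.host} failed health check"
    if app == "ssh" and not flow.src.managed:
        return "deny", "ssh only from managed endpoints"
    return "allow", f"{app} by {role} from healthy endpoint {flow.src.host}"


# Constructed sample flows exercising both policies.
HEALTHY = Endpoint("wks-01", patched=True, av_running=True, managed=True)
UNPATCHED = Endpoint("wks-02", patched=False, av_running=True, managed=True)
PARTNER_PC = Endpoint("partner-pc", patched=True, av_running=True, managed=False)

SAMPLE_FLOWS = {
    "http_on_80": Flow(HEALTHY, "alice", 80, b"GET /index.html HTTP/1.1\r\n"),
    "ssh_tunnelled_on_80": Flow(PARTNER_PC, "bob.partner", 80, b"SSH-2.0-OpenSSH_9.6\r\n"),
    "ssh_on_2222": Flow(HEALTHY, "alice", 2222, b"SSH-2.0-OpenSSH_9.6\r\n"),
    "tls_from_unpatched": Flow(UNPATCHED, "alice", 443, b"\x16\x03\x01\x02\x00\x01\x00"),
    "anonymous_garbage_on_80": Flow(HEALTHY, None, 80, b"\x00\x01\x02\x03"),
}


def evaluate_all() -> Dict[str, Tuple[str, str]]:
    """Return {flow name: (port-based decision, admission decision)}."""
    return {name: (port_policy(f), admission_policy(f)[0]) for name, f in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for name, f in SAMPLE_FLOWS.items():
        decision, reason = admission_policy(f)
        print(f"{name:26} port-rule={port_policy(f):5} admission={decision:10} ({reason})")
```

Run stand-alone, the script shows the two policies disagreeing in both directions: the port rule waves through an SSH session a partner has tunnelled over port 80 and an anonymous stream of unidentifiable bytes, while it blocks a legitimate engineer's SSH session merely because it uses a non-standard port. The admission policy reverses each of those decisions and additionally quarantines an authenticated user whose endpoint fails the health check, which is the per-endpoint enforcement the quote describes.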