Steffo's Echolot


Only technical stuff here.
Wednesday Feb 28, 2007

Firewalls: No more perimeter security?

"The era of firewalls is over!" I hear people say. What they mean is "The era of perimeter security is over". While the first sentence is absolute rubbish, the latter is provocative, too strong and needs some clarification. The argument at the Net-ID conference was that perimeter security is like a medieval city wall and no longer appropriate in modern communication infrastructures. To me this sounds very much like the arguments from the intrusion detection/prevention community in the late 90's: you allow everybody to walk (surf) around wherever he/she wants to go. Instead of a rigid access system (firewall), however, you install cameras to detect whether people are vandalizing or otherwise doing harmful things to your IT systems.

I haven't seen a single company touting intrusion detection systems while offering public access to their premises. Folks, let's get real here: firewalls are not city walls; firewalls control access to your IT systems and are comparable with the walls of your building. Companies - like cities - have areas which are public (called internet websites) and anonymous access to these places should be granted.

However, there are certain areas where access should be granted only to those who can be identified. Maybe I don't need to know who that person is. I only need to know that person's e-mail address. So if there is a third party which authenticates the user, I can rely on that party. I don't need any other information about who that person is or what his e-mail address looks like. Maybe I am only interested in that person's age (in her 20's, 30's or whatever). The same information a concierge can gather. Of course, a person must have distinct control over what information (age, shoe size) will be visible to whom. That's called federated identity and there is a plethora of mechanisms and products to achieve this. Admittedly, there is a new lack of overview (Unübersichtlichkeit) when it comes to these mechanisms.

Instead of getting rid of the perimeter solution, companies might want to add a mechanism to give more data (information, binary downloads, etc.) to people who willingly give up their anonymous status.

I am not saying that the (more or less) anonymous access we have today should be given up. My point is that

  1. I don't want to log on again and again to a software vendor's development site, and once again to IEEE's or ACM's site (who all have my e-mail address, name etc).
  2. I understand that companies are interested in knowing a little bit - and I am strict about "little" here - about who is downloading their product (honestly, some data gathering behaviour is clearly not justifiable and is somewhat beyond me).

So, if your firewall is a perimeter solution comparable to medieval city walls:

  1. Get rid of your archaic solution.
  2. Identify your real assets (e.g. via a risk analysis).
  3. Create as many open spaces as possible for people who want to stay anonymous.
  4. Use a perimeter solution (building wall) to protect your assets against those who want to stay anonymous.
  5. Use a federated identity solution to allow authenticated access to your assets and to control access based on an authorization model.
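As an added illustration (not code from the original post or from any product), the five steps above condensed into a minimal relying-party rule set: public areas stay anonymous, protected assets sit behind a deny-by-default perimeter, and access to them is decided on claims released by a trusted third-party identity provider. The resource paths, issuer name and claim names are constructed for the example.

```python
"""Relying-party access model for the five steps: perimeter rule first,
federated claims only for protected assets (constructed example)."""
from dataclasses import dataclass, field

# Constructed: the third-party authenticators this site relies on (the "concierge").
TRUSTED_ISSUERS = {"idp.example-federation.test"}

# Steps 2-4: asset classification from a (constructed) risk analysis.
# Public areas need no identification; other assets list the claims they need.
RESOURCES = {
    "/website": {"public": True, "needs": set()},
    "/downloads/binaries": {"public": False, "needs": {"email"}},
    "/downloads/age-restricted": {"public": False, "needs": {"age_bracket"}},
}


@dataclass
class Assertion:
    """What the identity provider vouches for; `claims` holds only the
    attributes the user chose to release, nothing more."""
    issuer: str
    claims: dict = field(default_factory=dict)


def authorize(path: str, assertion: Assertion = None) -> tuple:
    """Return (allowed, reason). Unknown paths are denied by default; public
    areas are open to anonymous visitors; protected assets require a trusted
    issuer and exactly the claims the resource needs, no identity beyond that."""
    res = RESOURCES.get(path)
    if res is None:
        return False, "unknown resource: deny by default"
    if res["public"]:
        return True, "public area: anonymous access granted"
    if assertion is None:
        return False, "perimeter: protected asset requires an identified visitor"
    if assertion.issuer not in TRUSTED_ISSUERS:
        return False, f"untrusted identity provider: {assertion.issuer}"
    missing = res["needs"] - set(assertion.claims)
    if missing:
        return False, f"claims not released by the user: {sorted(missing)}"
    return True, f"granted on claims {sorted(res['needs'])} only"


if __name__ == "__main__":
    # A visitor who released only an age bracket, no name or e-mail.
    visitor = Assertion("idp.example-federation.test", {"age_bracket": "20s"})
    for path, a in [("/website", None), ("/downloads/binaries", None),
                    ("/downloads/age-restricted", visitor),
                    ("/downloads/binaries", visitor)]:
        print(path, authorize(path, a))
```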

Comments:

[Trackback] Steffo made some interesting comments on the meme that firewalls or perimeter security is a thing of the past: Firewalls: No more perimeter security?. I agree with Steffo. As long as there is no system that is secure in itself (read: never), you nee...

Posted by c0t0d0s0.org on February 28, 2007 at 01:06 PM CET #
