Firewall Wizards mailing list archives
RE: Forrester Research foresees death of firewalls
From: sean.kelly () lanston com
Date: Thu, 17 Jun 1999 12:16:44 -0400
From: Rick Smith [mailto:rick_smith () securecomputing com]
Subject: Re: Forrester Research foresees death of firewalls
Regarding this excerpt from a Forrester report:
In a section titled "Today's Approach To Security Is Flawed," Forrester says, "An emphasis on locking everything down has caused most firms to invest almost exclusively in perimeter security like firewalls. As a result of this restrictive approach, many firms are oblivious to new technologies like application security middleware that enable easy access to corporate systems. These companies miss the eCommerce boat as more progressive competitors seek alternative ways to open up the back-end."
There is a chunk of Machiavellian truth in this, as shown by the financial successes of the long distance telephone, credit card, and analog cell phone business: if you generate enough revenue from a service, you can absorb a good deal of fraud and still make good profits.
Possibly, though telcos go to extreme efforts to keep fraud as low as possible and their profit margins these days are quite thin (though the latter is mostly due to competition rather than fraud).
A few years back I attended an Internet trade show with a couple of our sales people. The Internet was (and still is) about excitement and risk taking and pulling huge profits. Security plays very poorly to that mindset. People would instinctively move away from our booth and towards the more exciting "Java Enabled!" booths.
The internet fad seems like it might (finally) be fading a tad. People are becoming aware that there are security risks, though often they don't understand computers well enough to know exactly what they are or how they might be affected by them. At best, I will assume that people will ultimately become as aware of computer security as they are of home security -- i.e. pretty much what I've defined above :).
The proposed rules of Inverted Security are: foster openness, shun complexity, share responsibility, and emphasize accountability. On this last point, the report notes, "Real-world business relationships are built on trust backed by accountability, not prevention."
This is true, but it drives you back to firewalls. If you let every packet in, you don't have any accountability.
I think this kind of accountability could be enforced with a public key identification system. In order to use any resources you would be required to identify yourself via this key and you would be allocated resources accordingly. There are obviously still ways around this (key could be faked, etc.) and it doesn't account for things like flood attacks or other random mischief, but that's what I assume the writer was getting at.
Personally I think we'll always have firewalls for the same reason we all have bigger locks on our front doors than we have on bedrooms or bathrooms. The problem is that there isn't that big of a market for "really good" front doors with good locks. Most people buy stuff from Menard's unless they live in a city apartment, but then they usually must rely on the building owner to provide good locks.
People tend to build home security based on three things: ignorance, the idea that a break-in could never happen to them, and some assessment of whether their possessions would be attractive to thieves or perhaps the degree of fear they have of losing what they have.
This report sounds more like the "Revenge of the Users".
They deserve their revenge, since security products have tended to be excessively authoritarian in tone, and they've had enough of it. I suspect we're headed for a period of much greater risk taking, until people get sick of having their sites hacked. Once everyone has been hacked a few times we might see some interest in serious security.
I doubt it. People have never taken an interest in home security, why should computers be different? I don't think the average person wants to think about taking measures to protect his stuff, but many may be willing to pay a bit for the peace of mind that it is protected. PGP has been around for ages and no one uses it, even if they do realize that what they do is sent in plaintext and could be read by anyone. Why? Mostly because it's another step in the mail process and they're lazy. Security experts have the wonderful job of being forced to remind people of things they'd rather not think about and get them to allocate resources for their prevention -- the prevention of a *perceived* risk no less.
Sean