Re: Forrester Research foresees death of firewalls

[Rama Kant <kant () adeptech com>]

I have a copy of this report.  This is a general "management" type of document.

This document *reiterates* some of the basic security principles but, turns
others upside down, e.g., "allow unless explicitly denied" as opposed to
"Deny unless explicitly allowed".   This dictum itself from Forrester
report writers shows the naivety of this report.  It assumes that all
threats are known, existent and non-existent ones.  Is it really possible
to know the whole universe of threats?

Other dictums from this report, namely, Proactive and Accountability are
not new at all.  These security guidelines are followed for any sensible
security implementation.

This report sounds more like the "Revenge of the Users".

I would like to see Foresster follow this approach in their security
implementations.  No respectable security professional will claim firewall
to be a panacea, yet this so called new approach is portrayed as the
security panacea.  For example one of the claimed impact of the "Inverted
Security" is that Encryption export controls will get wiped out!

Rama Kant
Adeptech Systems, Inc.


At 10:05 AM 6/15/99 -0600, SMITH, Michael @Ottawa wrote:
> Forrester has written a report called "Turning Security On Its Head."  The
> basic premise is that "Access denial can't be the rule anymore; it must
> become the exception.  Forrester calls this new approach Inverted
> Security.... By empowering businesses to make more information available to
> a wider audience, Inverted Security will facilitate more compelling Web
> sites and higher value extranets, thus improving return on security
> technology."  What follows are some selected excerpts that deal with
> firewalls and may be of interest to this list.
>
> In a section titled "Today's Approach To Security Is Flawed," Forrester
> says, "An emphasis on locking everything down has caused most firms to
> invest almost exclusively in perimeter security like firewalls.  As a result
> of this restrictive approach, many firms are oblivious to new technologies
> like application security middleware that enable easy access to corporate
> systems.  These companies miss the eCommerce boat as more progressive
> competitors seek alternative ways to open up the back-end."
>
> The proposed rules of Inverted Security are: foster openness, shun
> complexity, share responsibility, and emphasize accountability.  On this
> last point, the report notes, "Real-world business relationships are built
> on trust backed by accountability, not prevention."
>
> Expanding on the notion of sharing responsibility, the report says,
> "Deploying firewalls to deny bad connections, inspect content, authenticate
> users, and encrypt traffic will result in network traffic grinding to a
> halt.  Instead, distribute protection throughout the enterprise using
> routers, Web servers, and application servers.  Unite these components
> through hooks to x.509 certificates, LDAP directories, and policy management
> systems like Axent's Enterprise Security Manager."
>
> Finally, in a sort of footnote to the article, there is a small paragraph
> titled "Firewalls are overblown."  "According to Jeff Schiller, security
> area director for the Internet Engineering Task Force, 'Firewalls have set
> the security industry back years.  Not only are many firewalls riddled with
> holes, but they assume that there is a perimeter at the edge of the company,
> which just isn't true for the virtual corporation.'  Firewalls aren't all
> that bad -- they have provided a stopgap measure for initial Internet
> security problems.  However, we concur with Shiller [sic] that firewalls are
> no panacea.  But before they get ripped out entirely, firewalls will
> continue in their roles as enforcement points."
>
> J. Michael Smith
> Senior IT Security Consultant
> EDS Systemhouse
> 613-236-6604 ext. 1646