RE: Forrester Research foresees death of firewalls

[sean.kelly () lanston com]

> From: Rick Smith [mailto:rick_smith () securecomputing com]
> Subject: Re: Forrester Research foresees death of firewalls
>
>
> Regarding this excerpt from a Forrester report:
>
> > > In a section titled "Today's Approach To Security Is 
> Flawed," Forrester
> > > says, "An emphasis on locking everything down has caused 
> most firms to
> > > invest almost exclusively in perimeter security like 
> firewalls.  As a result
> > > of this restrictive approach, many firms are oblivious to 
> new technologies
> > > like application security middleware that enable easy 
> access to corporate
> > > systems.  These companies miss the eCommerce boat as more 
> progressive
> > > competitors seek alternative ways to open up the back-end."
>
> There is a chunk of Machiavellian truth in this, as shown by 
> the finanical
> successes of the long distance telephone, credit card, and analog cell
> phone business: if you generate enough revenue from a service, you can
> absorb a good deal of fraud and still make good profits.

Possibly, though telco's go to extreme efforts to keep fraud as low as
possible and their profit margins these days are quite thin (though the
latter is mostly due to competetion rather than fraud).

> A few years back I attended an Internet trade show with a 
> couple of our
> sales people. The Internet was (and still is) about 
> excitement and risk
> taking and pulling huge profits. Security plays very poorly to that
> mindset. People would instinctively move away from our booth 
> and towards
> the more exciting "Java Enabled!" booths.

The internet fad seems like it might (finally) be fading a tad.  People are
becoming aware that there are security risks, though often they don't
understand computers well enough to know exactly what they are or how they
might be affected by them.  At best, I will assume that people will
ultimately become as aware of computer security as they are of home security
-- ie. pretty much what I've defined above :).

> > > The proposed rules of Inverted Security are: foster openness, shun
> > > complexity, share responsibility, and emphasize 
> accountability.  On this
> > > last point, the report notes, "Real-world business 
> relationships are built
> > > on trust backed by accountability, not prevention."
>
> This is true, but it drives you back to firewalls. If you let 
> every packet
> in, you don't have any accountability.

I think this kind of accountability could be enforced with a public key
identification system.  In order to use any resources you would be required
to identify yourself via this key and you would be allocated resources
accordingly.  There are obviously still ways around this (key could be
faked, etc.) and it doesn't account for things like flood attacks or other
random mischief, but that's what I assume the writer was getting at.

> Personally I think we'll always have firewalls for the same 
> reason we all
> have bigger locks on our front doors than we have on bedrooms 
> or bathrooms.
> The problem is that there isn't that big of a market for "really good"
> front doors with good locks. Most people buy stuff from 
> Menard's unless
> they live in a city apartment, but then they usually must rely on the
> building owner to provide good locks.

People tend to build home security based on three things: ignorance, the
idea that a break-in could never happen to them, and some assessment of
whether their posessions would be attractive to thieves or perhaps the
degree of fear they have of losing what they have.

> > This report sounds more like the "Revenge of the Users".
>
> They deserve their revenge, since security products have tended to be
> excessively authoritarian in tone, and they've had enough of 
> it. I suspect
> we're headed for a period of much greater risk taking, until 
> people get
> sick of having their sites hacked. Once everyone has been hacked a few
> times we might see some interest in serious security.

I doubt it.  People have never taken an interest in home security, why
should computers be different?  I don't think the average person wants to
think about taking measures to protect his stuff, but many may be willing to
pay a bit for the peace of mind that it is protected.  PGP has been around
for ages and no one uses it, even if they do realize that what they do is
sent in plaintext and could be read by anyone.  Why?  Mostly because it's
another step in the mail process and they're lazy.  Security experts have
the wonderful job of being forced to remind people of things they'd rather
not think about and get them to allocate resources for their prevention --
the prevention of a *perceived* risk no less.


Sean