Modernizing Authentication — What It Takes to Transform Secure Access
That's the question some network administrators and security managers have started asking.
With an increasing number of workers going mobile and taking their laptops, smart phones and handhelds on the road with them, the perimeter just isn't the solid wall that it used to be. Add to that the number of consultants and partners who access the corporate network, and the perimeter has become exceedingly porous.
So without a solid perimeter to protect, where does the firewall fit into a company's security arsenal? For years, IT managers protected the network with anti-virus and intrusion detection software and a strong firewall. Are those days over? If there's no one perimeter to stand guard over, does the firewall still factor into a strong enterprise security plan?
''I think the firewall, as we used to know it, is becoming less and less useful,'' says Stamp. ''As a principle level of defense, there's most definitely a shift away from that. A lot of corporate people are saying the firewall just isn't enough anymore. It's just not enough to keep the company safe.''
However, just because the firewall doesn't fit into the same security niche that it always has doesn't mean it's not finding a new place.
''The level of sophistication of attackers these days goes way beyond what a traditional firewall is going to be able to stop. The way we do business has changed a lot since the invention of the firewall, so the way we use the firewall has to change,'' adds Stamp. ''The old model of putting the firewall at the perimeter has become defunct... You put them closer to the assets you need to protect. You end up having lots of firewalls.
''Instead of one big firewall, I might potentially have 5,000 firewalls,'' he notes. ''This is the evolution of the firewall.''
Building an Army
What's happening, analysts agree, is that the firewall isn't going to be retired into IT history any time soon. Its role in enterprise security simply is shifting. Without a strong perimeter to protect, having a main firewall is less efficient. There are too many ways around it.
What is needed to today is an army of firewalls.
Don't think about it as one company network that needs to be protected, says Scott Crawford, a senior analyst with Enterprise Management Associates, an industry analyst firm based in Boulder, Colo. Focus on protecting the information -- wherever it is.
''Perimeter defenses will not go away. They're transitioning but not going away,'' says Crawford. ''There will always be a need to define a boundary between a trusted network and an untrusted network. The question becomes what's the point of access and what's the method of access? And how much can you trust individual users on the network?''
Crawford says it comes down to securing the endpoint, whether it be a desktop, laptop, PDA or VPN connection.
''What we're really doing is taking security policy enforcement that was most commonly associated with the firewall and putting it on the endpoint itself or at the point of connection. We're also enforcing the type and degree of access that systems have with each other... Where we're putting the firewall has changed and security policy enforcement has changed. Security policy management has become more of the order of the day and the firewall has become a tool of enforcement.''
Eric Maiwald, a senior analyst at the Burton Group, an analyst firm based in Midvale, Utah, says IT needs to make sure that it has a component of the perimeter on all mobile devices.
''If I have a laptop with sensitive data or the ability to get back into our data center, or if I'm traveling with that and have it at hot spots and in hotel rooms, I need to protect that system,'' explains Maiwald. ''I have to provide protection to the information that is accessible through that system... We move the protection out to where it's most needed or where the perimeter actually is.
''In some cases the perimeter may be traveling around,'' he adds. ''The perimeter of the organization still exists. We're not depending entirely on one device, the firewall, for all our perimeter protection. That doesn't mean the firewall itself is a useless device. We're just not going to depend upon it as the only perimeter device and we probably never should have.''
Gregg Mastoras, senior security analyst at Sophos, Inc., an anti-virus and anti-spam company with U.S. headquarters in Lynnfield, Mass., says it's important for IT managers to rethink how they use the firewall and how it fits into their security arsenal... and the sooner the better.
''At this point, the network has never been more vulnerable because of mobile workers,'' says Mastoras. ''All these mobile devices give you excellent access anywhere, anytime, but it also gives excellent access to risks... The perimeter has to be rethought.''
Mastoras agrees with Crawford, adding that IT needs to build a ''shell of security'' around the endpoints.
''True security has to sit at the perimeter and at the desktop,'' he says. ''Any device has to be fully protected. Anti-virus, anti-spam and personal firewalls all have to sit there to create a shell of security for the endpoint... There are all these new pathways into the network. We're in a stage of proliferation. That's not going to slow down so security has to be a fast follower.
''The firewall still has its use, even at the perimeter. Just like you need anti-virus at the perimeter,'' he adds. ''But the notion that that's all you need is dead.''