Thursday, 14 May 2009

An alternative architecture for security

I got an email from a reader of my blog. He wanted to have more information about "non-firewall based" security. This is my answer:
Chris,
Thank you for your email and your comments. It is not a question of replacing the firewall...more of a question of making the firewall a part of the architecture rather than the center of the architecture. Firewalls have traditionally been used to build a supposedly secure wall around the network. However, users on the inside need access to outside resources, and many trusted users found on the outside need access to internal resources. In addition, more granular internal security is needed, since the corporate LAN is normally not secure enough and does not give enough protection to all resources. The traditional firewall-centric view that treats everything on the outside as malicious and everything on the inside as benign is no longer as useful as it used to be.
A new architecture where each device is capable of protecting itself is needed. To implement this, protection mechanisms must be moved away from the perimeter and placed much closer to the servers where applications execute and the data is located. All end-systems used for access should have personal firewalls and software that protect them from other network threats. In a world where every system, each server and every client, is able to protect itself and only admits authorised users to access data, the role of the firewall is diminished. In this world, the networks are only used to transport data, and the boundary between the internal network and the Internet will become much simpler.
It is possible to create centrally defined policies that govern how all computers that connect to the network should behave. With this model, it is easy to offer secure access to all types of services, and since all users are treated equally regardless of location, it is now as easy to offer access to internal users as it is to business partners, home workers and mobile users.
Firewalls can still be present but will in the long run be transformed into systems for data collection, for example for intrusion detection systems (IDS) and intrusion prevention systems (IPS). This new architecture can be compared with modern cities; we no longer build a ring wall around the city, and protection has moved from the perimeter to the source, i.e. to the buildings, shops and stores where the assets are located. The streets are just transport paths, just as the network will be, and simply having access to the network does not mean that all services are available or even visible to the user.
Regards
Goran
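To make the model in the reply above concrete, here is an added example (not code from the original post or from any product it mentions) of the host-side enforcement it describes: a server loads a centrally published policy and decides each request from the caller's asserted identity and the reported state of their end-system, while the network the request came from is recorded only for the IDS/IPS collectors. The policy contents, group names, resource names and posture attributes are all constructed for the illustration.

```python
"""Host-side policy enforcement, illustrating the architecture described above.

Each server evaluates the central policy itself. The decision depends on
who the caller is (groups asserted by an identity provider) and whether the
caller's end-system meets the posture requirements (personal firewall on,
patched), never on which network segment the request arrived from.
"""
import json
from dataclasses import dataclass

# Constructed central policy, as a server would fetch it from a policy
# service. Group membership, not IP address or location, grants access.
CENTRAL_POLICY_JSON = """
{
  "resources": {
    "hr-db":     {"read": ["hr-staff"], "write": ["hr-staff"]},
    "wiki":      {"read": ["employees", "partners"], "write": ["employees"]},
    "build-srv": {"read": ["developers"], "write": ["developers"]}
  },
  "device_requirements": {"personal_firewall": true, "patched": true}
}
"""


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset   # groups asserted by the identity provider
    resource: str
    action: str
    device: dict        # posture reported by the endpoint agent (hypothetical)
    source_net: str     # "corporate-lan", "internet", ...: logged, never trusted


@dataclass
class Decision:
    allowed: bool
    reason: str


class HostPolicyEnforcer:
    """The enforcement point that runs on every server, close to the data."""

    def __init__(self, policy_json):
        self.policy = json.loads(policy_json)
        # Denied requests are kept as events for export to IDS/IPS collectors,
        # the data-collection role the reply foresees for perimeter devices.
        self.events = []

    def _device_compliant(self, device):
        required = self.policy["device_requirements"]
        return all(device.get(key) == value for key, value in required.items())

    def evaluate(self, req):
        rules = self.policy["resources"].get(req.resource)
        if rules is None:
            # Unknown resources are invisible: deny rather than advertise them.
            return self._deny(req, "unknown resource")
        if not self._device_compliant(req.device):
            return self._deny(req, "end-system not compliant")
        allowed_groups = set(rules.get(req.action, []))
        if not req.groups & allowed_groups:
            return self._deny(req, "user not authorised for action")
        # req.source_net is deliberately not consulted: an internal address
        # earns no extra trust and an external one no extra suspicion.
        return Decision(True, "authorised")

    def _deny(self, req, reason):
        self.events.append({
            "user": req.user, "resource": req.resource, "action": req.action,
            "source_net": req.source_net, "reason": reason,
        })
        return Decision(False, reason)


def run_demo():
    """Evaluate a few constructed requests and return the decisions and events."""
    enforcer = HostPolicyEnforcer(CENTRAL_POLICY_JSON)
    good = {"personal_firewall": True, "patched": True}
    bad = {"personal_firewall": False, "patched": True}
    requests = [
        AccessRequest("alice@partner", frozenset({"partners"}), "wiki", "read", good, "internet"),
        AccessRequest("alice@partner", frozenset({"partners"}), "wiki", "write", good, "internet"),
        AccessRequest("bob", frozenset({"employees"}), "wiki", "read", bad, "corporate-lan"),
        AccessRequest("carol", frozenset({"hr-staff"}), "hr-db", "write", good, "corporate-lan"),
        AccessRequest("carol", frozenset({"hr-staff"}), "hr-db", "write", good, "internet"),
    ]
    decisions = [enforcer.evaluate(r) for r in requests]
    return decisions, enforcer.events


if __name__ == "__main__":
    for decision in run_demo()[0]:
        print(decision)
```

The partner on the Internet with a compliant laptop gets read access to the wiki, the employee on the corporate LAN with the personal firewall switched off is refused, and the HR user gets the same answer from inside and from outside: that is the "users are treated equally regardless of location" property, with the denials left behind as detection data.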
