fred avolio's musings

Another “ground-breaking column” in Network Magazine, (do we still say “in” when it is “on” the web page?). No, I am being unduly sarcastic. As I will suggest, it is not their problem, but ours. The column, by Art Wittman is Security Is an Architecture, Not an Appliance. The premise: “The idea that security starts and ends with a prepackaged firewall is simply misguided.” His column is right on target. But, don’t we know this already? (And I suppose we do, but many people do not.) A search for “Firewalls are not enough,” turns up 649 hits, including a paper I wrote that originally appeared in the Proceedings of the 17th National Computer Security Conference… in October 1994 and another I wrote—the cover story—for Information Security Magazine, “Firewalls: Are We Asking Too Much?” That was in May, 1999.

What new information does Wittmann’s add? None, really. And to be fair, it is really just meant to be a lead-in to the magazine’s current (not sure what month—I cannot tell from their web page) current issue that discusses host-based IPS technologies.

This seems to me to be part of the trends I related in “History Lost” and “The Same Old Drum Beat.” Yes, application-specific controls are needed. Yes, firewalls are not and never have been enough. Nevertheless, we apparently have and continue to communicate to those with less clue than we have (see Seven Things to Help Keep Sanity and Equilibrium) that they are. I suspect, as I have for quite a few years, that the problem stems from the dilution of the network security clue-pool with those who took a course or two, got certified, and hung out a “security” shingle. As I rapidly approach a half-century of life, I am not suggesting anything radical. Just that the lack of practical experience may be part of the problem, and—as I suggest elsewhere—may be what leads us to repeatedly cover the same ground. I am not just ranting here, but I have no solutions to offer except that people do their homework. Some of our latest discoveries were already discovered many years ago.

Erling Jepsen wrote from Denmark with these observations and pointers: I’m doing my masters thesis on security aspects of Service oriented architecture (SOA) and this is one thing that I’ve started to wonder myself. SOA introduces a new set of challenges to security. One is that organizations can not anymore tie themselves down behind a DMZ, because the people who are accessing our data could be sitting inside or outside the organisation and because there would be external partners also requesting information – a whole new. The Jericho Forum calls this de-perimeteriazation. In order for security to properly match the extra abstraction layer, which SOA has adhered to, it will itself have to rise – so I think formulating a security architecture would be interesting. Just my 5 cents of comments (or 25 re as the equivalent is here in Denmark) Thanks for the pointer, Erling. I never heard of The Jericho Forums before.