By Ellen Messmer, 09/13/07
The Jericho Forum, the organization out to convince corporate executives and the security industry that they need to devise security options less dependent on a perimeter defense such as traditional firewalls, displayed its growing clout in a conference that attracted top design architects from Microsoft and Oracle and large end-user companies.
The idea of a firewall-less edge is a contentious one, and scores of enterprises, including Citigroup and JPMorganChase, showed up to hear debate on the firewall as necessity or hindrance. Bill Cheswick, lead member of technical staff at AT&T Research and famed as an early innovator of firewalls, kicked it all off with a keynote in which he acknowledged it is possible at times to go “Internet skinny-dipping”—using the Internet securely without a firewall and even antivirus defense.
“Can we use the Internet in a rich way, safely, without a perimeter defense?” Cheswick posed to the conference attendees.
The dangers of “people poking my software” are going to be there, he pointed out, and “you’re giving up a layer of security.” But it is possible to plunge into the Internet without perimeter defense. “I’ve been skinny-dipping without antivirus software. It’s refreshing. Has skinny-dipping worked for me? It’s worked fine for me,” Cheswick said. However, placing “sandbox defenses” around services is key in his own experience. For businesses today, the limitation in foregoing perimeter defense is that “you won’t stop a DDoS attack, so we may still need a walled garden,” he noted.
Cheswick said one of the best possibilities offered for the future of security is in the realm of virtualization software. “Virtualization lets me build a machine with a very robust sandbox,” he said.
Carl Ellison, Microsoft’s architect responsible for designing improvements in Windows, acknowledged the problems of what he termed “isolation boundaries” that no longer offer adequate security since many companies today have to open up network holes in them in order to conduct business.
“We’ve been tunneling everything over Port 80 because that one is open in the firewall,” Ellison noted, adding,“The perimeter is gone. It’s been gone. This is a dream that people have that it’s not gone.”
Ellison acknowledged that he, too, enjoys “skinny-dipping in the ‘Net since Windows SP2, and now with Vista. I’m confident because of the host firewall. But we still have to open it up for e-mail, the Web and file-sharing.”
Microsoft servers today can “draw the isolation boundary around the activity,” Ellison said, by using what is called Microsoft Server and Domain Isolation technology.
Based on IPSec authentication, Microsoft’s technology lets network managers issue a certificate to computers to let them join domains based on security policies and Active Directory groups.
“What’s admitted into the isolation boundary doesn’t have to be a machine belonging only to my company,” he said. But when an audience member asked how it will be possible to track all of the IPSec connections in this envisioned environment, Ellison had to admit that there are today no good management products to do this.
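To make the Server and Domain Isolation model described above concrete, here is an added illustration (not from the article and not Microsoft's own sample) of how a defender expresses it on a modern Windows host: machine-certificate IPsec authentication, an inbound "require / outbound request" connection security rule, and a firewall rule that only admits computers in a particular Active Directory group. It uses the NetSecurity cmdlets that shipped with Windows 8 / Server 2012 and later, which postdate the article; the CA name, group SID and rule names are placeholders. The last command shows the one piece of visibility the built-in tooling does give for the monitoring question raised in the text: the list of live IPsec security associations.

```powershell
# Added example: minimal Server and Domain Isolation policy with the NetSecurity
# module (Windows 8 / Server 2012+). All names, DNs and SIDs below are assumptions.

# 1. Authenticate computers with machine certificates issued by the enterprise CA.
$caName = 'CN=Contoso Issuing CA, DC=contoso, DC=com'   # placeholder issuer DN
$proposal = New-NetIPsecAuthProposal -Machine -Cert -Authority $caName -AuthorityType Root
$phase1 = New-NetIPsecPhase1AuthSet -DisplayName 'Domain Isolation - Machine Cert' `
    -Proposal $proposal

# 2. Require IPsec on inbound connections but only request it outbound, so domain
#    members can still talk to unmanaged hosts (the Internet) while refusing
#    unauthenticated peers on the domain profile.
New-NetIPsecRule -DisplayName 'Domain Isolation - Require Inbound' `
    -Mode Transport -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $phase1.Name -Profile Domain

# 3. Draw the boundary around an AD group rather than the whole network:
#    only computers whose account is in the (assumed) "Isolated Computers" group,
#    identified by SID in SDDL form, are allowed through this inbound rule.
$isolatedGroupSid = 'S-1-5-21-0-0-0-1234'   # placeholder SID; use the real group SID
$sddl = "O:LSD:(A;;CC;;;$isolatedGroupSid)"
New-NetFirewallRule -DisplayName 'Allow authenticated isolated computers' `
    -Direction Inbound -Action Allow -Authentication Required `
    -RemoteMachine $sddl -Profile Domain

# 4. Visibility: enumerate the main-mode security associations currently
#    established, i.e. which peers authenticated and how.
Get-NetIPsecMainModeSA |
    Select-Object LocalEndpoint, RemoteEndpoint, FirstAuthenticationMethod
```

The `-Authentication Required` firewall rule only takes effect because the connection security rule in step 2 forces IPsec first; without step 2 the `-RemoteMachine` SDDL has no authenticated identity to evaluate. Per-host `Get-NetIPsecMainModeSA` output is local only, which is exactly the fleet-wide tracking gap Ellison conceded.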
Like Cheswick, Ellison said one of the best chances to develop the kind of “de-perimeterized security” the Jericho Forum advocates may lie with virtualization. Microsoft, though slower than rival VMware in bringing out virtualization software, said it intends to have a virtual-server product out by mid-2008.
“With what’s coming soon, we can divide machines into multiple addressable things that can join different domains,” said Ellison. “We plan to implement firewall policies for these domains.”
The Jericho Forum, which now has about 45 member corporations, mostly large European firms but with a swelling roster of U.S.-based ones such as Johnson & Johnson, has sometimes endured swipes from analysts who perceived the group’s mission of “de-perimeterization” as unrealistic.
But Paul Simmonds, chief information security officer at U.K.-based global paint and chemical manufacturer ICI,