As today’s enterprise firewalls are rubbish, what would be the right firewall solution?
Here’s how it would look:
- No deny rules;
- Sources are users and groups that are allowed access – no IP addresses, since those are not relevant;
- Destinations are applications and groups of applications (defined via XML properties of the Web service in most cases).
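As an added illustration of the three properties above (not code from the original post), here is a minimal allow-only policy component: sources are user identities and their groups, destinations are applications and application groups, there are no deny rules, and an IP address is never an input. All users, groups, applications and rules are constructed sample data.

```python
# Added example: identity-based, allow-only access policy of the kind the post
# sketches. Not the author's code; all names below are constructed sample data.
from dataclasses import dataclass, field


@dataclass
class Policy:
    # user -> groups the user belongs to (identity, never an IP address)
    user_groups: dict[str, set[str]] = field(default_factory=dict)
    # application -> application groups it belongs to
    app_groups: dict[str, set[str]] = field(default_factory=dict)
    # allow rules only: (user or user group, application or application group)
    allow: set[tuple[str, str]] = field(default_factory=set)

    def sources_for(self, user: str) -> set[str]:
        """A request from `user` matches rules naming the user or any of its groups."""
        return {user} | self.user_groups.get(user, set())

    def destinations_for(self, app: str) -> set[str]:
        """A request to `app` matches rules naming the app or any group it is in."""
        return {app} | self.app_groups.get(app, set())

    def is_allowed(self, user: str, app: str) -> bool:
        """Default deny: access is granted only if some allow rule matches.
        Unknown users and unknown applications therefore fall through to deny,
        and since there are no deny rules nothing can override a matching allow."""
        return any((s, d) in self.allow
                   for s in self.sources_for(user)
                   for d in self.destinations_for(app))


def sample_policy() -> Policy:
    """Constructed sample data: two staff users, one of them in finance."""
    p = Policy()
    p.user_groups = {"alice": {"finance", "staff"}, "bob": {"staff"}, "mallory": set()}
    p.app_groups = {"payroll": {"finance-apps", "internal"},
                    "wiki": {"internal"}, "hr-portal": {"internal"}}
    p.allow = {("finance", "finance-apps"), ("staff", "wiki"), ("bob", "hr-portal")}
    return p


if __name__ == "__main__":
    policy = sample_policy()
    for user, app in [("alice", "payroll"), ("bob", "payroll"),
                      ("bob", "hr-portal"), ("mallory", "wiki"), ("eve", "wiki")]:
        verdict = "allow" if policy.is_allowed(user, app) else "deny"
        print(f"{user} -> {app}: {verdict}")
```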
One may rightly argue that all of the above should be implemented in the applications themselves, thus avoiding the need for such a firewall. Maybe. But if all applications on the host can rely on a reusable component for granting access, that may give benefits in security management. So there’s still a niche for the brandmauer – although a completely transformed one.