Tomorrow’s firewalls

As today’s enterprise firewalls are rubbish, what would be the right firewall solution?

Here’s how it will look like:

  • No deny rules;
  • Source are users and groups that are allowed access – no IP addresses, since those are not relevant;
  • Destinations are applications and groups of applications (defined via XML properties of the Web service in most cases).

One may rightly argue that all of the above should be implemented in
the applications themselves, thus avoiding the need of such firewall.
Maybe. But is all applications on the host can rely on a reusable
component for granting access – that may give benefits in security
management. So there’s still a nich for the brandmauer – although completely transformed.

2 thoughts on “Tomorrow’s firewalls”

  1. It would be nice if we can get rid of the notion of something that is internal or external. I believe that it should be a combination of things, most importantly secure authentication of both the user and resource.
    Network filtering generally only take a few factors into account, source, destination and protocol (nothing above layer 3). Which is more or less correct since they are only operate at the lower layers of the OSI. Fine if you’re only controlling packets and nothing else.
    But once you have applications, it’s time to move up in the OSI stack.
    The so called application aware firewalls (deep packet inspection etc) these days don’t go far enough to effectively protect much more than network acl’s.
    What is needed is something that goes a beyond that of traditional firewalls / ACL’s and start looking at the higher layers not just protocol wise via data comms.

Leave a Reply

Your email address will not be published. Required fields are marked *