Input requested for second edition of "Firewalls and Internet Security"

Most of our enterprise customers have problems defining what their
perimeter actually is. Some of them do not have a perimeter any more,
in the classical physical sense; wireless applications - not just WLAN,
but also the fact that everybody here has a mobile phone and thus a
potential 64k+ connection out of the soft core - have made perimeter
a very fuzzy concept.

Thus, perimeter security - firewalls - is a necessary part of the
whole, but falls perilously short of being an overall security solution.

For network operators, I believe it easier to define what your perimeter
is. One problem is that it is so big and so difficult to control; the
other is, once you have it, what does this actually mean?
As a carrier,
- you have your own security needs / policies
- each of your customers has security needs / policies
and these do not necessarily overlap fully, so knowing your own perimeter
may not be so useful in finding a security solution.

Some carriers I know have started completely "virtualizing" their networks
(using MPLS or whatever) to offer each customer their own security domain.
For customer, read large customers, or a set of customers with a similar
set of security requirements, e.g. dialup users. Then you would need
a perimeter control device (firewall) only where security domains

This could be one way to go, though it (I believe) does not scale well.

Another way could be to fall back to host security completely, and
when in doubt treat any network as hostile. I see some aggressively
growing companies doing this, because with a flurry of
international investments and disinvestments, they have long last
lost any sense of what is internal and external. This is obviously
time-consuming in systems administration, and could possibly lead to a
recurrence of phenomena like the Internet worm in the old times (i.e.
one single vulnerability opens up 10e6 victims immediately, something
firewalls were supposed to cure back then).

So, personally I am just as confused as 10 years ago, just on a much higher
level :slight_smile:
Just my 2 (euro)cents,