RiskBloggers.com

Firewall 2.0

What’s Wrong with Firewalls?

By Jim Reavis

I am just posting some quick thoughts on our first two Firewall 2.0 Focus Groups; I will have more to say later:

  • Everyone agrees that the firewall as currently constituted is providing minimal value. Everyone has built a ton of “helpers” around it that are doing most of the security work.
  • By and large, there is no visibility into what is leaving the network tunnelled in Port 80. We need reporting that explains what applications are really being used, and by whom.
  • Once an internal PC is “owned”, that outbound Port 80 traffic may be the channel for an “outside-in” attack, so it isn’t just DLP we are worried about.
  • We need to move from Port/IP Address rules to True Application/User (authenticated/identified/located) rules. Eons ago Ports were supposed to represent applications, but that train left the station a long time ago.
  • Virtualization. We are building the new mainframe, and applications will be communicating through the virtual backplane, so whatever firewall enhancements we make need to secure the backplane, because we can’t force communications out of the virtual mainframe to be managed by network security devices.
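One concrete form of the per-application, per-user reporting asked for above, as an added example that is not from the post: a small Python script that reads constructed proxy-style log lines, attributes port-80 traffic to an application by destination host or User-Agent, and sets aside whatever it cannot attribute (unknown application, unauthenticated user, or a CONNECT tunnel). The log format and the application signatures are assumptions.

```python
import re
from collections import defaultdict

# Constructed proxy-style log lines (not from the post): client IP,
# authenticated user ("-" if none), dest host:port, method, User-Agent, bytes.
LOG_LINES = [
    '10.1.2.3 jsmith www.salesforce.com:80 POST "Mozilla/5.0" 1820',
    '10.1.2.3 jsmith api.dropbox.com:80 POST "Mozilla/5.0" 5242880',
    '10.1.2.9 acct-bob 203.0.113.45:80 CONNECT "Skype/4.2" 98304',
    '10.1.2.9 acct-bob www.example-bank.com:80 GET "Mozilla/5.0" 4096',
    '10.1.2.7 - 198.51.100.8:80 POST "curl/7.54.0" 262144',
]

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+):(\d+) (\S+) "([^"]*)" (\d+)$')

# Hypothetical application signatures: destination host suffix or UA prefix.
APP_BY_HOST = {"salesforce.com": "Salesforce", "dropbox.com": "Dropbox"}
APP_BY_AGENT = {"Skype/": "Skype", "curl/": "curl"}

def classify(host, agent):
    """Map a destination host / User-Agent pair to an application name."""
    for suffix, app in APP_BY_HOST.items():
        if host == suffix or host.endswith("." + suffix):
            return app
    for prefix, app in APP_BY_AGENT.items():
        if agent.startswith(prefix):
            return app
    return "unknown"

def app_report(lines):
    """Return ({(user, app): bytes}, [records needing analyst review])
    for port-80 traffic only; lines that do not parse are skipped."""
    totals = defaultdict(int)
    review = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, user, host, port, method, agent, nbytes = m.groups()
        if port != "80":
            continue
        app = classify(host, agent)
        totals[(user, app)] += int(nbytes)
        # Flag what the rule set cannot attribute: unknown app, no user, or
        # a CONNECT tunnel on port 80 (not plain HTTP).
        if app == "unknown" or user == "-" or method == "CONNECT":
            review.append((ip, user, host, method, agent))
    return dict(totals), review

if __name__ == "__main__":
    totals, review = app_report(LOG_LINES)
    for (user, app), n in sorted(totals.items()):
        print(f"{user:10} {app:12} {n:>10} bytes")
    print(f"{len(review)} records need review")
```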

There are several other recommendations I will document later. A few well-meaning people have posted that this focus group idea isn’t worthwhile and that we need to focus on OWASP and securing applications. Guys, I get the importance of that; I did a ton of work for SPI Dynamics for 5 years. However, it isn’t an either/or proposition. Securing apps is crucial, but what about the SSL session from accounting to Bulgaria? Don’t we at least want to try to understand how badly we are owned? It is about layered defenses, and I think giving our network ingress/egress points 20/20 vision is worth at least attempting. No, it’s not just a network problem, but it is a big part of the problem.


Firewall 2.0 Focus Group - Initial Dates and Locations

(Note: we have our first two event dates and locations:

March 25th: Chicago

April 1st: Seattle)

By Jim Reavis

This is an open letter to the best and the brightest network security architects to help me on a project to design the ultimate next generation firewall: a Firewall 2.0 to deal with Web 2.0. I am organizing half-day collaboration sessions in several cities and will also organize an online forum once we have completed our initial face-to-face meetings.

The problems we are trying to address are familiar. Firewalls today tend to be blind to the bulk of threats tunneled inside of port 80. Enterprise data leakage is ignored for the most part. Network security architects are required to deploy a variety of security point solutions that do not communicate and integrate well with each other. If the payload is encrypted, forget about it. Meanwhile, technical innovations are bringing new devices and applications into enterprises at a breakneck speed (iPhone anyone?), without regard for security vetting. The problem is getting worse, and we need some out-of-the-box thinking to find the solutions.

Our goal is to get some of the best minds together to collaborate for a few hours and talk about the key issues that the next generation firewall must address. We hope to brainstorm a few innovative ideas and create a permanent “birds of a feather” group that can discuss these issues on a regular basis, in person and online.

The events are by invitation only. If you live and breathe network security, please drop me a line.