This is cache of http://1raindrop.typepad.com/1_raindrop/2008/07/the-network-firewall-is-a-consensual-hallucination.html. Cache is the snapshot of article that we took when we index feed.
To see original page click here.
We are not affiliated with the authors of this article and not responsible for its content.
The Network Firewall is a Consensual Hallucination
2008-07-18 11:04:34 by Gunnar Peterson in 1 Raindrop
 

James McGovern asks why we don't see enterprisey folks focusing on SOA *and* security? Well there are a lot of reasons here, but lets look at some facts. Most enterprisey folks look at security in binary terms - inside the firewall or outside the firewall. When a transaction is "inside the firewall" they can do silly things like load all their transaction on to something like MQ Series with no authentication, send it to the mainframe which runs their entire book of business, and in essence run their transactional backbone on anonymous ftp. Because its "inside the firewall"


Problem is - its just a Visio drawing, its not reality, its historical baggage. We were trained to think about things in these terms in the 90s

Goodstuffbadstuff

But the business and software worlds have changed a bit from the early 90s, even if security tooling hasn't


Innovatecompare_2

If you sent an alien from outer space to observe what an enterprise looks like today, and asked that alien to file an objective report as to the actual connections and message exchanges it wouldn't look like the idyllic, clear separation of good stuff from bad stuff, it would look like this


Thenetwork


There is no firewall in any meaningful sense, there are links, federations, communities of interest, business units, integration points, outsourcing arrangements, business processes. In short, there is information and commerce in all its messy vitality. 

Inside the firewall and outside the firewall is not a security architecture, its historical cruft a Victorian, industrial age artifact that snuck into your Visio, not something that protects your businesses' applications and data.

If you want to let the world access your maifnrame, SAP, Siebel, or whatever so they can buy things from you, that is probably a really good idea. But don't assume that RACF or what have you came down on stone tablets from Moses. Just because your transaction is "inside the firewall" doesnt mean that your security model can only focus on resources and objects in isolation. It has to focus on how your business just broke everything apart and then re-connected everything. The subjects are different, the sessions are different, and the transactions are different. Just because the objects and resources are the same and are "inside the firewall" means little when all the context and all the relationships are different.

The world is not firewalled, its federated. Just because its convenient for enterprisey folks to buy into the same hallucination doesn't make it reality.

Next week, I am speaking at Ping's SSO Summit on Web Services SSO basically everything that happens after you press "SUBMIT" on a website. Your data has a journey as dangerous as Frodo Baggins' travels through Mordor. The talk traces the path from the website through the perils that lurk in the enterprise and legacy systems, we will look at ways to get Frodo and Sam home safely and we won't rely on Visio firewalls where Mithril is required.

Ghostseparationwall

(Note - Thanks for reminding me of the analogy Jim)
 
Tags: firewall, business, security, security model, business units, inside, enterprisey folks, security architecture, business processes
 
 
 
 
 
TOP SEARCH
Expand / MinimizeClose Widget
  •  
RECENT SEARCH
Expand / Minimize
  •  
RELATED VIDEO
Expand / Minimize
SecurityRatty FAQ
Sergey Zarubin, 31yo
CISSP, CCSP
Moscow, Russia