Times are changing for the bulwark of digital security.
Perimeter security is dead, right? Not so long ago Brian Dye, senior VP of information security at Symantec, announced antivirus had cease to be and, since his remarks, many others have piled in to denounce the firewall in similar terms.
Speaking in May Eddie Schwartz, then of Verizon, summed up the pessimism of digital security: "We’ve created what looks like the semblance of security and the bad guys pretty much drive around the perimeter and do whatever they want."
Those of a mind with him are falling back behind internal defences, with segmenting, restricted access and analytics taking up the strain. So where does this leave the humble firewall?
The growing tendrils of the corporate firewall
Ashish Patel, McAfee’s regional director of network security for the UK and Ireland, believes the firewall can still deal with pretty much all the basic attacks by so-called "script kiddies" copying code from the internet, equating to 80% of threats. "If you leave it in the corner doing its job it will do it well."
But what of the other 20%? Patel reckons "the majority" of the "low and slow attacks" are blocked by the firewall too. "I don’t think any organisation should be guaranteeing 100% protection, but what you can guarantee is to be able to work hard towards that figure."
The trouble for optimists like Patel is that security is about to have a crisis, if it is not arguably in the middle of one already. The internet of things (IoT) is threatening to connect every device in a person’s house, while businesses are increasingly beset by the trend of bring your own device (BYOD) – adding up to a headache for computer managers.
Patel believes we are about to enter a new era of the firewall. "Firewalls that are future proof have to be adaptable. It’s very much about the firewall changing and adapting to the situation." He wants other software to send information back to the corporate hub, leaving the firewall at the centre of security.
Security is like onions – it has layers
Other are not so sure that the destiny of the firewall is at the centre. Neil Thacker, information security and strategy officer EMEA at Websense, believes in a two tiered approach.
Tier one will include things such as firewalls and intrusion prevention systems (IPSs), pitched as a basic security layer. Stacking on top of that is analytics, which allows companies to study the attack strategies of more advanced hackers, and take action to prevent and recover from the attacks in the future. Who better to learn security from then criminals?
Thacker added that the industry has seen a move away from the traditional service disruption of mischief makers, such as hacktivists, who caused many of the more infamous exploits of the earlier years. "They know to actually damage a company they need to go and steal some data and put it up on github."
Intellectual property theft has been a key complaint against Chinese hackers working for the state, with pressure mounting for the US government to take action against it. Much of the value of Western companies is in what they know rather than what they have made, and security must now reflect this.
If it cannot protect all the data security is determined to protect the most valuable parts. Labelling the most valuable information and restricting access is one part of that, though Thacker doubts whether it is enough. "It’s not really a control because people can change their labels," he said, adding that it works better as a means of identifying owners.
An uncertain future with certain profits
Whether firewalls are effective or not, they still seem to be selling. Gartner analyst Greg Young said firewalls accounted for the biggest segment of the digital security market at a value of $8.7bn, a figure expected to rise to $9.7bn by the end of the year.
Despite the alleged death of perimeter security, nobody is suggesting the technology is redundant, merely that it may have reached its potential."You can’t just rely on a firewall, you need to look across a number of layers," said Martin Borrett, director of the IBM institute for advanced security in Europe.
In the end firewalls do not prevent all viruses any more than toothpaste prevents all gum disease. But few dentists would tell you to go to bed without brushing.