Why network firewalls and mainframes are still security favorites
July 3, 2012 | ITNews.com
Network firewalls and mainframes are old technology, but despite calls over the years to do away with one or the other, they remain in widespread use. As to why, just ask IT professionals who manage large networks.
"We have three times the amount of firewalls than seven or eight years ago," says Andrew McCullough, lead infrastructure security architect in the information security and compliance department at Motel 6.
Firewalls used to be assigned mainly to the perimeter of the network, but over time Motel 6 has been building up defenses internally to protect against attacks on Web applications and databases, plus conforming to Payment Card Industry rules to protect cardholder data. That has meant more firewalls that can handle higher bandwidth, and Motel 6 uses the Crossbeam X-Series platform, which can also support intrusion-prevention systems and antivirus filtering.
About eight years ago, advocacy group Jericho Forum gained considerable attention as IT professionals at enterprises and government who were associated with it raised strong criticisms about the network firewall as a barrier to e-commerce around the globe. Some advocated phasing out network firewalls altogether while pushing vendors to come up with alternatives, especially cloud-based security.
McCullough says network firewalls have at times been an impediment to e-commerce. Back in 2006, as online booking of hotel rooms had become a very important means to keep customers coming to the hotel chain, Motel 6 faced "significant issues" because even new firewalls the company had put in were interfering with the smooth flow of booking rooms through the central reservation system in the volumes that were seen online.
"There were very high session counts," says McCullough, declining to name the firewall in use back then. The problem wasn't so much a bandwidth issue as unexpected difficulties with "lots of small packets" associated with reservations and availability requests, plus updated rates, he says.
The situation was hitting a wall in terms of response times for users. Motel 6 management was growing increasingly concerned as it became clear that customers not only got a bad impression from the slow online reservation system, but got fed up and were moving to other hotels. That prompted the Motel 6 IT department to make a review and test of firewalls to replace even the news ones they had, coming up with the Crossbeam X-Series that have grown from supporting 8Gbps throughput to 10 times that and more at present, says McCullough.
"Firewalls have become more central to our infrastructure" than they were just eight years ago, he notes. In one Crossbeam chassis, it's now possible to run 6 independent firewalls, cordoning off internal networks. This configuration also helps cut down on "tap sprawl" related to network ports, reduce risk and not create additional latency, says McCullough. But he acknowledges the multi-application Crossbeam platform, which requires support from three members of the security team, does take time to learn and troubleshoot.
Security through the mainframe
Another older technology, the mainframe, which industry pundits in the 1990s said would be "dead" in five years, is not only still very much alive, but a foundation element in security at many places. Just ask Bridget Dancy, chief information officer at the Cook County Circuit Court in Illinois.
"We do all data entry into the mainframe," says Dancy, discussing how almost 2,000 employees in the circuit court system in Illinois rely on thin-client technology provided by HP that makes use of a Citrix farm to host XP-embedded applications related to the court's electronic filing system. This has resulted in a useful "lockdown" that not only prevents users from getting to the Internet, but also from opening harmful files that could be viruses, says Dancy. All data is entered into electronic records stored centrally in the IBM mainframe, and it can be accessed by authorized staffers at the various court locations.
This mainframe/thin client setup has meant the county court system has managed to avoid virus outbreaks known to hit other parts of Illinois government over the years, she adds. The mainframe/thin client arrangement has worked so well for the needs of the court system over the years, the same type of configuration has put in place as terminals for the public visitors for information and document review purposes only.
Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security.
View more news... |