By Joel Snyder
Network World, August 15, 2005
Hiding behind a catchy buzzword ("de-perimeterization") and a heap of undebatable aphorisms, the Jericho Forum proposes to be the thought leader on network security in the 21st century. At best, Jericho will help to raise awareness of the usefulness of a defense-in-depth network security strategy. More likely, the forum will end up on the scrap heap of unrealized ideas and wasted effort.
The core of Jericho's thinking is old and obvious enough that security professionals will resonate with the harmonic goodness of the message: Your network should have defense in depth, and that means more than buying a lot of firewalls. Running around to lead that parade-in-progress gives the group credibility and a great base.
Unfortunately, the concept of radical new thinking just doesn't work in information security, something that Jericho's own vision acknowledges - yet ignores, with a Bullwinkle-esque "this time for sure" kind of certitude. If we have learned anything over the past 15 years, it is that large and architecturally elegant ideas die an ugly, lingering and expensive death (consider public-key infrastructure [PKI] identities, X.400 e-mail and ATM to the desktop).
What works is step-wise refinement, the method of successive approximation and the brutal invisible hand of the marketplace. Hence, the Internet, a pastiche of concepts and technologies, each prototyped in a small environment, tested in the real world, and refined to success or abandoned before too many people got hurt.
Look at remote and mobile access, one of the forum's main targets. The problems with IPSec remote access are partially the result of developer tunnel vision, but they are equally the result of a changing environment. It was impossible to get IPSec right the first time, because the world changed. Inexpensive, fast and incredibly insecure Windows laptops, the demise of dial-up and rise of broadband, the need for passwords and the failure of PKI - all happened after IPSec left the gate. Instead, it solved the problems of its day, while opening the market for SSL VPN and IPSec Version 2 to serve the future.
We now have a healthy, if chaotic, environment with multiple solutions, each measured, evaluated and refined in the real world of implementation. Rapid prototyping wins, because the world is too complex for premeditated design.
The Jericho Forum's answer is to step back and resolve the problems of remote access with a new and creative architecture that will somehow avoid the errors of existing solutions while magically solving today's requirements. This is even more naive than the absurd idea of removing firewalls from network perimeters. Just as today's hot topics (such as endpoint security) hadn't catalyzed when IPSec was developed, the future's new issues are equally opaque to us today. Assuming that a fresh look at the past will help to predict the future serves only to distract us from solving today's problems today.