Firewalls

"Firewall"... the name itself conjures up vivid images of strength and safety. What executive wouldn't want to erect a flaming bastion of steel around the corporate network to protect it from unseemly elements lurking on the public Internet? Unfortunately, this imagery no longer matches reality. In recent years, companies across all industry segments have been gradually tearing down the walls that once isolated their private networks from the outside world. Internet-based technologies have allowed significantly tighter links with customers, remote employees, suppliers, and business partners at a fraction of the cost. In many industries, it is no longer possible to remain competitive without extending the virtual corporation far beyond its previous boundaries. With so many users rapidly approaching the enterprise from different points of entry, it is no longer possible for yesterday's security technology to adequately protect private networks from unauthorized access. The vast majority of firewalls in use today serve only as a passive enforcement point, simply standing guard at the main door. They are incapable of observing suspicious activity and modifying their protection as a result. They are powerless to prevent attacks from those already inside the network and unable to communicate information directly to other components of the corporate security system without manual intervention. Recent statistics clearly indicate the danger of relying on passive security systems in today's increasingly interconnected world. According to the FBI, corporations reporting security incidents last year lost an average of $570,000 as a direct result, a 36 percent increase from the year before (1998 Computer Crime and Security Survey FBI/Computer Security Institute). And since the vast majority of security breaches are never reported, actual losses may be even higher.

In perhaps the most frightening statistic of all, it is estimated that as many as 95 percent of all computer security breaches today go completely undetected by the companies who are victimized. In a well-publicized security audit conducted recently at the Department of Defense, security consultants were asked to attack the DOD network and report back on their findings. Over a period of several months, auditors reported that fewer than 4 percent of all systems broken into were able to detect the attack. Even more disturbing, fewer than1 percent responded in any way to the attack (Report on Information Security, GAO).