The US Defense Information Systems Agency (DISA) is planning a complete overhaul of its network architecture that could spell the end for conventional firewalls, the organisation's director has said in comments to armed forces media.
US Airforce Lt General Ronnie Hawkins Jr. was quoted as saying that that the US military's IT service wanted to move from a mesh of firewalls towards a design based on protecting data instead of packets.
He didn't expand on how this would eliminate firewalls but hinted at the complexity of having to manage large numbers of firewalls sited on different network segments used by the service.
“In the past, we’ve all been about protecting our networks - firewall here, firewall there, firewall within a service, firewall within an organisation, firewalls within DISA,” he said.
“We’ve got to remove those and go to protecting the data. You can move that data in a way that it doesn’t matter if you’re on a classified or unclassified network, depending on someone’s credentials and their need to know.”
This sounds like a version of the 'de-perimeterisation' debate that passed into mainstream best practice some time ago, although that form of data-centric design would only reduce firewalls rather than remove them entirely.
His remarks are still significant because they set the agenda for all US military IT thinking.
“We want to be able to normalise our networks to where you can have the collaboration and information moving over our networks and you don’t have to have the different firewalls, the separate networks, to get those things done,” he said.
“Additionally, the department can realise significant savings in instrumentation - for example, by moving from 'hard phones' to 'soft phones,' he said, presumably a reference to VoIP telephony.
DISA was still at an early stage in deciding how to use cloud technology, he added, and had yet to plump for one owned by the Defense Department, or to adopt a private or public cloud inside a data centre.
“DISA gets it, they really get it,” wrote Barry Shteiman, a senior security strategist for security firm Imperva in a blog post on the comments.
“Yes, firewalls are important. They help solve network security problems by creating barriers that prevent unwanted network access. But they do not control data access,” he said.
“That’s why I find DISA’s new approach so fascinating. It’s based on the realisation that the threats have changed. Hackers want data like IPs, PINs, credentials, proprietary information, and more. And it’s very easy for them to steal data due to poor security controls or outright mismanagement.”
Shteiman said he believed that DISA would most likely move to role-based data access, and content control, auditing and monitoring.
“Personally I hope that the DISA’s decision becomes a guidepost for other organisations to follow.”