Tear Down This (Fire)wall!

My company sells software that allows users to log in to non-Windows computers using their Windows (Active Directory) credentials. We enable users to have a single username and password that works across all Windows, UNIX, Linux and Mac OS X systems.

While there are several “vertical” markets in our space (retail, financial, government), one particularly interesting one is the educational market. Schools, universities in particular, frequently run many different operating systems and frequently need to provision (add) and deprovision (remove) user accounts as students enroll and graduate (or fail to graduate!).

Microsoft Active Directory performs authentication using the Kerberos protocol. This security protocol was developed by MIT and features various clever cryptographic techniques that make it valuable for user authentication. For various reasons, however, Kerberos is used exclusively within corporate networks; it is not used to authenticate users on the public Internet. Users log in to their desktop or laptop computers and are authenticated by an Active Directory (AD) server within the corporate network. When users access resources within the corporate network, their AD credentials are re-used (what is termed single sign-on) and they are not prompted for any new credentials. When those users try to access resources (for example, secure web pages) on the public Internet, however, other security protocols are used (for example, basic authentication over SSL) and the users typically have to type in new credentials.
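The practical difference between the two mechanisms in the paragraph above is what each service gets to see. With basic authentication the service receives the password itself on every request; with a Kerberos-style exchange the client proves knowledge of the password to the KDC and then presents a ticket that the service can verify without ever seeing the password. The following is an added example, not code from the original post or from the author's product, that models both flows in miniature. It uses a toy HMAC-based sealing primitive in place of Kerberos's real encryption types, a single service instead of the TGT/TGS split, constructed principal names (`alice`, `http/wiki`) and a constructed password; none of those are from the post.

```python
import base64, hashlib, hmac, json, os, struct, time

# --- Toy authenticated encryption (constructed for this example; real Kerberos uses AES etypes) ---
def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:                       # HMAC as a PRF in counter mode
        out += hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    ek, mk = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(ek, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mk, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    ek, mk = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mk, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad tag: wrong key or tampered message")
    return bytes(a ^ b for a, b in zip(ct, _keystream(ek, nonce, len(ct))))

def derive_key(password: str, salt: bytes) -> bytes:
    # Kerberos' string-to-key step: the long-term user key comes from the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

# --- Kerberos-style flow: KDC, client, service (simplified to one service, no TGS) ---
class KDC:
    def __init__(self):
        self.salt = b"constructed-salt"
        self.principals = {
            "alice": derive_key("correct horse", self.salt),  # user key (derived from password)
            "http/wiki": os.urandom(32),                      # service key, shared only with that service
        }

    def as_exchange(self, user: str, service: str):
        """Return (ticket sealed for the service, session key sealed for the user)."""
        sk = os.urandom(32)
        ticket = seal(self.principals[service],
                      json.dumps({"user": user, "sk": sk.hex(), "exp": time.time() + 300}).encode())
        to_user = seal(self.principals[user], json.dumps({"sk": sk.hex(), "service": service}).encode())
        return ticket, to_user

def client_kerberos_login(kdc: KDC, user: str, password: str, service: str) -> dict:
    ticket, to_user = kdc.as_exchange(user, service)
    user_key = derive_key(password, kdc.salt)              # derived locally; the password itself never leaves the client
    sk = bytes.fromhex(json.loads(unseal(user_key, to_user))["sk"])  # wrong password -> bad tag -> ValueError
    authenticator = seal(sk, json.dumps({"user": user, "ts": time.time()}).encode())
    return {"ticket": ticket, "authenticator": authenticator}   # what actually crosses the wire to the service

def service_verify(service_key: bytes, request: dict) -> str:
    """The service checks the ticket with its own key and the authenticator with the session key."""
    t = json.loads(unseal(service_key, request["ticket"]))
    if t["exp"] < time.time():
        raise ValueError("ticket expired")
    a = json.loads(unseal(bytes.fromhex(t["sk"]), request["authenticator"]))
    if a["user"] != t["user"] or abs(a["ts"] - time.time()) > 300:
        raise ValueError("authenticator does not match ticket")
    return t["user"]

# --- Basic authentication over SSL: the password itself is the credential on every request ---
def basic_auth_header(user: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def service_basic_auth(header: str, password_db: dict):
    user, _, pw = base64.b64decode(header.split(" ", 1)[1]).decode().partition(":")
    ok = hmac.compare_digest(pw, password_db.get(user, ""))
    return (user if ok else None), pw                       # pw returned to show the service saw the plaintext password

def demo():
    kdc = KDC()
    req = client_kerberos_login(kdc, "alice", "correct horse", "http/wiki")
    who = service_verify(kdc.principals["http/wiki"], req)
    password_on_wire = b"correct horse" in (req["ticket"] + req["authenticator"])
    who_basic, seen = service_basic_auth(basic_auth_header("alice", "correct horse"), {"alice": "correct horse"})
    return who, password_on_wire, who_basic, seen

if __name__ == "__main__":
    print(demo())   # ('alice', False, 'alice', 'correct horse')
```

Run as a script it prints who each service authenticated, whether the password appeared in the Kerberos-style traffic (it does not), and the password the basic-auth service received. The same property is what makes the inside/outside split in the post awkward: a ticket is only useful to a service that shares a key with the KDC, which is exactly the set of services behind the firewall.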

This concept of authentication inside and outside the firewall, I believe, may soon be a thing of the past and some educational customers demonstrate why.

Although many universities still employ a firewall-based architecture, others have resigned themselves to a porous network and treat all computers as, essentially, being on the public Internet. From the IP addressing perspective, their computers typically are within a protected network. Few large organizations have enough publicly assigned IPv4 address space to put all machines directly on the Internet; they use private networks, NAT (network address translation) and routers/firewalls to allow external access. From the practical perspective, however, some universities are assuming that their internal networks might be completely compromised.

Our product is of limited use to these schools. They still have private networks for things like accounting and student record keeping but these private networks are further isolated from their general university-wide networks. They might be in subnetworks within the general networks or they may be completely disconnected from any network that their students can access. They might choose to use our product within those private subnetworks but not to perform authentication throughout their general university-wide networks.

I think we will see similar moves in corporate networks. At some point, organizations will concede that it is impossible to protect their entire internal networks. Rather than putting up a wall around their entire organizations, some companies will choose to protect critical applications (payroll, human resources, etc.) but will assume that all users in their general corporate networks are potentially hostile. This will actually make it easier to implement wide area networks as there won’t be much need for VPNs. A user in the corporate network will not be considered to be any more trustworthy than a user in the public Internet. Users in remote offices might as well come in directly through the public network instead of setting up a virtual private network. Either way, some more secure mechanism will have to be used when a user tries to access a protected resource.

I’m still not sure what this mechanism will be. It might be some type of identity federation (based on Active Directory or not) but I’m concerned about slow adoption rates and the complexity of setting up federation between organizations. Perhaps Network Access Control and/or dual-factor authentication will play important roles, too.

One thing I am sure of is that, like funeral parlors and waste management, the security business will never go away.
