Tuesday, 22 February 2005

The Jericho Forum

You may have read of The Jericho Forum in the latest SC Magazine. The Jericho Forum describes itself as "an international forum of IT customer and vendor organisations dedicated to the development of open standards to enable secure, boundaryless information flows across organisations." I read stories on them as early as March 2004, two months after they formed. The group appears to be built from representatives of European companies.

They are attracting attention for their "de-perimeterisation" and "open network" ideas, which their "Visioning White Paper" defines as follows:

"de-perimeterisation: the act of applying organisational and technical design changes to enable collaboration and commerce beyond the constraints of existing perimeters, through cross-organisational processes, services, security standards and assurance"

"open network: a network freely accessible at low or no cost to arbitrary communicating parties, such as but not limited to the public global Internet, with few or no inbuilt information security controls protecting the use of that network (although the network infrastructure itself will typically have some protection in order to support the provision of a service of useful quality)"

If you'd like to read more wordy explanations, I recommend diving into the 39-page "Visioning White Paper." It offers some of the most painful English I've seen. I think it could have been reduced to 1/4 of its present size.

Sorting through the text, we see The Jericho Forum intends to push de-perimeterisation as a means to achieve open networks. They cite "increasing on-line collaboration and trading among multiple business entities," "outsourcing and offshoring of support services," and "use of low cost open networks" as reasons to pursue de-perimeterisation. They believe "existing security approaches are a barrier to change because they assume... an organisation owns, controls, and is accountable for the ITC [information and communications technology] it employs... and all individuals sit within organisations." I do not disagree with either point.

As for the group's focus, we read "Jericho Forum will therefore primarily focus on information flows that span organisations and individuals and how to secure and manage these across open networks. The focus will be on business to business (B2B) and business to government (B2G) flows, but not exclusively."

The Jericho Forum cites the following as evidence of the need for de-perimeterisation. "For complex networks, protocols, and application access requirements involving customers, business partners or suppliers, firewall complexity and cost of operation will rise... Many communication protocols now run within the web (HTTP) protocol to allow 'tunneling'; indeed arbitrary tunnelling is possible rendering 'layered' communications architectures meaningless... De-perimeterisation involves re-appraising where security controls are positioned, re-balancing cost and complexity. This may involve moving security controls from firewalls or proxies to internal end systems or applications, or if the confidentiality or integrity of data is paramount, to move controls from the systems and data repositories that hold data at rest to the data itself (i.e. using cryptographic techniques)."

Leaving clunky language aside, let's consider their argument. Although I do not see this mentioned in the group's paper, I would agree that individual hosts should be able to defend themselves. This has historically been a problem for operating systems not designed to survive the public Internet. I endorse making individual hosts and their applications more independent and reliable.

However, no organization that has spent hundreds of thousands of dollars on firewalls and other perimeter security devices is going to abandon them. Despite the starry-eyed cries of IPv6 developers who long for the days of unfettered end-to-end connectivity, most hosts on the Internet will continue to be separated by a wide variety of "middleboxes."

Anywhere that organizational access controls can be deployed, they should be deployed. When security rests entirely with the end host, the compromise of that end host means complete loss of control for the responsible enterprise. If a "de-perimeterised" company suffers a worm outbreak, and it has abandoned its perimeter access controls and segmented subnets, what will stop the worm from spreading? If that same organization is subjected to a denial of service attack, how will victim hosts on a "de-perimeterised" network defend themselves?

A principle of security that will not disappear is defense-in-depth. Hosts should be made self-reliant and survivable, and should function within perimeters, however porous various technologies may seem to make them.

Other stories on the Jericho Forum can be found here, here, here, and here. Those needing a Biblical refresher to appreciate the significance of the name "Jericho" might find this link useful.
