Why network firewalls and mainframes are still security favorites

Network firewalls and mainframes are old technology, but despite calls over the years to do away with one or the other, they remain in widespread use. As to why, just ask IT professionals who manage large networks.

"We have three times the amount of firewalls than seven or eight years ago," says Andrew McCullough, lead infrastructure security architect in the information security and compliance department at Motel 6.

Firewalls used to be assigned mainly to the perimeter of the network, but over time Motel 6 has been building up defenses internally to protect against attacks on Web applications and databases, plus conforming to Payment Card Industry rules to protect cardholder data. That has meant more firewalls that can handle higher bandwidth, and Motel 6 uses the Crossbeam X-Series platform, which can also support intrusion-prevention systems and antivirus filtering.

About eight years ago, advocacy group Jericho Forum gained considerable attention as IT professionals at enterprises and government who were associated with it raised strong criticisms about the network firewall as a barrier to e-commerce around the globe. Some advocated phasing out network firewalls altogether while pushing vendors to come up with alternatives, especially cloud-based security.

McCullough says network firewalls have at times been an impediment to e-commerce. Back in 2006, as online booking of hotel rooms had become a very important means to keep customers coming to the hotel chain, Motel 6 faced "significant issues" because even new firewalls the company had put in were interfering with the smooth flow of booking rooms through the central reservation system in the volumes that were seen online.

"There were very high session counts," says McCullough, declining to name the firewall in use back then. The problem wasn't so much a bandwidth issue as unexpected difficulties with "lots of small packets" associated with reservations and availability requests, plus updated rates, he says.

The situation was hitting a wall in terms of response times for users. Motel 6 management grew increasingly concerned as it became clear that customers not only got a bad impression from the slow online reservation system, but were getting fed up and moving to other hotels. That prompted the Motel 6 IT department to review and test firewalls to replace even the new ones it had, settling on the Crossbeam X-Series, which has grown from supporting 8Gbps throughput to 10 times that and more at present, says McCullough.

"Firewalls have become more central to our infrastructure" than they were just eight years ago, he notes. In one Crossbeam chassis, it's now possible to run 6 independent firewalls, cordoning off internal networks. This configuration also helps cut down on "tap sprawl" related to network ports, reduce risk and not create additional latency, says McCullough. But he acknowledges the multi-application Crossbeam platform, which requires support from three members of the security team, does take time to learn and troubleshoot.

Security through the mainframe

Another older technology, the mainframe, which industry pundits in the 1990s said would be "dead" in five years, is not only still very much alive, but a foundation element in security at many places. Just ask Bridget Dancy, chief information officer at the Cook County Circuit Court in Illinois.

"We do all data entry into the mainframe," says Dancy, discussing how almost 2,000 employees in the circuit court system in Illinois rely on thin-client technology provided by HP that makes use of a Citrix farm to host XP-embedded applications related to the court's electronic filing system. This has resulted in a useful "lockdown" that not only prevents users from getting to the Internet, but also from opening harmful files that could be viruses, says Dancy. All data is entered into electronic records stored centrally in the IBM mainframe, and it can be accessed by authorized staffers at the various court locations.

This mainframe/thin client setup has meant the county court system has managed to avoid virus outbreaks known to hit other parts of Illinois government over the years, she adds. The arrangement has worked so well for the needs of the court system over the years that the same type of configuration has been put in place as terminals for public visitors, for information and document review purposes only.

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security.
