The other day I was staying in Roslin Castle, south of Edinburgh. Very nice location, above a bend of the river Esk, down the hill from Rosslyn Chapel. And in the old days, defensible: shoot your arrows from across the river or up the bank, we don’t care! Or try climbing the cliff and walls while we’re dropping rocks on you!

And then gunpowder came. Much of the castle is missing, due to Henry VIII of England’s troops in 1544. Nearby heights that were formerly only good for viewing the castle suddenly became ideal launching points for cannon balls, which, unlike arrows, could knock down castle walls. There are a few towers and part of the curtain wall left, as well as three quite dank dungeons, but most of the superstructure is gone. The livable part was built in 1622; very recent by Scottish standards.

What has this got to do with the Internet?

A second threat is a softening, if not disappearing, of the network perimeter. For a long time, we were able to get some semblance of securing the enterprise by establishing firewalls and [demilitarized zones] and maintaining the somewhat guarded perimeter. Now with BlackBerries, PDAs, wireless, executives traveling and using the Internet in hotel rooms, and people with VPN access from home systems, the perimeter is an illusion. But security policies and technologies have not kept up with that change. A big vulnerability in many environments is that you still have policies and people viewing the enterprise as protected with a firewall, and that’s simply not the case.

Security expert recommends ‘Net diversity By Carolyn Duffy Marsan, Network World, 05/30/06

This is from an interview with Eugene Spafford. Internet curtain walls, also known as firewalls and perimeters, are also obsolete. Not completely, of course; they can still keep idle tourists out, but they want stop a determined enemy.

There’s much more; the whole interview is well worth reading. Continue reading →