Monday, January 14, 2008

Firewalls 1996 to 2008

January is aptly named after the two-faced god of gates and doors. It's a good month for looking both forwards and backwards. For example, if you look back 12 years in network security you might notice FireWallCon '96, an event orchestrated by the National Computer Security Association (NCSA later became ICSA Labs, was bought by Cybertrust, and is now part of Verizon, so ncsa.com no longer exists; but here is the conference listing in Risks Digest).

It is fairly safe to say that this was the first full-scale, commercial conference dedicated to firewalls and Internet security. Heck, it even had t-shirts, darned good ones at that; after 12 years I'm still wearing mine, shown at left.

And it is amazing to think it was that long ago. These days a sizable percentage of the population has at least an inkling of what the term firewall means in a computer context (as opposed to a building code context). Blockbuster movies and popular TV dramas use the phrase "getting through the firewall" in the expectation that most of the audience will know what it means.

Yet 12 years ago it was not unusual for IT professionals from big companies to be asking "What is a firewall?" and "Do we need one?" The buzz about firewalls built very rapidly from 1995 through 1996 and sales were brisk. I met several people at FireWallCon '96 who had bought a firewall for their company but weren't yet sure where they should put it.

Some organizations took a long time to figure that one out. I recall my colleagues and I putting on a firewall seminar for a very secret government agency three years later, during which it became clear that many of their IT people thought a router with access control lists was the same thing as a firewall. This was somewhat worrying, and puzzling when you consider the fact that one of the best early documents on firewalls was written by two gifted federal employees, John Wack and Lisa Carnahan (NIST Special Publication 800-10: Keeping Your Site Comfortably Secure: An Introduction to Internet Firewalls, December 1994). We drew on that document to create the NCSA Firewall Policy Guide, which enjoyed extensive world-wide distribution (NIST SP800-10 does not seem to appear anywhere in its original form, partly because it was superseded by the more complete SP800-41).

We now have firewalls everywhere, even on our personal computers. They haven't made us as comfortably secure as we'd like, but when properly configured and managed they are considerably more difficult to get through than some movies would have you believe.
