Copyright: Ravi Kalakota & Andrew Whinston

Title: Are Internet Firewalls Re-Inventing MIS

Andrew Whinston         Ravi Kalakota
Professor               Research Associate

Center for Information Systems Management
      University of Texas at Austin
        Austin, Texas 78712-1175


As Internet connectivity becomes part and parcel of next generation PC 
operating systems such as OS/2 Warp and Windows 3.5, corporations are 
going to see an explosion in the number of Internet users.  However, the 
downside of this growth will be the exposure of some subset of valuable 
enterprise resources to millions of other Internet users, some of whom can 
be very destructive. Many companies such as AT&T, Du Pont and Martin 
Marietta, and more recently academic institutions such as Cornell 
University, are attempting to lessen the exposure risk by building Internet 
firewalls. 
  
What exactly is an Internet firewall? A firewall is any one of several ways of 
guarding one network from another network which cannot be trusted. Some 
firewalls place a greater emphasis on blocking traffic from the external 
world, while others emphasize permitting traffic from inside the 
organization.  The actual implementation whereby this is accomplished varies 
widely, but in principle, the firewall can be thought of as a pair of 
mechanisms: one which exists to block traffic, and the other which exists to 
permit traffic.  

Are firewalls the answer? Yes and No. Firewalls create potential 
management headaches which have not been encountered previously. For 
instance, these methods of protection span a continuum between ease of 
use and extreme, paranoid security; which end does an organization 
emphasize? It may reduce risk by placing emphasis on security, but it 
risks alienating users by denying ease of access, such as the ability to 
traverse hypertext links with a mouse click.

Another problem not encountered by management earlier is electronic 
publishing. With the tremendous growth of electronic publishing on the 
Internet, many corporations are using their firewall systems as a place to 
store public information about corporate products and services, files to 
download, software bug-fixes, and so forth. In other words, a firewall acts 
as the corporate "ambassador" to the Internet. But, who manages this 
"ambassador"? Who polices the type or form of information that can be 
placed on the firewall? 

The most logical entity in the organization for handling this thankless task is 
the MIS department.  There are a number of basic design issues that MIS 
has to address in designing, specifying, and implementing or overseeing the 
installation of a firewall. The first and most important issue deals with the 
policy of the company: is the firewall in place to explicitly deny all services 
except those critical to the mission of connecting to the Internet, or is the 
firewall in place to provide a metered and audited method of "queuing" 
access in a non-threatening manner. The final decision is likely to be 
political rather than a technical decision.  The second is: what level of 
monitoring, redundancy, and control is required? Having established the 
acceptable risk level by resolving the first issue, a checklist of various 
applications to be monitored, permitted, or denied can then be generated. In 
other words, establish overall objectives, and then combine a needs analysis 
with a risk assessment, and sort the conflicting requirements out into a list 
that specifies the target architecture. 
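
The two policy stances and the monitored/permitted/denied checklist described
above can be made concrete. The following is an added example, not part of the
original article; the checklist entries, function names, and sample connections
are constructed assumptions.

```python
# Added illustration; names and sample traffic are constructed, not from the article.
from dataclasses import dataclass

# Checklist produced by the needs analysis and risk assessment (hypothetical entries).
CHECKLIST = {
    ("tcp", 25): "permit",    # mail relay
    ("tcp", 80): "monitor",   # permitted, but every use is audited
    ("tcp", 23): "deny",      # inbound telnet
}

@dataclass(frozen=True)
class Conn:
    src: str
    proto: str
    port: int

def decide(conn, stance):
    """Return (allowed, audited); stance is "deny_all" or "metered"."""
    if stance not in ("deny_all", "metered"):
        raise ValueError(f"unknown stance: {stance}")
    action = CHECKLIST.get((conn.proto, conn.port))
    if action == "deny":
        return (False, True)      # blocked attempts are recorded
    if action == "permit":
        return (True, False)
    if action == "monitor":
        return (True, True)
    # Unlisted service: the company-level policy decides.
    # deny_all blocks it; metered lets it through but audits it.
    return (False, True) if stance == "deny_all" else (True, True)

def evaluate(conns, stance):
    """Apply the policy to a batch; return (allowed, blocked, audit_log)."""
    allowed, blocked, audit = [], [], []
    for c in conns:
        ok, log = decide(c, stance)
        (allowed if ok else blocked).append(c)
        if log:
            audit.append((c.src, c.proto, c.port, "allow" if ok else "block"))
    return allowed, blocked, audit

# Constructed sample traffic (documentation address ranges).
SAMPLE = [
    Conn("192.0.2.10", "tcp", 25),
    Conn("192.0.2.11", "tcp", 80),
    Conn("198.51.100.7", "tcp", 23),
    Conn("198.51.100.8", "tcp", 6000),   # not on the checklist
]
```

The same checklist gives different outcomes for the unlisted port 6000
connection depending on which stance the company chose first.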

All this may prompt users to exclaim, "Oh! God, we are returning to the days 
of corporate data centers".