Perimeter walls come tumbling down

Stuart Compton, Vistorm

Photo of Stuart Compton Perimeter security: is it hard on the outside and soft in the middle? Stuart Compton, senior consultant at Vistorm, examines the evidence.

Perimeter security may have been adequate in the past, but it can lull companies into a false sense of security. Today we have a mobile workforce with mobile devices and external third parties that have to be considered when protecting our networks.

Perimeter security is a hardened boundary around your company network. It allows companies to restrict access to their network, protecting valuable data and resources. Typical perimeter security devices include: routers, firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS), virtual private network (VPN) devices and gateway anti-virus solutions.

With perimeter security it made sense to stop attackers at this hardened boundary and not let them traverse into the company network. When new vulnerabilities were discovered it was sometimes possible to stop the attack by adding a new rule at the firewall.

The risky alternative was to first wait for a patch to be released then patch every machine internally, potentially leaving the company vulnerable until this time. We can therefore say that this model consisted of a hard perimeter and a soft centre.

The main problem with perimeter security is that attacks on a company network are just as likely to come from within. Moreover these attacks from within can have better chances of succeeding than external attacks. For example due to unpatched systems, higher levels of access rights are available and the general openness of systems and the lack of physical barriers assist attack.

Perimeter security offers very little in stopping these internal attacks. The perimeter has become open, due to a mobile workforce, business partnerships, third party vendors and the need to offer services on the web. With home-working on the increase some of the assets that need protecting are not even inside this perimeter.

The good old onion

This is where defence-in-depth comes into play. Imagine the layers of an onion. A defence-in-depth model's level of protection works in a similar way. The idea is to add layers of protection so that even if an attacker peels away the outer security layers, there are many other security layers beneath. So the defence-in-depth model works on the basis that it reduces an attacker's chance of success by stopping an attacker or at least slowing them down.

So what is deperimeterization?

So where is the perimeter of the company network now? With the rapid growth in wireless and remote access it could be anywhere. For many companies the hardened perimeter security model is now dissolving, creating a boundaryless flow of information.

Not satisfied with the perimeter security and defence-in-depth model, the Jericho Forum, named after the biblical city whose walls came tumbling down leaving its inhabitants exposed to an outside threat, has come up with an idea that it calls 'deperimeterization'.

Deperimeterization is a concept describing the protection of company systems and data by making use of cryptography, secure protocols, secure systems and data-level authentication.

We have already discussed that concentrating too much on the perimeter defences can result in a company relaxing its internal defences, such as ensuring systems have up-todate security patches.

Even if perimeter security was perfect, the perimeter model assumes that assets stay inside this perimeter. This is made impossible with the increased use of mobile devices and a remote workforce in today's world. The Jericho Forum is dedicated to the development of open standards enabling secure and boundaryless information to flow throughout organizations. Members include high-profile companies such as Barclays, Boeing, HSBC and Rolls-Royce.

The Jericho Forum believe that a new approach is needed to move from the traditional network perimeter security down to the individual networked computers and devices that rely on defences that have been built into the hosts, applications and the data itself.

Not everyone is convinced that the 'walls can come tumbling down'. Instead they believe there will be internal segregation and additional controls while the walls remain. Perhaps the approach should be 'reperimeterization'.

However, deperimeterization is not simply removing your perimeter border security, removing your firewalls and then distributing your security devices inside your perimeter. Defence-in-depth and additional security controls are required but the threat posed by the internet is not likely to disappear in the near/midfuture, therefore firewalls should stay.

Technologies available

Some of the key technologies available that will help a company move towards deperimeterization include:

Identity management

This allows security to be applied at an individual or role level, while single sign-on eliminates the need for multiple and changing passwords. Companies such as RSA Security offer such solutions that ensure that users can enter the company network and get to the information relevant to them and nothing else.

Network quarantine

This secures mobile devices. If a laptop tries to connect to your network without the necessary security measures, the network is protected whilst users are given predefined assistance to enable them to comply with company security policies. McAfee and Check Point offer technologies that validate the compliance of a connecting device. Access is controlled and the network is defended using zone segmentation and quarantining.

Clientless security

This enhances endpoint security, particularly for external third party connections to your network. Instead of enforcing an organization's entire security policy, it validates your security clearances, thus confirming the legitimacy of third party requests to access your network.

Client device protection

Anti-virus, personal firewalls, offline web and mail filtering, patch management software, anti-malware and host IPS are all available and necessary.

The future of the perimeter

We have seen that the traditional model of a hard perimeter and soft centre is changing as the workforce moves outside the perimeter and business partners move inside this perimeter.

However the perimeter cannot go away and does not devalue over time. It is certainly a company's first line of defence against attacks such as DoS attacks. It must be adjusted accordingly to accommodate the business needs.

As companies become more interactive with their customers and partners, and with a growing use of mobile and wireless devices, protection must be extended to applications and end-user mobile devices, which must be able to defend themselves. More emphasis therefore needs to be on datalevel security and access control. By making use of smartcards and biometrics, mobile users and devices can be validated on the company network.

The Jericho Forum does not believe the firewall is a bad thing; it is just not the only place to implement security. They want to see new perimeters forming and extending into computer platforms, software applications and around the data itself.

The perimeter of any network is dynamic and users need protecting wherever they are accessing their company network. The rapid growth in remote and mobile users is redefining where the perimeter of a company's network really is.

One of the problems with deperimeterization will be the difficulty in ensuring the interoperability of the different security solutions from multiple vendors. However the Jericho Forum is highlighting the issues with a perimeter security model, creating public debate and exploring concepts in an open way involving key vendors.

Stuart Compton is senior consultant at Vistorm. Please visit www.vistorm.com