If complexity truly breeds insecurity, your perimeter security can no longer be entrusted only to the traditional defenses of firewalls and intrusion detection systems (IDS). Web services, network interconnectedness, wireless connectivity, and VPNs have made the perimeter a much more complicated concept than it used to be. To sort out where perimeter security stands today, how it's likely to evolve in the future, and how you can keep pace with it, DevX spoke with four IT security professionals:
The interviews revealed widely varied viewpoints and solutions, but a common theme also emerged: The way you think about and correspondingly protect your perimeter has to change along with the technologies that enable access to your networks.
Is Perimeter Security an Outdated Notion?
The present state of perimeter security apparently is a subject of debate. Everyone has his own assessment. "The perimeter is becoming so wide and so much access is being allowed through it," says Brian Laing. "In essence, it's rapidly disappearing."
Richard Salz says, "The perimeter is not going away, it's lowering."
Jon Callas says the traditional network routing metaphor, where you put up defenses around the main router that connects you to the Internet, hasn't so much gone away as "interconnectedness makes things harder."
Wes Wasson has listened with a skeptical ear to many such declarations in the IT security market of late. "The guys saying that," he states, "are the blind men around the elephant: they're all seeing pieces but not the big picture."
What does Laing mean by disappearing? He sees enterprises placing defenses at all layers of the network, not just their perimeters. IDS are now deployed both inside and outside the network, firewalls are placed between departments within the same enterprise, and switch VLANs also are being employed for security. As further evidence of what he terms "the diminishing perimeter," he cites numerous vendors' development of end-to-end encryption that would encrypt all data traffic inside a given network. These products rely on the premise that even inside the network perimeter, data isn't safe.
According to Salz, the perimeter is lowering in the sense that it no longer protects the upper layers of the seven-layer OSI protocol stack. Data at the higher layers (Salz estimates layer 5 and up) now flows much more freely across the perimeter. The access granted to Web services and wireless devices, together with the ubiquity of HTTP and XML traffic that crosses the perimeter inside SSL sessions and VPN tunnels, results in far greater data interchange across it. Salz says the lower layers at the foundation of the perimeter are therefore even more important. "Harden the lower layers to make sure that the data flowing above is legit," he advises.
It's Becoming More Complex
Callas cites the demands for remote network access today. People want wireless networks. Workers, often equipped with laptops, mobile phones, and PDAs, need to connect from outside the enterprise via VPNs. When accommodating all these demands, the concept of inside vs. outside the network gets convoluted. "When you connect to the VPN, you're no longer outside the network," he explains. "You are now all of a sudden inside the network and so is everything that's running on your computer. That means any malware that you may have on your PC."
Not So Fast
"It's not that perimeter security is dead," says Wasson. It has merely changed. "The access points to your corporate assets have changed, the way you have to think about your perimeter has changed, and we now have to think in terms of multiple perimeters," he explains.
Traditional network firewalls are necessary, argues Wasson, but they are very rudimentary. "Ninety percent of the attacks that target applications go right past the firewall with hardly any resistance at all," he says. "IDS systems are the security cameras, but they don't see any of these application-layer threats."
The multiple perimeters Wasson proposes (the network LAN, application, and mobile perimeters) can each have different layers of defense within them. This lets enterprises apply different methods of protection, varying in degree of hardness, to the different parts of their networks. Today's network LAN perimeter, for instance, is the line of defense in front of the LAN and its PC users, and for that part of the network it may be sufficient, Wasson points out. But the mission-critical applications found in the datacenter require a more hardened kind of perimeter: an application perimeter with its own set of criteria. The same is true for the mobile perimeter (laptops, cell phones, PDAs, anything that leaves the network or moves from network to network).
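The following is an added example, not code from the DevX article or from any of the interviewees, to make Wasson's point concrete. It places a layer-3/4 packet filter (source address and destination port only) next to an application-perimeter check that parses the HTTP request, and runs both over a handful of constructed requests: the port filter passes every request aimed at the web application, including the ones carrying a path-traversal or SQL-injection payload, because on port 80 or 443 they look identical to legitimate traffic. The policy, addresses, and signatures are assumptions made for illustration.

```python
"""Network perimeter vs. application perimeter (added example, assumed policy)."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import unquote, unquote_plus, urlsplit


@dataclass
class Packet:
    src: str          # source IPv4 address
    dst_port: int     # destination TCP port
    payload: bytes    # reassembled TCP payload (here, one HTTP request)


# --- Network perimeter: stateless address/port filter (assumed policy) ------
ALLOWED_INBOUND_PORTS = {80, 443}                       # public web server
BLOCKED_SOURCES = [ipaddress.ip_network("10.0.0.0/8")]  # private space spoofed from outside


def network_firewall(pkt: Packet) -> bool:
    """Layer 3/4 decision only: the payload is never examined."""
    src = ipaddress.ip_address(pkt.src)
    if any(src in net for net in BLOCKED_SOURCES):
        return False
    return pkt.dst_port in ALLOWED_INBOUND_PORTS


# --- Application perimeter: inspects the HTTP request itself -----------------
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n")
ALLOWED_METHODS = {"GET", "POST", "HEAD"}
MAX_TARGET_LEN = 2048

# Illustrative negative signatures. A production application firewall relies
# mainly on a positive model of what the application expects (allowed paths,
# parameter types and lengths); blacklists alone are easy to evade.
SIGNATURES = [
    (re.compile(r"\.\.[/\\]"), "path traversal"),
    (re.compile(r"(?i)['\"]\s*(or|and)\s*['\"\d]"), "sql injection"),
    (re.compile(r"(?i)union\s+select"), "sql injection"),
    (re.compile(r"(?i)<script"), "script injection"),
]


def _normalize(raw: str, form_encoded: bool) -> str:
    """Percent-decode twice so %252e%252e cannot hide a traversal."""
    dec = unquote_plus if form_encoded else unquote
    return dec(dec(raw))


def application_firewall(pkt: Packet) -> tuple[bool, str]:
    """Return (allowed, reason). Assumes TLS is already terminated for 443."""
    head, _, body = pkt.payload.partition(b"\r\n\r\n")
    m = REQUEST_LINE.match(head + b"\r\n")
    if not m:
        return False, "malformed request line"
    method = m.group(1).decode()
    target = m.group(2).decode(errors="replace")
    if method not in ALLOWED_METHODS:
        return False, f"method {method} not allowed"
    if len(target) > MAX_TARGET_LEN:
        return False, "oversized request target"
    parts = urlsplit(target)
    fields = [
        _normalize(parts.path, form_encoded=False),
        _normalize(parts.query, form_encoded=True),
        _normalize(body.decode(errors="replace"), form_encoded=True),
    ]
    for text in fields:
        for pattern, label in SIGNATURES:
            if pattern.search(text):
                return False, label
    return True, "ok"


# Constructed sample traffic for this example (not captured data).
SAMPLE_PACKETS = [
    Packet("203.0.113.5", 80,
           b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Packet("203.0.113.5", 80,
           b"GET /download?file=..%2F..%2Fetc%2Fpasswd HTTP/1.1\r\n"
           b"Host: www.example.com\r\n\r\n"),
    Packet("198.51.100.7", 443,
           b"POST /login HTTP/1.1\r\nHost: www.example.com\r\n"
           b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
           b"user=admin%27+OR+%271%27%3D%271&pass=x"),
    Packet("198.51.100.7", 22, b"SSH-2.0-OpenSSH_8.9\r\n"),
]


def compare(packets: list[Packet]) -> list[tuple[bool, bool, str]]:
    """(network verdict, application verdict, reason) for each packet."""
    out = []
    for pkt in packets:
        net_ok = network_firewall(pkt)
        app_ok, reason = application_firewall(pkt)
        out.append((net_ok, app_ok, reason))
    return out


if __name__ == "__main__":
    for pkt, (net_ok, app_ok, reason) in zip(SAMPLE_PACKETS, compare(SAMPLE_PACKETS)):
        print(f"{pkt.src}:{pkt.dst_port:<4} network={'pass' if net_ok else 'drop'} "
              f"application={'pass' if app_ok else 'block'} ({reason})")
```

Run stand-alone, the script shows the port filter dropping only the SSH probe and passing the three web requests, while the application check blocks the traversal and the injection. The design point matches Wasson's argument: the two checks are not alternatives, and the application perimeter is only as good as its view of the request, which on port 443 means it must sit behind TLS termination.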