What Do I Do to Protect My Network Then?
No matter whose assessment you believe, you can no longer stand pat with traditional firewall and IDS defenses. Because traditional firewalls don't know anything about XML, it flows freely through all stacks in the network, says Salz. Now the perimeter has to get higher into the data level, the XML level, to filter traffic.
Callas puts it this way: you cannot presume that you're safe because you've closed a port at your firewall through which a worm attack would penetrate. Someone coming in on a VPN who has an infected client is in effect inside your network. He stresses that the environments in which telecommuters work are not as well guarded as those surrounding enterprise networks.
Wasson believes the multiple-perimeters stance updates the old moat-around-the-castle security model. "What we've done is dropped the drawbridge and said the castle is now open for business. And we have to have a different type of protection around the crown jewels over in this part of the organization than the kind we have in the open marketplace that's in the center of the castle walls."
The applications within your datacenter, as Wasson sees it, are the crown jewels of the organization. As such, they call for rock solid protection specifically designed for them, which may be more stringent than what you need for other parts of the enterprise, where your PC users are, for example. This model can be particularly effective in heterogeneous environments, where you can put different vendors' products in front of the assets they understand best rather than adopting a single vendor's solution for the entire enterprise.
Time to Take a Step Back
Laing states that a step back is necessary to analyze the entire network and its perimeter and begin to answer the critical question: 'what traffic are we allowing to what parts of the network?' More than just a network map, this analysis should take into account which protocols are being allowed through which parts of the network, which attacks can actually pass through those connections, which protections are in place, and how much business value is held by the machines that are vulnerable to attack. "Once I've applied that," he says, "then I can start to make trade-offs."
Laing summed up his point this way, "being able to pull in the configuration files and understand what the network looks like as a whole and how all the pieces are interacting is going to be key to the ever-increasing complexity of network security."
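The analysis Laing describes, as an added example that is not part of the original article and not any vendor's tool: take a firewall ruleset and an asset inventory, work out which source zones can reach which listening ports on which hosts, and rank the exposed assets by business value so the trade-offs can be made deliberately. The rules, zones, addresses, trust weights and assets below are all constructed sample data; the ruleset is evaluated top-down, first match wins, which is the common firewall semantics but is an assumption here.

```python
"""Added example: toy exposure analysis over a constructed firewall ruleset.

Not code from the article or from any product it mentions. Everything below
(rules, zones, trust weights, assets) is made-up sample data.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str      # source CIDR
    dst: str      # destination CIDR
    port: int     # 0 means "any port"
    action: str   # "allow" or "deny"


@dataclass(frozen=True)
class Asset:
    name: str
    ip: str
    business_value: int          # 1 (low) .. 5 (crown jewels)
    listening_ports: frozenset   # TCP ports the host actually serves


# Constructed ruleset; evaluated top-down, first match wins (assumption).
# The broad VPN-pool allow models Callas's point that a VPN client is
# effectively inside the network once it is connected.
RULES = [
    Rule("10.50.0.0/16", "10.10.0.0/16", 1433, "deny"),   # VPN pool -> DB port
    Rule("10.50.0.0/16", "10.10.0.0/16", 0, "allow"),     # VPN pool -> datacenter, anything else
    Rule("0.0.0.0/0", "10.10.0.0/16", 443, "allow"),      # anyone -> datacenter HTTPS
    Rule("10.20.0.0/16", "10.10.0.0/16", 1433, "allow"),  # office LAN -> DB port
    Rule("0.0.0.0/0", "0.0.0.0/0", 0, "deny"),            # default deny
]

# One representative source address per zone (constructed).
ZONES = {
    "internet": "203.0.113.7",
    "vpn_pool": "10.50.4.21",
    "office_lan": "10.20.9.3",
}
# Constructed trust levels: 0 = least trusted. Weight used in scoring is 3 - trust.
ZONE_TRUST = {"internet": 0, "vpn_pool": 1, "office_lan": 2}

# Constructed inventory of datacenter assets with a business-value rating.
ASSETS = [
    Asset("order-db", "10.10.1.10", 5, frozenset({1433, 445})),
    Asset("web-frontend", "10.10.2.20", 3, frozenset({443})),
    Asset("file-server", "10.10.3.30", 2, frozenset({445})),
]


def first_match(rules, src_ip, dst_ip, port):
    """Return the first rule whose src/dst/port match, or None if nothing matches."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (s in ipaddress.ip_network(r.src)
                and d in ipaddress.ip_network(r.dst)
                and r.port in (0, port)):
            return r
    return None


def is_allowed(rules, src_ip, dst_ip, port):
    """True only if the first matching rule is an explicit allow."""
    r = first_match(rules, src_ip, dst_ip, port)
    return r is not None and r.action == "allow"


def reachable_paths(rules, zones, assets):
    """Map asset name -> sorted list of (zone, port) pairs the ruleset lets through."""
    paths = {}
    for a in assets:
        hits = [(zone, port)
                for zone, src in zones.items()
                for port in sorted(a.listening_ports)
                if is_allowed(rules, src, a.ip, port)]
        paths[a.name] = sorted(hits)
    return paths


def rank_exposure(paths, assets, zone_trust):
    """Score each reachable asset by business_value x (3 - trust of the
    least-trusted zone that can reach it); highest score first."""
    by_name = {a.name: a for a in assets}
    ranked = []
    for name, hits in paths.items():
        if not hits:
            continue
        worst_zone = min((z for z, _ in hits), key=lambda z: zone_trust[z])
        score = by_name[name].business_value * (3 - zone_trust[worst_zone])
        ranked.append((score, name, worst_zone))
    return sorted(ranked, key=lambda t: (-t[0], t[1]))


if __name__ == "__main__":
    paths = reachable_paths(RULES, ZONES, ASSETS)
    for score, name, zone in rank_exposure(paths, ASSETS, ZONE_TRUST):
        print(f"{score:3d}  {name:13s} least-trusted reaching zone: {zone}  paths: {paths[name]}")
```

In this data the crown-jewels database ranks first not because of its externally facing ports (there are none) but because the VPN pool can reach its SMB port, which is exactly the kind of path a port-by-port firewall review misses and a whole-network view surfaces. Replacing the constructed lists with rules and inventory pulled from real configuration files is the step Laing is describing.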
What's the Perimeter of the Future?
Wasson predicts that within the next two years, the perimeter (or perimeters in his suggested architecture) will have a different look. The standalone network firewall that protects the wire by scanning incoming packets is going away. In its place will emerge a single security gateway device that, along with inspecting all incoming traffic, incorporates all the additional security functions that have needed to be layered on top of the firewall, such as antivirus, spam protection, and outbound content filtering/caching. Similarly, a gateway that integrates SSL encryption, SSL VPN, caching, and DoS protection will replace the standalone application firewall.
Salz sees the ubiquitous adoption of the WS-Security framework diminishing the overall importance of firewalls. He believes the need for perimeter security will always serve a purpose because the "bad guys and idiots aren't going away." However, as XML and message-level security become widespread and enterprises use them externally and internally to identify everyone and protect every message, Salz says "the firewalls become much less important in terms of security, and more important in terms of TCP routing, package filtering, and stuff like that."
Too Important to Ignore
For security administrators, who are drowning in a flood of IDS alerts and new patch releases from their software vendors while reconfiguring their firewall rules to combat yet another new attack, the proposition of taking a step back to reconsider their security architectures might seem impossible. Meanwhile, the application developers who must work with these admins, to ensure that whatever is done to lock down the network doesn't break any of the functionality or choke the performance their apps need, are working under the pressure of we-needed-that-launched-yesterday deadlines. Who's got the time for a big-picture reassessment? It may not be a matter of having time but of making time, if you plan to keep pace with proliferating network threats.
The growing complexity of network data flow and the changing profile of the network user base simply mean perimeter security is not the silver bullet against attacks that it once was. It may not be dead just yet, but it isn't adequate protection anymore either. To protect your business assets, start looking at the traditional perimeter defenses (firewalls and IDS) as commodity appliances, and update your policies and architecture to block the proliferating network threats these appliances no longer can.