If complexity truly breeds insecurity, your perimeter security can’t be trusted to only the traditional defenses of firewalls and intrusion detection systems (IDS) anymore. Web services, network interconnectedness, wireless connectivity, and VPNs have made the perimeter a much more complicated concept than it used to be. To sort out where perimeter security stands today, how it’s likely to evolve in the future, and how you can keep pace with it, DevX spoke with four IT security professionals:
- Jon Callas, Chief Security Officer/Founder, PGP Corporation
- Brian Laing, Chief Technology Officer, Blade Software
- Richard Salz, Chief Security Architect, DataPower Technology
- Wes Wasson, Chief Strategy Officer, NetContinuum
The interviews revealed widely varied viewpoints and solutions, but a common theme also emerged: The way you think about and correspondingly protect your perimeter has to change along with the technologies that enable access to your networks.
Is Perimeter Security an Outdated Notion?
The present state of perimeter security apparently is a subject of debate. Everyone has his own assessment. “The perimeter is becoming so wide and so much access is being allowed through it,” says Brian Laing. “In essence, it’s rapidly disappearing.”
Richard Salz says, “The perimeter is not going away, it’s lowering.”
Jon Callas says the traditional network routing metaphor, where you put up defenses around the main router that connects you to the Internet, hasn’t so much gone away as “interconnectedness makes things harder.”
Wes Wasson has listened with a skeptical ear to many such declarations in the IT security market of late. “The guys saying that,” he states, “are the blind men around the elephant: they’re all seeing pieces but not the big picture.”
What does Laing mean by disappearing? He sees enterprises placing defenses at all layers of the network, not just their perimeters. IDS are now deployed both inside and outside the network, firewalls are placed between departments within the same enterprise, and switch VLANs also are being employed for security. As further evidence of what he terms “the diminishing perimeter,” he cites numerous vendors’ development of end-to-end encryption that would encrypt all data traffic inside a given network. These products rely on the premise that even inside the network perimeter, data isn’t safe.
According to Salz, the perimeter is lowering in the sense that it no longer protects the upper layers of the seven-layer protocol stack found in many networks. Data at the higher levels (Salz estimates layers 5 and up) is now flowing much more freely across the perimeter. The access afforded Web services and wireless devices, as well as the ubiquity of HTTP and XML across the network (via SSL and VPNs, for example), results in greater data interchange. Salz says the lower levels at the foundation of the perimeter are now even more important. “Harden the lower layers to make sure that the data flowing above is legit,” he advises.
Callas cites the demands for remote network access today. People want wireless networks. Workers, often equipped with laptops, mobile phones, and PDAs, need to connect from outside the enterprise via VPNs. When accommodating all these demands, the concept of inside vs. outside the network gets convoluted. “When you connect to the VPN, you’re no longer outside the network,” he explains. “You are now all of a sudden inside the network and so is everything that’s running on your computer. That means any malware that you may have on your PC.”
Not So Fast
“It’s not that perimeter security is dead,” says Wasson. It has merely changed. “The access points to your corporate assets have changed, the way you have to think about your perimeter has changed, and we now have to think in terms of multiple perimeters,” he explains.
Traditional network firewalls are necessary, argues Wasson, but they are very rudimentary. “Ninety percent of the attacks that target applications go right past the firewall with hardly any resistance at all,” he says. “IDS systems are the security cameras, but they don’t see any of these application-layer threats.”
The multiple perimeters Wasson proposes (the network LAN, application, and mobile perimeters) can each have different layers of defense within them. This lets enterprises employ different methods of protection, varying in degree of hardness, for the different parts of their networks. Today’s network LAN perimeter, for instance, is the line of defense in front of the LAN, the general network, PC users, and the like, and for those it may be sufficient, Wasson points out. But the mission-critical applications found in the datacenter require a more hardened kind of perimeter, an application perimeter with its own set of criteria. The same is true for the mobile perimeter (laptops, cell phones, PDAs, anything that leaves the network or moves from network to network).
What Do I Do to Protect My Network Then?
No matter whose assessment you believe, you can no longer stand pat with traditional firewall and IDS defenses. Because traditional firewalls don’t know anything about XML, it flows freely through all stacks in the network, says Salz. Now the perimeter has to get higher into the data level, the XML level, to filter traffic.
Callas puts it this way: you cannot presume that you’re safe because you’ve closed the port at your firewall through which a worm attack would penetrate. Someone coming in on a VPN with an infected client is in effect inside your network. He stresses that the environments in which telecommuters work are not as well guarded as those surrounding enterprise networks.
The applications within your datacenter, as Wasson sees it, are the crown jewels of the organization. As such, they call for rock solid protection specifically designed for them, which may be more stringent than what you need for other parts of the enterprise, where your PC users are, for example. This model can be particularly effective in heterogeneous environments, where you can put different vendors’ products in front of the assets they understand best rather than adopting a single vendor’s solution for the entire enterprise.
Time to Take a Step Back
Laing states that a step back is necessary to analyze the entire network and its perimeter and begin to answer the critical question: ‘what traffic are we allowing to what parts of the network?’ More than just a network map, this analysis should take into account which protocols are being allowed through which parts of the network, which attacks can actually pass through those connections, which protections are in place, and how much business value is held by the machines that are vulnerable to attack. “Once I’ve applied that,” he says, “then I can start to make trade-offs.”
Laing summed up his point this way: “Being able to pull in the configuration files and understand what the network looks like as a whole and how all the pieces are interacting is going to be key to the ever-increasing complexity of network security.”
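The analysis Laing describes, as a small worked model added here (not code from the article or from Blade Software): the firewall policy says which protocols may cross from which zone to which, each asset carries a business value and the controls in front of it, and the two are combined to rank where exposure is highest. The zones, rules, assets, and the trust and mitigation weights are all constructed for illustration; the only fact from the article that they encode is that a VPN client counts as inside and that packet-level controls earn little credit against application-layer protocols.

```python
from dataclasses import dataclass, field

@dataclass
class Asset:
    name: str
    zone: str
    services: set                                  # protocols it listens on
    value: int                                     # business value, 1 (low) to 5 (crown jewels)
    protections: set = field(default_factory=set)  # controls in front of it, e.g. {"waf"}

# Constructed firewall policy: (source zone, destination zone, protocol) triples that are allowed.
RULES = {("internet", "dmz", "https"), ("internet", "vpn", "ipsec"), ("vpn", "lan", "smb"),
         ("vpn", "datacenter", "sql"), ("dmz", "datacenter", "sql"), ("lan", "datacenter", "https")}

# Constructed weights: fraction of risk a control removes per protocol. IDS gets little
# credit against application-layer traffic, the gap Wasson describes in the article.
MITIGATION = {("waf", "https"): 0.7, ("ids", "smb"): 0.3, ("ids", "sql"): 0.1}

# Constructed trust per origin zone; "vpn" scores low because an infected VPN
# client is effectively inside the network (Callas's point).
ORIGIN_TRUST = {"internet": 0.0, "vpn": 0.4, "dmz": 0.5, "lan": 0.6}

# Constructed inventory, with the datacenter database as the crown jewel.
ASSETS = [Asset("web01", "dmz", {"https"}, 3, {"waf", "ids"}),
          Asset("db01", "datacenter", {"sql"}, 5, {"ids"}),
          Asset("file01", "lan", {"smb"}, 2)]

def reachable_services(asset, rules=RULES):
    """Yield (origin zone, protocol) pairs the policy lets reach this asset."""
    for src, dst, proto in rules:
        if dst == asset.zone and proto in asset.services:
            yield src, proto

def exposure(asset, rules=RULES):
    """Business value scaled by the least-trusted allowed path, after mitigations."""
    worst = 0.0
    for src, proto in reachable_services(asset, rules):
        residual = 1.0 - ORIGIN_TRUST.get(src, 0.0)
        for ctrl in asset.protections:
            residual *= 1.0 - MITIGATION.get((ctrl, proto), 0.0)
        worst = max(worst, residual)
    return round(asset.value * worst, 2)

def rank(assets=ASSETS, rules=RULES):
    """Assets from most to least exposed: where the next control or rule change pays off."""
    return sorted(((exposure(a, rules), a.name) for a in assets), reverse=True)

if __name__ == "__main__":
    for score, name in rank():
        print(f"{name}: {score}")
```

With these inputs the database ranks first even though it is never reachable from the Internet directly, because the VPN and DMZ paths to it carry most of the business value; that is the kind of trade-off the analysis is meant to surface.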
Wasson predicts that within the next two years, the perimeter (or perimeters in his suggested architecture) will have a different look. The standalone network firewall that protects the wire by scanning incoming packets is going away. In its place will emerge a single security gateway device that, along with inspecting all incoming traffic, incorporates all the additional security functions that have needed to be layered on top of the firewall, such as antivirus, spam protection, and outbound content filtering/caching. Similarly, a gateway that integrates SSL encryption, SSL VPN, caching, and DoS protection will replace the standalone application firewall.
Salz sees the ubiquitous adoption of the WS-Security framework diminishing the overall importance of firewalls. He believes the need for perimeter security will always serve a purpose because the “bad guys and idiots aren’t going away.” However, as XML and message-level security become widespread and enterprises use them externally and internally to identify everyone and protect every message, Salz says “the firewalls become much less important in terms of security, and more important in terms of TCP routing, package filtering, and stuff like that.”
Too Important to Ignore
For security administrators (who are drowning in a flood of IDS security alerts and new patch releases from their software vendors, all while reconfiguring their firewall rules to combat yet another new attack), the proposition of taking a step back to reconsider their security architectures might seem impossible. Meanwhile, the application developers who must work with these admins to ensure that what they’re doing to lock up the network doesn’t break any of the functionality or choke the performance their apps need are working under the pressure of we-needed-that-launched-yesterday deadlines. Who’s got the time for a big-picture reassessment? It may not be a matter of having time but making time, if you plan to keep pace with proliferating network threats.
The growing complexity of network data flow and the changing profile of the network user base simply mean perimeter security is not the silver bullet against attacks that it once was. It may not be dead just yet, but it isn’t adequate protection anymore either. To protect your business assets, start looking at the traditional perimeter defenses, firewalls and IDS, as commodity appliances, and update your policies and architecture to block the proliferating network threats these appliances no longer can.