Perimeter security used to be a relatively simple affair that involved deploying a firewall or two.
These days, however, talk centers around a future with no perimeter. Coined deperimeterization, this new world of computing without virtual walls will see ever more dispersed networks facing growing complexity and additional security issues.
Just as early adopters of intrusion prevention systems are beginning to feel comfortable with the fact that they turned on the blocking and the world failed to cave in, deperimeterization soothsayers are pondering what is next.
The big worry is how to keep the network safe when lots of people on the outside have a need for, and a right to, access. Those people can be a company's own mobile workforce or business partners coming in via a VPN, for instance. Such scenarios have led to the debate about the perimeter. What is it nowadays? Is it dissolving? Is the future a world of deperimeterization?
"When you look at your company and your network environment, you should really look at what your perimeter is... consider VPN machines to be your perimeter... application servers to be your perimeter," says Anton Chuvakin, a senior security analyst at netForensics. "It is still all about protecting the perimeter; you just have to go and find it before you can protect it."
There are some influential proponents of deperimeterization, but the idea is dismissed as a fad by others. Gartner analyst John Pescatore, for example, says the concept seems to raise its head every couple of years.
According to Rob Clyde, the CTO at Symantec, deperimeterization is based on the theory that companies no longer want to lock down their environments using traditional security products. Instead, they want to know all about the machine that is trying to access the network and whether it conforms to security policies that the IT department has put in place.
"The lynch pin in allowing this to work is providing a way that you can actually control who accesses your network based on the level of security. You can begin to set policy by not only knowing who they are, but what they are," says Clyde.
Securing the endpoint
Endpoint policy control software is still in its infancy, however, so some enterprises are taking a completely opposite view of the future, admits Clyde. For them, the perimeter is being locked down ever tighter, and more and more control is being exerted on end users.
And while more than half the companies Clyde talks to favor that second scenario, he sees it as a short-term fix and compares them to Neanderthals – which is not meant to be disparaging, he is quick to point out. The Neanderthals were a successful evolutionary branch and lasted a long time, and it is likely that lock-down proponents will last a few years before they too will die out.
"Clearly, the ability to manage by policy is very new; it is bleeding-edge technology. It is not fully implementable in most networks, so there is a lot of wisdom in perhaps taking the (lock-down) approach; certainly the safer approach," he says.
John Roese, CTO of Enterasys, has some problems with the deperimeterization theory of "don't protect anything but the end system," which is advocated by the influential U.K. user group, the Jericho Forum. "While I don't disagree with some of the premises in the Jericho Forum, in the sense that any system is in fact one perimeter... it is not the only perimeter," he says.
Beyond the endpoint
There is a need for protection where the end system joins the network and the sophistication of that service needs to be almost as functional as the end systems security models that exist in personal security firewalls, says Roese.
"We actually use the term 'secure networking massive distributed personal firewall,'" he explains.
Roese says he simply does not trust the end users, because they are human and make mistakes. Plus, he says, they are end users, not IT pros. And the latter group, given its knowledge and professional background, is directly responsible for what happens on the corporate network – endpoints and all.
Putting IT back in control is becoming a really important issue for organizations, says Dave Burton, director of product marketing at Check Point.
"We do see customers moving their attention from just the perimeter to internal security, and a main area of concern there is containing threats once they get inside the network. They also want to protect their web servers from the growing number of exploits that are being used to steal creditcard and personal information."
Last year's experience with Slammer brought home the message about how vulnerable networks were from mobile workers, says Martin Roesch, founder and CTO at Sourcefire. Slammer hit on a Friday and on Monday, when people plugged their laptops into the networks, the viruses "tore them apart," he says.
"People are now saying they want the laptop to be in a known configuration before they let them plug into the network, but that still doesn't solve the total problem. Just because your anti-virus software is up to date doesn't mean you are not malicious and you don't have something on there that the anti-virus software doesn't know about," he says.
Getting control of all user groups
Larger enterprises and government agencies understand the role the mobile worker is playing in the advent of the dissolving perimeter. What they are less aware of, says Brent Houlahan, CTO at NetSec, is the role played by customers and those accessing a company's websites and portals.
"You are letting everything through Port 80, if you will. You have got all these interactions taking place and it is very hard to block this port; block this protocol...those kinds of technologies don't help you anymore," he says.
NetSec is trying to get its customers to focus on "behavioral anomaly detection capabilities" as a way of addressing the dissolving perimeter. Legitimate traffic would arrive at the home page, possibly do a search or two and then go to the catalog.
"But if they are landing in your application at a place where people don't normally land, that is an application anomaly and that becomes important information to customers," he says.
Of course, a wide array of vendors offer solutions to tackle the changing or, as some say, the dissolving perimeter. Gartner's Pescatore sees a future in a firewall on steroids. Perimeter security will move beyond requiring different boxes to block different threats.
"The next generation firewall in 2006 won't just be a device that secures the perimeter; it will block network-level threats, application-level threats, and attachment-level threats," he says.
While much of the debate is centered on threats from the outside coming in, there is concern about problems going the other way. His thinking is that the perimeter is the place to stop important information – trade secrets, source code, as well as regulatory compliance facts and figures, for instance – from improperly leaving a company.
An example to support such a contention comes from Jim Nisbet, CEO of Tablus. A large pharmaceutical company was working with a third party that had also worked with its competitors. The company was quite concerned that only specific information go to this third party (connected via VPN) and clearly viewed it as a case of perimeter security, says Nisbet, whose company sells a network-level appliance that enables companies to monitor and protect sensitive data leaving the network.
"The first approach was to physically isolate the resources that could be accessed, but they struggled with the complexity of maintaining physically partitioned environments," he says.
It seems perimeter security challenges facing CSOs today are vast and varied. Not surprisingly, so are the number of solutions. Perhaps the best advice comes from netForensics' Chuvakin, who advises: "Defend in depth."