
Security Perimeters Under Fire

The concept of a security perimeter is well-established within the world of information security. A security perimeter is a logical network boundary that surrounds and protects internal computing resources and devices. The advent of firewalls (as crude as the first ones were) in the early 1990s followed by the emergence of the concept of a demilitarized zone (DMZ) shortly afterwards paved the way for deploying security perimeters to protect networks against externally-initiated attacks. Cheswick and Bellovin’s now classic book, Firewalls and Internet Security: Repelling the Wily Hacker, served both as an impetus and guidebook for creating security perimeters.

At the same time, however, various obstacles have prevented organizations from creating “bulletproof” security perimeters. Dial-in access, something that frequently bypasses firewalls, thus creating “leakage” in security perimeters, came first. The list of other obstacles—peer-to-peer protocols, wireless networking, virtual private networks, proxy servers, and more—has since grown considerably. Accordingly, a security perimeter that has no leakage whatsoever is more of an ideal than anything else.

Critics have assailed security perimeters from the start, and rightly so. Too often organizations set up firewalls and DMZs and then relaxed, assuming that they had a very high level of network security that could not for all practical purposes be breached. A kind of “fortress mentality” prevailed among many of those who had set up security perimeters. A combination of penetration testing results and security breaches in which firewalls were compromised or bypassed has, however, provided startling wake-up calls to many individuals who were naïve about security perimeters.

Another, more vigorous level of assault against security perimeters surfaced about six or seven years ago. A group of individuals formed the Jericho Forum, an organization that propounds boundaryless (deperimeterized) environments. This view is in response to the fact that the nature of network connections has become so diverse and complex that it is virtually impossible to enforce a security perimeter; other means of securing connections and internal systems and devices are therefore necessary. I fear, however, that the Jericho Forum has thrown the proverbial baby out with the bath water. They are correct in pointing out that not all networks, especially ones in which customer and B2B transactions dominate the activity within, are conducive to security perimeters. At the same time, however, they have failed to point out environments and situations that would be well served by security perimeters.

Are security perimeters still viable, or are they an outmoded concept? Despite their inherent limitations, security perimeters are still a potentially useful concept in that they can serve as one of several layers of network defenses. Having one or more external firewalls can, for example, substantially reduce the amount of traffic due to externally initiated attacks, especially “kiddie script”-based attacks and vulnerability scans. Keeping “garbage” traffic out makes sense. The key point is that one should never rely on any security perimeter or any other single type of security control, no matter what it is. Other security controls are necessary so that if a security perimeter is breached, other controls that counter the attack will still be in place.
