Bringing the network perimeter back from the "dead"

I recently attended a conference organized by one of the major industry think tanks. Throughout the convention, several analysts pounded home the message, "The perimeter is dead. Abandon your border firewalls and spend your time hardening systems." This isn't an isolated opinion either. During the past year, a number of security professionals from consulting firms and client organizations have espoused the same viewpoint. Frankly, it's bad advice.

For more information Learn the key technologies in a network perimeter intrusion defense strategy. Identifying the network edge is a challenge in itself. This webcast offers insight on protecting enterprise networks in a perimeterless world. Stumped by network security? Send Mike your questions.

The proponents of this philosophy are correct in one respect: endpoint protection is one of security's greatest future challenges. The reason for the endpoint emphasis, however, isn't that the border is "dead," but rather that appropriate, mature network defenses have already been developed to control perimeter traffic. Most enterprises use a combination of firewalls, virtual private networks (VPNs) and intrusion detection/prevention (IDS/IPS) systems to limit access to internal networks. Generally speaking, there isn't much work to do in these areas; it's about maintaining these controls and adapting them as dynamic infrastructures change. The maturity of the technology offers the opportunity to focus limited financial and human resources on more challenging problems, such as endpoint/server management and application security.

Those who say that the perimeter is dead often point out that today's computing environments are becoming increasingly mobile. As users spend less time behind perimeters, some propose that it is less important to protect those private networks from outsiders. This argument simply doesn't hold water. First, if the right technology is in place, why wouldn't every opportunity be taken to make users safer when they're connected to their home networks? Second, VPNs are vigorously promoted, and they provide traveling users with a secure network presence. Finally, assets such as servers are often on home networks and will never actually travel. They usually contain significant information assets that call for the added protection of a hardened perimeter.

I'd also like to point out two important benefits offered by perimeter controls:

• Perimeter defenses are valuable filters. If it does nothing else, a strong perimeter conserves resources. It blocks the script kiddies and network vulnerability scanners from consuming valuable bandwidth and does so at the earliest possible point. A protected network border also limits the work of internal security controls and simplifies the analysis of their logs.
• Perimeters provide an added layer of defense. We've all come to embrace the "defense-in-depth" approach to security: a series of layered defenses designed to prevent the penetration of core assets. The use of border firewalls and other perimeter controls adds an additional layer of protection at a relatively low cost.

What's the moral of the story? Don't listen to the hype. Sure, it makes sense to focus security efforts on the endpoint. You'll get a lot of bang for your security buck and ensure that users remain safe while they're on the road. However, it just doesn't make sense to completely ignore strong perimeter defenses. It may sound compelling in theory, but the next time someone tells you that the perimeter is dead, ask them the same question I've posed to many such individuals: "Have you turned off your border firewall?"

About the author:
Mike Chapple, CISA, CISSP, is an IT security professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated. He also answers your questions on network security.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Network Security Tactics Using Nessus Attack Scripting Language (NASL) to find application vulnerabilities Screencast: Recovering lost data with WinHex How to build security into a virtualized server environment How to install and configure Nessus How to run a Nessus system scan Nessus: Vulnerability scanning in the enterprise Screencast: An introduction to the Open Source Security Testing Methodology Manual (OSSTMM) Understanding multifactor authentication features in IAM suites Network intrusion prevention systems: Should enterprises deploy now? Webmail security: Best practices for data protection Network Firewalls Is it possible to allow select access to IP addresses using Windows Server 2003? Sophos finds patching issues through endpoint NAC tool Fortinet acquires database vulnerability scanner from IPLocks Is an IPsec VPN necessary when connecting remote servers that process financial transactions? Embedding security has drawbacks says TippingPoint chief architect Is security improved when the number of Internet gateways is reduced? Nipper audits routers, reveals insecure settings Product review: Netgear's Netgear FVS336G ProSafe Dual WAN Gigabit Firewall Product review: Tufin's Tufin SecureTrack 4.1 Product review: SonicWALL's SonicWALL NSA E5500 SSL Product review: Array Networks SPX2000 The Shortcut Guide to Extended Validation SSL Certificates How to test the security of personal details submitted to a website Should enterprises implement a mandatory iPhone VPN? Should iPhone email be sent without SSL encryption? How to secure an FTP connection Can Trojans and other malware exploit split-tunnel VPNs to infiltrate a network? What are the risks of connecting a Web service to an external system via SSL? What is the most secure way for application developers to manage cookies? Secure file copying with WinSCP RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary bastion host  (SearchSecurity.com) firewall  (SearchSecurity.com) Firewall Builder  (SearchSecurity.com) personal firewall  (SearchSecurity.com) screened subnet  (SearchSecurity.com) virus  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.