NETWORK SECURITY TACTICS
Bringing the network perimeter back from the 'dead'
Mike Chapple, CISA, CISSP
09.11.2007
Rating: -3.73- (out of 5)
|
With apologies to Samuel Clemens, the rumors of the perimeter's death have been greatly exaggerated.
I recently attended a conference organized by one of the major industry think tanks. Throughout the convention, several analysts pounded home the message, "The perimeter is dead. Abandon your border firewalls and spend your time hardening systems." This isn't an isolated opinion either. During the past year, a number of security professionals from consulting firms and client organizations have espoused the same viewpoint. Frankly, it's bad advice.
The proponents of this philosophy are correct in one respect: endpoint protection is one of security's greatest future challenges. The reason for the endpoint emphasis, however, isn't that the border is "dead," but rather that appropriate, mature network defenses have already been developed to control perimeter traffic. Most enterprises use a combination of firewalls, virtual private networks (VPNs) and intrusion detection/prevention (IDS/IPS) systems to limit access to internal networks. Generally speaking, there isn't much work to do in these areas; it's about maintaining these controls and adapting them as dynamic infrastructures change. The maturity of the technology offers the opportunity to focus limited financial and human resources on more challenging problems, such as endpoint/server management and application security.
Those who say that the perimeter is dead often point out that today's computing environments are becoming increasingly mobile. As users spend less time behind perimeters, some propose that it is less important to protect those private networks from outsiders. This argument simply doesn't hold water. First, if the right technology is in place, why wouldn't every opportunity be taken to make users safer when they're connected to their home networks? Second, VPNs are vigorously promoted, and they provide traveling users with a secure network presence. Finally, assets such as servers are often on home networks and will never actually travel. They usually contain significant information assets that call for the added protection of a hardened perimeter.
I'd also like to point out two important benefits offered by perimeter controls:
- Perimeter defenses are valuable filters. If it does nothing else, a strong perimeter conserves resources. It blocks the script kiddies and network vulnerability scanners from consuming valuable bandwidth and does so at the earliest possible point. A protected network border also limits the work of internal security controls and simplifies the analysis of their logs.
- Perimeters provide an added layer of defense. We've all come to embrace the "defense-in-depth" approach to security: a series of layered defenses designed to prevent the penetration of core assets. The use of border firewalls and other perimeter controls adds an additional layer of protection at a relatively low cost.
What's the moral of the story? Don't listen to the hype. Sure, it makes sense to focus security efforts on the endpoint. You'll get a lot of bang for your security buck and ensure that users remain safe while they're on the road. However, it just doesn't make sense to completely ignore strong perimeter defenses. It may sound compelling in theory, but the next time someone tells you that the perimeter is dead, ask them the same question I've posed to many such individuals: "Have you turned off your border firewall?"
About the author:
Mike Chapple, CISA, CISSP, is an IT security professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated. He also answers your questions on network security.
ENDPOINT PROTECTION BEST PRACTICES
 Endpoint protection introduction
Endpoint security versus perimeter defenses
The importance of endpoint protection
Choosing endpoint security suites
Emerging endpoint security technologies
Juniper and F5 SSL VPN endpoint security
Endpoint protection costs
Top tactics for endpoint security
|
|
Rate this Tip
|
To rate tips, you must be a member of SearchSecurity.com.
Register now
to start rating these tips. Log in if you are already a member.
|
|
|
BROWSE BY TAG
Network Security Tactics,
Network Security: Tools, Products, Software,
Network Firewalls, Routers and Switches,
Enterprise Network Security,
SSL and TLS VPN Security,
Secure VPN Setup and Configuration,
Wireless Network Security: Setup and Tools,
Handheld and Mobile Device Security Best Practices,
Smartphone and PDA Viruses and Threats, VIEW ALL TAGS
|
|
DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.
|
|
|
|
|
|
|
