I recently attended a conference organized by one of the major industry think tanks. Throughout the convention, several analysts pounded home the message, "The perimeter is dead. Abandon your border firewalls and spend your time hardening systems." This isn't an isolated opinion either. During the past year, a number of security professionals from consulting firms and client organizations have espoused the same viewpoint. Frankly, it's bad advice.
Those who say that the perimeter is dead often point out that today's computing environments are becoming increasingly mobile. As users spend less time behind perimeters, some propose that it is less important to protect those private networks from outsiders. This argument simply doesn't hold water. First, if the right technology is in place, why wouldn't every opportunity be taken to make users safer when they're connected to their home networks? Second, VPNs are vigorously promoted, and they provide traveling users with a secure network presence. Finally, assets such as servers are often on home networks and will never actually travel. They usually contain significant information assets that call for the added protection of a hardened perimeter.
I'd also like to point out two important benefits offered by perimeter controls:
- Perimeter defenses are valuable filters. If it does nothing else, a strong perimeter conserves resources. It blocks the script kiddies and network vulnerability scanners from consuming valuable bandwidth and does so at the earliest possible point. A protected network border also limits the work of internal security controls and simplifies the analysis of their logs.
- Perimeters provide an added layer of defense. We've all come to embrace the "defense-in-depth" approach to security: a series of layered defenses designed to prevent the penetration of core assets. The use of border firewalls and other perimeter controls adds an additional layer of protection at a relatively low cost.
What's the moral of the story? Don't listen to the hype. Sure, it makes sense to focus security efforts on the endpoint. You'll get a lot of bang for your security buck and ensure that users remain safe while they're on the road. However, it just doesn't make sense to completely ignore strong perimeter defenses. It may sound compelling in theory, but the next time someone tells you that the perimeter is dead, ask them the same question I've posed to many such individuals: "Have you turned off your border firewall?"
About the author:
Mike Chapple, CISA, CISSP, is an IT security professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated. He also answers your questions on network security.
This was first published in September 2007