Perimeter defense in the era of the perimeterless network
Date: Aug 19, 2009
When it comes to perimeter defense, identifying the network edge is a challenge in itself. This video offers insight on defending the enterprise in a perimeterless world, including the issues of a perimeterless network and leading technologies for endpoint security.
About the speaker:
Joel Snyder is a senior partner with consulting firm Opus One in Tucson, Ariz.
Read the full text transcript from this video below. Please note the full transcript is for reference only and may include limited inaccuracies. To suggest a transcript correction, contact firstname.lastname@example.org.
Perimeter defense in the era of the perimeterless network
Presenter: Welcome to Search Security's Intrusion Defense Lesson 5, Perimeter Defense in the Era of the Perimeterless Network, with guest instructor Joel Snyder. Joel is a senior partner with Opus One, a consulting firm in Tucson, Arizona. Joel will forecast the future of intrusion defense and offer tips for applying intrusion defense in a perimeterless network. Thank you for joining us today, Joel.
Joel Snyder: Thank you very much. Good day everyone, and this is Lesson 5, which is sort of beyond perimeter intrusion defense. So this is the fifth of a set of five, and the first four talked about perimeter defense and what some of the issues are. They tried to go into what UTM is. This talk is sort of going beyond that. How do we go beyond basic intrusion defense when we don't have a perimeterful network anymore?
I have a couple things I want to talk about today. If we don't have perimeters anymore, how do we defend ourselves? What are the leading technologies for endpoint security? I'm going to talk about the issues in the future for this perimeterless network, and what we can do to provide intrusion defense in a perimeterless network. I want to point out that while you were out we went and dissolved your perimeter. People talk about this concept of a dissolving perimeter, but it's very, very true.
I just have a little picture showing you how it works if you've already thought about this a little bit. I've got my firewall around the network, but then look. Up in the left hand corner I've got a bunch of people inviting us to UTM. People coming and buying UTM. I might have branch offices with their own little firewalls, and I've got partners that might be coming into our network, plus I'm punching holes in my network for things like mail or for DNS of course. I've got holes as well for things like web queries if I'm running a little web farm inside my network. This perimeter of having a single spot where everything goes through and everything is well-defended is actually beginning to kind of dissolve. This is a big issue that people have talked about, and we're talking about it today.
Perimeter-based security isn't going to work all the time if I have these holes in the network. So what can you do? Well, on the left-hand side I have a whole lecture on the defense in depth strategy and I've got a whole bunch of things that you can do to improve defense in depth. I'm not going to talk about those today. You can actually go on to the Search Security website and find some of my old Information Security Decisions lectures that talk about defense in depth. What I'm talking about is the concept of re-perimeterizing your network in order to have perimeter-type defenses in place. I don't mean that you're somehow patching up holes in the firewall. I'm saying we're identifying places where we've punched a hole or we've broken up the perimeter and we're going to add defenses, virtual defenses, to create a new perimeter that we can then defend and apply these
The three things that I'm going to talk about briefly today are admission control, what I'm going to call NAC, which is not to be confused with Cisco's NAC, which is the same words and the same acronym, but this is the generic term NAC. On endpoints we're going to talk about using NAC. We want to talk about using touchdown points like tunnel servers to re-establish controls, and the recreation of little micro-perimeters where we can.
Let's first start with this whole concept of re-perimeterizing. I don't want to say these holes need to be patched. All I'm saying is that where we've opened up and dissolved our perimeter, we can create virtual perimeters. For example on the left hand side I'm saying, "Look. I've got all these people coming in via a VPN, either an SSL VPN or IPSec VPN." Well, those VPNs have to touch down in a device and that device can be your virtual perimeter. You just need to now look at that point and say, "Okay. This was a hole, but now I'm going to apply perimeter defense thinking to that device or to the hole that's created by that device." Now some people will just run around and slap a firewall behind the device. I don't think that's really the right way to do it. I think you want to integrate the security with the device itself.
Look at these holes on the right-hand side where I've brought in mail or DNS or web. Each of those holes has very definable and definite characteristics and they define a defendable border. We can actually apply a lot of defense right to that specific border point that we've just re-perimeterized instead of just saying, "Hey, I'm going to open this hole and let everything that wants through." No, no, no. I can have very, very defined defenses at those borders.
The first technology I want to talk about is network admission control. Again, I want to make sure that you understand that I'm not talking about Cisco NAC specifically. Cisco NAC, Network Admission Control, is a particular implementation of network admission control. You also find that Microsoft has a network admission control technology. They call it NAP for Network Access Protection, I think. The computing group, Trusted Computing Group, has TNC, the Trusted Network Connect framework, which is a kind of NAC. Juniper has their Infranet strategy, and that's a NAC. Of course we have all of these other companies that are participating in these. Symantec is a perfect example. They're playing probably with Cisco, Microsoft, TCG and Juniper to be part of all of their NAC strategy. There are lots and lots of partners.
Network admission control, or network access control, wraps a perimeter around the network. No matter what company you're talking about, they're saying at this access point. Now, I'm showing here this access point being the SSL VPN, but the access point to the network can be a wireless point of access, not a WAP, but a wireless point of access; a wired point of access, that's a jack in the wall; it could be an SSL VPN; it could be an IPSec VPN. Anywhere where someone touches the network, this network admission control can come into play.
The network admission controls essentially do two things together. First of all, who are you? A huge component of network admission control is the authentication aspect. When you try to come into my network, whether you're jacking in or wirelessing in or SSL-ing in or IPSec-ing in, you must provide authentication as part of NAC. And - a huge thing that people are into - does your endpoint actually comply to policy, which is to say does this endpoint security, is the security of the device you're trying to connect up to the network, have the security policy implemented as required by the organization?
For example if you say everyone has to be running Sophos and updates have to be no more than 30 days old, do you comply with that? Everyone has to have BlackICE firewall with the official corporate policy no more than 30 days old. Does your device comply with that? Everyone has to have Webroot antispyware. Does your device comply with that? So NAC is who are you and do you comply to policy. Based on that, it either lets you into the network or it doesn't let you into the network. It sends you to a remediation place or whatever. That's the whole concept of NAC. That's a new perimeter defense that's being applied not just at that internet point of connection but at every single point of entry into the network by an end system.
I'm going to bring up a caveat here when people start throwing NAC stuff around, which is the endpoint security is not actually very compelling when you face reality. I've got a graph here, and I don't even know if you can see this graph, but I just want to say what's going on. What I'm showing here is a bunch of different SSL VPN devices, and a bunch of different scenarios that I use with endpoint security. Green means that the device worked with the scenario and red means that it didn't with endpoint security. The whole point of this graph is not to say this brand is better or worse than that, but that there's a whole lot more red than green. I have a quote here from the article: "If there's a train wreck of a technology in this product niche, endpoint security is it."
So my point here is that endpoint security really only works with managed desktops and laptops. If you pass out the laptops to the user or you control the desktop, if you are able to manage it and control every aspect of it, then you're going to see a lot of green in this graph. But if you have the idea that someone is going to connect up to the network and they're going to suddenly get pushed down some Java or ActiveX thing, that's going to make this decision about whether or not they need to be remediated or access controlled or whatever not work. This is just basic testing. We tested these products, we tested them with a simple security policy and most of these products failed because it doesn't work really well in the unmanaged desktop environment.
So endpoint security as part of NAC is great stuff in the managed world, but do not let marketing PR people tell you that it's going to work very well in the unmanaged environment. That's not to say that the authentication piece is not just great, just that the security part was not great. So NAC is great stuff. I don't want to say anything bad about NAC. It's a fantastic idea. We're going to authenticate and authorize users at the point where they enter the network. We're going to try and check their endpoint security. Just be aware that you can't turn it on with a switch and it's going to work for everyone including your partners and people who are unmanaged and all these other folks who might be coming into the network.
Now there's an alternative to that, which is to actually say, "I'm going to have access controls, but I'm going to make the VPN device the UTM firewall in and of itself." I've got a little picture here showing someone coming in through a typical SSL VPN device. Of course, like any SSL VPN device or any IPSec VPN device, I not only have identity-based access control - which is I know who the user is, I'm controlling their access to the network based on their authentication information and I've got fine-grained security - but I might have additional other features.
What I'm seeing in the marketplace is that these SSL VPN devices are becoming UTM-ized perimeter controls, which means they're having things thrown into them including stuff like stateful firewall, intrusion prevention and anti-virus. The biggest example, of course, is going to be something like the Fortinet box or the Check Point box, which from the very beginning had intrusion prevention and anti-virus. You're going to see things like the Symantec box also letting you have this additional technology in place when someone comes in by an SSL VPN or an IPSec VPN. We're applying additional perimeter controls. It's not the Texas Hold 'Em theory of VPN, which is when you're in, you're all in. Instead it's you're in, but I am putting additional controls on you which give me a little baby perimeter. I can apply controls at that perimeter like stateful firewall controls and intrusion prevention controls. I'm adding perimeter-like stuff to what people used to call a hole in my network. It's not truly a hole. The devices and the products are letting me add controls. What's great about these controls is that they're based on identity and that is a fantastic way to have controls.
In addition to these VPN devices becoming perimeterized, I talked about the holes in the firewall for services. Well, if we add holes in our firewall, that just gives us an opportunity for another different kind of firewall. For example I've drawn some pictures here. I'm not advocating any of these companies. I'm just giving you examples of devices you might have. I'm saying mail comes into the network. I'm not just going to let mail drop directly into my Exchange server. That would be stupid. Instead I'm going to go out and buy an e-mail security appliance, and I'm going to throw that in there and that is just a different kind of firewall.
I've not dissolved the perimeter, I've just changed where the control goes from big, huge firewall to my big, huge firewall in my big, huge e-mail security appliance. Or maybe not even a big, huge security appliance. If I'm doing DNS, I'm not just going to throw DNS against my normal Unix-based or Windows-based DNS servers. Instead I'm going to go out and buy a DNS appliance and stick that at the edge to give me a different kind of firewall. If I'm doing web access in, I could be doing something like Citrix web access controls - I just picked them because the logo was kind of small and it fit really well here. I'm not saying any one of these companies is perfect, just that these are great little firewalls that you can put in front of services to provide very specialized firewalling. You haven't dissolved the perimeter. You've just changed the point of control to something which is really very specialized.
These are all incoming pictures, but incoming isn't the only direction. We also have outgoing. Again, I've thrown Blue Coat up here as an example, but they're not the only people in this business. When people are going out, we want to help protect them. We want to have protection which is user-focused. That is a huge new trend in security in enterprise networks: focusing on the user. What can we do to protect them as they're wandering the big bad crack house of an internet that we've got out there today? What I'm saying here is that these users might have some kind of device which is trying to protect them. An outbound web proxy server is a real good example.
Again, Blue Coat is just one example. Lots of companies do this kind of thing. What we can look for is they're not getting spyware; they're not touching websites that have spyware on them and then downloading spyware; or we're trying to help them deal with viruses; or we might be doing content filtering or regulatory compliance; all these different things focused on protecting that user. These are holes in the firewall, but they are just an opportunity for a different kind of firewall to re-establish this perimeter. You can call it defense in depth if you want or whatever you want to call it. What I'm saying is just because we punched holes doesn't mean that we are actually opening up these holes in our firewall, we're just moving the locus of control to another point. That gives us our re-perimeterization, a little micro-perimeter, a virtual perimeter here.
I have four trends here - I don't have tips, but I have trends that I want you to write down, put on a little post-it, stick it on your cubicle or however you house in your organization, things I want you to just watch for this year and probably next year as well. First of all, identity-based access control. Identity-based access control. Things like 802.1X, NAC, SSL VPN, IPSec VPN. This is saying we're not doing access controls based on IP address, which is what most firewalls do, but based on the identity of the user. That is going to be a huge, huge direction where we really get very specialized in our access controls. Possibly outbound as well as incoming but certainly incoming, where we're going to make security an access control based on who you are, not just on your IP address.
Second huge trend is endpoint security posture assessment. We see that in Cisco NAC, TCG's TNC, Microsoft's NAP, all that kind of stuff. That's going to be a big trend. I don't know whether that's right for you. It depends on your user community. It depends on how managed they are. It depends on what your real threats are. It's going to be a big trend. Watch for it under a lot of different names.
These two trends, by the way, are actually joined. NAC itself is both an identity-based access control and endpoint security posture assessment. Some folks when they talk about NAC all they seem to care about is that endpoint security. Both things are built in together and they should go together because that gives us the best level of new perimeter and micro-perimeter security.
The third big trend is watch devices that have defensive technologies built into them. So, when I looked at SSL VPNs a couple of months ago there were two or three of them that had a little bit of security features in addition to the basic SSL VPN functionality, things like internal stateful firewall or internal intrusion prevention. Watch as all these VPN devices begin to add greater features in the form of stateful firewalls, intrusion prevention, even anti-virus, into them, which is going to try to help add defensive perimeter-based intrusion defense technologies into these perimeter hole-poking devices.
Then finally, a big, huge trend which I think a lot of people are going to go for because it makes a lot of sense is user-focused security. Security which is not focused on the Internet, but on the users in the organization and how we can protect them as they go into dangerous places, which is to say anywhere outside of the company boundary. Things like proxy gateways for outbound access, you see a lot of motion in there partially because of Blue Coat's success in the marketplace. That's going to attract other companies trying to help meet that same requirement at different price points or with slightly different approaches.
These four trends, watch for them. Is every single one of them right for you? No. I'm not going to say that. Absolutely not. Nevertheless, you're going to see this happening, so keep this in mind as you start looking at security strategies for this year and the next.
I want to thank you.
Presenter: Thank you, Joel. This concludes Lesson 5, Intrusion Defense. Be sure to read Joel's article "The Future of Intrusion Defense" and take our final exam. You can access these and other resources on demand at searchsecurity.com/intrusiondefenseschool. Thank you for joining us.