Problem solve Get help with specific problems with your technologies, process and projects.

Bringing the network perimeter back from the 'dead'

In the past year, a number of security professionals from consulting firms have expressed the importance of endpoint security, going so far as to say the perimeter is dead. Not so fast, offers network security expert Mike Chapple. In this spirited tip, Chapple explains why reliable, border-protecting technologies are still an essential part of a layered defense.

With apologies to Samuel Clemens, the rumors of the perimeter's death have been greatly exaggerated.

I recently attended a conference organized by one of the major industry think tanks. Throughout the convention, several analysts pounded home the message, "The perimeter is dead. Abandon your border firewalls and spend your time hardening systems." This isn't an isolated opinion either. During the past year, a number of security professionals from consulting firms and client organizations have espoused the same viewpoint. Frankly, it's bad advice.

For more information

Learn the key technologies in a network perimeter intrusion defense strategy.

Identifying the network edge is a challenge in itself. This webcast offers insight on protecting enterprise networks in a perimeterless world.

Stumped by network security? Send Mike your questions.
The proponents of this philosophy are correct in one respect: endpoint protection is one of security's greatest future challenges. The reason for the endpoint emphasis, however, isn't that the border is "dead," but rather that appropriate, mature network defenses have already been developed to control perimeter traffic. Most enterprises use a combination of firewalls, virtual private networks (VPNs) and intrusion detection/ prevention (IDS/IPS) systems to limit access to internal networks. Generally speaking, there isn't much work to do in these areas; it's about maintaining these controls and adapting them as dynamic infrastructures change. The maturity of the technology offers the opportunity to focus limited financial and human resources on more challenging problems, such as endpoint/server management and application security.

Those who say that the perimeter is dead often point out that today's computing environments are becoming increasingly mobile. As users spend less time behind perimeters, some propose that it is less important to protect those private networks from outsiders. This argument simply doesn't hold water. First, if the right technology is in place, why wouldn't every opportunity be taken to make users safer when they're connected to their home networks? Second, VPNs are vigorously promoted, and they provide traveling users with a secure network presence. Finally, assets such as servers are often on home networks and will never actually travel. They usually contain significant information assets that call for the added protection of a hardened perimeter.

I'd also like to point out two important benefits offered by perimeter controls:

  • Perimeter defenses are valuable filters. If it does nothing else, a strong perimeter conserves resources. It blocks the script kiddies and network vulnerability scanners from consuming valuable bandwidth and does so at the earliest possible point. A protected network border also limits the work of internal security controls and simplifies the analysis of their logs.
  • Perimeters provide an added layer of defense. We've all come to embrace the "defense-in-depth" approach to security: a series of layered defenses designed to prevent the penetration of core assets. The use of border firewalls and other perimeter controls adds an additional layer of protection at a relatively low cost.

What's the moral of the story? Don't listen to the hype. Sure, it makes sense to focus security efforts on the endpoint. You'll get a lot of bang for your security buck and ensure that users remain safe while they're on the road. However, it just doesn't make sense to completely ignore strong perimeter defenses. It may sound compelling in theory, but the next time someone tells you that the perimeter is dead, ask them the same question I've posed to many such individuals: "Have you turned off your border firewall?"

About the author:
Mike Chapple, CISA, CISSP, is an IT security professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated. He also answers your questions on network security.

This was last published in September 2007

Dig Deeper on Network device security: Appliances, firewalls and switches

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.