With apologies to Samuel Clemens, the rumours of the perimeter's death have been greatly exaggerated.
I recently attended a conference organised by one of the major industry think tanks. Throughout the convention, several analysts pounded home the message, "The perimeter is dead. Abandon your border firewalls and spend your time hardening systems." This isn't an isolated opinion either. During the past year, a number of security professionals from consulting firms and client organisations have espoused the same viewpoint. Frankly, it's bad advice.
The proponents of this philosophy are correct in one respect: endpoint protection is one of security's greatest future challenges. The reason for the endpoint emphasis, however, isn't that the border is "dead," but rather that appropriate, mature network defences have already been developed to control perimeter traffic. Most enterprises use a combination of firewalls, virtual private networks (VPNs) and intrusion detection/prevention (IDS/IPS) systems to limit access to internal networks. Generally speaking, there isn't much work to do in these areas; it's about maintaining these controls and adapting them as dynamic infrastructures change. The maturity of the technology offers the opportunity to focus limited financial and human resources on more challenging problems, such as endpoint/server management and application security.
Those who say that the perimeter is dead often point out that today's computing environments are becoming increasingly mobile. As users spend less time behind perimeters, some propose that it is less important to protect those private networks from outsiders. This argument simply doesn't hold water. First, if the right technology is in place, why wouldn't every opportunity be taken to make users safer when they're connected to their home networks? Second, VPNs are vigorously promoted, and they provide travelling users with a secure network presence. Finally, assets such as servers are often on home networks and will never actually travel. They usually contain significant information assets that call for the added protection of a hardened perimeter.
I'd also like to point out two important benefits offered by perimeter controls:
- Perimeter defences are valuable filters. If it does nothing else, a strong perimeter conserves resources. It blocks the script kiddies and network vulnerability scanners from consuming valuable bandwidth and does so at the earliest possible point. A protected network border also limits the amount of work of internal security controls and simplifies the analysis of their logs.
- Perimeters provide an added layer of defence. We've all come to embrace the "defence-in-depth" approach to security: a series of layered defences designed to prevent the penetration of core assets. The use of border firewalls and other perimeter controls adds an additional layer of protection at a relatively low cost.
What's the moral of the story? Don't listen to the hype. Sure, it makes sense to focus security efforts on the endpoint. You'll get a lot of bang for your security buck and ensure that users remain safe while they're on the road. However, it just doesn't make sense to completely ignore strong perimeter defences. It may sound compelling in theory, but the next time someone tells you that the perimeter is dead, ask them the same question I've posed to many such individuals: "Have you turned off your border firewall?"