Chapter 7. Protecting Your Perimeter

Stop to think for just a moment. When's the last time you saw an honest-to-%DEITY%, [1] rigid, well-defined, and impenetrable network perimeter? Go on, we'll wait.

[1] Replace this script variable with the supreme being of your choice.

It's been a while, hasn't it? For us, it's been so long we're beginning to wonder whether our foggy memories are nothing more than fading fantasies of whispers of shadows of network design purity. Well, not really. Like security design, network design should always support the requirements of whatever businesses are running on the network. And when you consider all the various access needs of modern twenty-first-century business operations, you'll realize (perhaps reluctantly) that the traditional network designs we've all grown up with have morphed, stretched, and sometimes even twisted beyond their limits.

Reflect on all the various extensions of modern network "perimeters." Indeed, the list is daunting:

  • Distant branches (connected via "private" [2] WAN links)

    [2] Unless you're willing to shell out the astronomical sums required for the phone company to bury dedicated copper or plastic for your WAN, your links truly aren't private. SONET/SDH rings and ATM/Frame Relay clouds are literal seething throngs of data, often shared by organizations that are business competitors. Rarely, however, is there any other choice.

  • Roaming users

  • Telecommuters

  • Wireless networks

  • Business partners

  • Customers

  • Internet applications

  • On-site consultants

Each of these has different needs and requires different levels of trust. How in the world can you build a perimeter now? Information assets are distributed across many business units, countless machines, and diverse geographies. The classical notion of a network perimeter (a limited set of computers located in the same physical building) is no longer valid. It's been years since we've seen a truly isolated network: everything's got an Internet connection now. And among hosts connected to the Internet, mobile devices are well on their way to outnumbering regular computers. We predict this rapid proliferation of mobile devices will be the catalyst for a worldwide migration to IPv6. Asia has been investing in IPv6 for years, and near the end of 2004 the China Education and Research Network Information Center (CERNIC) announced the launch of CERNET2, an IPv6 network linking 25 universities in 20 cities across the country. It's the largest IPv6 network built so far, and propels China to the forefront of next-generation Internet development. [3]

[3] Keep watch at http://www.chinaipv6council.com.

Protecting a network perimeter is more than just installing a firewall and configuring a few rules. We'll cover that in this chapter, yes, along with Internet applications and VPNs for telecommuters and other kinds of remote access. We defer the discussion of wireless security to Chapter 10, "Preventing Rogue Access Inside the Network." But first we want to take a moment to review a popular information security taxonomy, because it's interesting to consider where firewalls fit.



Protect Your Windows Network: From Perimeter to Data
ISBN: 0321336437
Year: 2006
Pages: 219