Forget About the Perimeter

Several years ago our friend Steve Riley was running around the world delivering a presentation he called "Death of the DMZ." Steve was one of many insightful security professionals who were claiming that the perimeter was becoming increasingly meaningless as a defensive measure. The rationale behind this argument was based on a number of observations:

• Perimeters are typically configured to allow a lot of traffic to pass through, needed or not.

• A significant volume of traffic is being tunneled through other protocols at the application layer. This is the central tenet behind so-called "SSL VPNs," which encapsulate protocols ranging from Server Message Block (SMB) and RPC, to FTP and HTTP, in an HTTPS connection.

• The size of organizational networks is so large that even if every single computer is patched 99.9 percent of the time, the likelihood that a network contains at least one unpatched machine at any given time is over 63 percent in a network of just 1,000 computers. Statistically, it is virtually impossible to keep an entire network up-to-date on patches before you even consider the fact that some computers inside the organization are operated by people hostile to the organization.

• Computers transition between the external and the internal network constantly, bringing inside whatever they picked up on the outside.

• It is almost certain that in any network of interesting size, there exists at least one router to the outside that is unmanaged. It may simply be a misconfigured system on a VPN connection, or it could be much worse.

• The attacks today are attacking people, and sometimes the application layer. Firewalls and filtering routers do nothing to ward off attacks against people and they typically operate very low in the stack, at the network and transport layer. If a firewall understands application layer traffic, it is usually configured only to block traffic that is known to be bad, as opposed to allowing only that which is provably good.

All these factors contribute to the state we have today: where the perimeter is merely a marginally useful coarse filter. An organization that fails to realize that the perimeter does not truly protect it is not doing all it could, and should, to protect its information assets. Such a philosophy guarantees the success of a dedicated attack, and vastly increases the damage that will be caused by the next network worm. The standard of care today should include deeper protection inside the perimeter. It should include protection that blocks not just traffic from outside the network, but the vast majority of traffic patterns inside the network. Take our 5,000 computer network example: You could almost certainly take the 500,000,000 possible connections in that network and reduce them to 50,000 connections, a reduction of four orders of magnitude.

The old model that you have a perimeter that provides our primary protection is shortsighted and dangerous today. We should not rush to get rid of the perimeter. It is a useful defense-in-depth measure. However, we must provide additional restrictions inside the network. David LeBlanc, of Writing Secure Code fame, once said that "the vast majority of organizational networks today are semi-hostile at best." He was absolutely right. There are malicious hosts and malicious users inside every single network. Add to that the egg-shell design, based on the false conception that there is a concrete, as opposed to abstract, perimeter. Take all these factors into account and it is only a matter of time before the whole house of cards falls.