Perimeter Defenses | Inside the Security Mind: Making the Tough Decisions

The primary focus of defense throughout history has been guarding the perimeter. Regulating the flow of access between the outside and inside borders of the home territory has always been an essential component in ensuring one's survival. Today, if an organization has any security at all, it will likely be focused on the perimeter.

Expanding the Perimeter Concept

It must be understood that when I talk about the "perimeter," this does not simply mean "the Internet." Of course, the Internet is an area that we need to be concerned with, but most organizations place far too much attention on the Internet and not enough on the rest of the perimeter. Remember the Rule of the Weakest Link? In most organizations, the Internet has the 20-foot moat and reinforced steel door while the other access points are guarded by poodles and paper blinds. The Rule of the Weakest Link is most often neglected at the perimeter.

In reality, a perimeter point is any location where an external or non-trusted party has some form of access into the internal protected networks. Defining a perimeter means defining exactly how far into the network we will allow the general public, our partners, our clients, and other external entities to wander before they must pass the drawbridge and archers. With the castle, we simple have one or two obvious entry points; but with our modern security infrastructure, we must focus on many more dimensions. Common network perimeter points include:

Internet connections, including dial-up
Active modems for inbound or outbound communications
Partner, vendor, and customer network connections
Wireless access points
Other virtual access points such as VPNs and email exchanges

graphics/11fig01a_icon.gif

It is important when working with perimeter defenses to have a clear sense of "us" and "them." One of our first perimeter analysis tasks will be to draw out exactly where the perimeter exists and where security controls need to be put into place. Following the Rule of Trust, there can be no wavering or fogginess on this issue. You are trusted, or you are not; you are inside, or you are out; end of story.

Why the Perimeter First?

It is commonly understood that an Internet connection and dial-in access should be guarded by a firewall. The general misconception, however, has been that perimeter defenses are the most important, which is not always the case. While it is generally a good practice to focus first on perimeter defenses, it should be understood that the perimeter defenses are not some magical portal that will keep our castle safe. Far too many organizations have been devastated by attacks that never even touched a perimeter access point. We do not focus on the perimeter because it is the most important, but rather because the perimeter is the most tangible, easy to focus on, and least costly to secure.

Perimeter security is where we get the most "bang for our buck." External connections can be funneled through chokepoints, allowing us to have a strong effect on security with a limited set of tools. When dealing with the perimeter, we can lay down a fairly simple structure and justify the costs to nearly any executive. The good guys are inside, the bad guys are outside, so we need to build a drawbridge with a lock. This we can explain, this people can understand, and this we can get funding for. Unfortunately, dealing with internal defenses it not as simple and introduces more complexities. Therefore, we focus first on perimeter defenses.

Defining the Perimeter

Ever sing the song that goes, "This land is your land… this land is my land"? It amazes me how many people are still humming that tune when they are building network perimeters. Oftentimes, there seems to be numerous political desires to share the local network and resources with external parties. The classic line is "In the spirit of cooperation" or "If we can't trust them… ." I have seen many organizations build great perimeter defenses and then proceed to attach vendors and partners via uncontrolled links.

When it comes to the perimeter, its important to create some hard and fast rules. We have already discussed the issue of trust, and trusting another organization with a link into an internal network has a good chance of ending up in disaster. When we look at the perimeter, there needs to be a clear-cut line of what is within each zone. We need to define, in black and white, where and how traffic in and out of the perimeter will be secured:

Define which assets are yours and which are not It is important to know where the jurisdiction of the organization ends, whether it is at the router, across the WAN link, or on the server itself.
Define the logical points where borders meet Be sure to include all equipment near the middle, and make sure everything has its designated side.
Determine who and what are on the outside and on the inside In addition, find anything left in the middle, equally accessible by both.
Draw perimeter lines with this information and document your policies.

Perimeter Rules

After defining the perimeter, we need to consider what form of security will be placed between networks. Perimeter defenses, despite their simplicity, are very often the point of failure within a security model. The issues involved in separating internal and external networks seem so simple that we leave the design, implementation, and maintenance to a junior engineer who has read a few books on firewalls during his or her coffee breaks.

Even though perimeter security is arguably one of the easiest points for us to focus on, it is important to approach it with a good deal of thought and planning. Every rule and concept addressed in this book has some influence in how we design our perimeter. In particular, the following rules and concepts should be readily observed:

Rule of Least Privilege

Most modern firewalls begin with the Rule of Least Privilege. The standard ruleset for Firewall-1, Cisco's PIX, and other standard products is, "Unless I say it is allowed, deny it." This is a great way to start perimeter defenses; the trick is maintaining this rule as functionality is added. More often than not, the Rule of Least Privilege is the first rule broken when dealing with perimeter defenses. Lets look at why:

Simple interface, profound effects The simplicity of a firewall saying, "Port X is allowed and Port Y is not," provides many organizations with a false sense of security. Rules in most firewall products are very easy to implement, yet their impact can be quite profound. Since it takes minimal work to open a firewall port, allowing easier access to others, organizations often create far too many openings than are required or more than other parties can be responsible for. It is important that the process of changing firewall rules be taken very seriously, despite simplistic interfaces. Firewall changes should conform to the Rule of Change.
Simple interfaces can also be deceiving because they hide important components. Most security devices are extremely complicated on the inside, but their complexity is masked behind a simple GUI. It is thus important to fully understand security devices before implementing rules. Often, adding a single rule will make three or four changes to the firewall's policy, some of which may leave us unknowingly vulnerable. The moral of the story: Don't be fooled by easy interfaces such as Checkpoint's Firewall GUI. Firewall implementations and modifications should only be performed by people who have had the proper training.
Allowing everything out There is a tendency for organizations to deal with security as if it was an inbound traffic-only problem. It would be a great oversimplification to state that, "We don't want anyone on the outside to gain access to the internal network." Unfortunately, some major firewalls promote this idea.
If we look at the perimeter in terms of what is flowing in, and give little or no consideration to what is flowing out, we are far less secure than we think. A great many attacks occur by opening channels from the internal network and riding back on established connections. Many applications, including Trojan horses, back doors, and even legitimate applications, can create tunnels spawned from internal systems, thereby bypassing an inbound-only ruleset. When dealing with perimeter security, it is vital to review the concept of zoning and enforce the most restrictive zoning rules possible without harming the business. Always think in terms of the Rule of Least Privilege, even when vulnerabilities are not obvious.

Creating a Chokepoint

Creating and consolidating chokepoints are extremely important tasks when dealing with an organization's perimeter. Once the perimeter has been defined, it is best to consolidate as many areas as reasonably possible through one or two chokepoints. Some organizations choose to have many chokepoints guarded by numerous security devices. Keep in mind, however, that the more entry points, the less attention each will get and the more likely we are to find a vulnerability within one of them.

It is important to create a perimeter policy that strictly forbids anyone from making additional perimeter access points. Individuals and departments should be prevented from installing modems, enabling access services, or making any other external connection without going through a designated perimeter chokepoint. Searching for such illegal connections should be part of the regular security audit process.

Layering Defenses

Our castle, of course, will have a deep moat surrounding the keep. High walls will be constructed, blocking access to and visibility of our most vital areas. Archers will line the walls, along with numerous mechanisms to defend against invading forces. And of course, our drawbridge will raise and lower in accordance with the Rule of Least Privilege. Similar to these defenses placed beyond our castle gate, it is best to place external and internal security beyond main firewall and IDS devices.

Layering the network Most organizations push external security all the way out to the perimeter routers (also called screening routers). These routers should be configured to block and log any obvious errors and attacks. Common things to block at a perimeter router include:
- Direct access to the firewall and the perimeter router itself
- Direct access to internal, non-translated addresses
- Requests from illegal addresses, or addresses known to belong to the local organization (spoofing)
When dealing with this layer of defense, the controls will not be nearly as granular. Consequently, maintenance on these rules should remain minimal. In addition, external routers should themselves be hardened by turning off nonessential services and protecting their access points.
Layering devices Defenses should also be placed inside the firewall. In the next section, I will discuss internal defenses that should be implemented. For now, there should be a special focus on any internal devices that are accessible from outside the perimeter. All accessible devices should, of course, be placed in some form of protective DMZ. In addition, such devices should be hardened and strictly monitored. The firewalls should have their operating systems secured.

Rule of Trust

The chain of trust in perimeter networking is probably the longest trusting chain in the world. If our organization links directly to any other organization, we have no control of who can assess us through them. If an employee of a partner dials into the Internet, that employee basically establishes an unprotected link between our internal computers and the Internet.

Trusting an organization and not placing any security devices between the local network and their network should be avoided, even if the other organization is small, well-known, and even if that organization extends full trust to our organization.

The Rule of Trust states that we should not only examine who we are trusting, but also the contexts in which trust is applicable. We may very well have a saintly company in the Midwest to which we allow special access into our systems, but we must also take into account that the company is traversing the Internet or using dial-up or other unsecure media to gain access to us. This is similar to leaving our door open in a bad neighborhood to allow our trusted friends to enter.

Rule of the Three-Fold Process

When dealing with our perimeter, we must be especially mindful of the Rule of the Three-Fold Process. Since the perimeter is attached to the outside world, security vulnerabilities can be quickly detected by external hackers. Letting security slide at the perimeter can be devastating.

Maintenance Perimeter defenses are prime examples of where maintenance must be practiced. The average firewall and IDSs, for example, can only go a short time before some form of update or modification is required. With hundreds of new exploits manifesting every day, we can be sure that hackers will be able to sneak past perimeter devices if they are not properly maintained.
Logging and monitoring Another extremely important practice for perimeter defenses is monitoring. Remember that security devices are extremely dumb and are unable to recognize attacks outside of preprogrammed patterns. Security is not extremely complex, but it is made up of an infinite combination of events that could constitute an attack. Many combinations that may be obvious to a watchful administrator may not be obvious to a firewall. A hacker can learn how a perimeter device works and create logical methods to sneak through it. A human, however, is not so easy to fool and has a much greater capacity to understand an attack than any countermeasure. Therefore, all devices at the perimeter should be generating logs of suspicious activities and such logs should be monitored regularly.

The Concept of Thinking in Zones

Though perimeter networks can be as simple as having one inside and one outside zone, most of the time, networks are somewhat more complex. Considering the concept of zoning, we must think carefully of how access is taking place between subjects and objects on each side of the perimeter. Communications that will be allowed to cross through the perimeter should be evaluated against the different levels of exposure as discussed in the section, Thinking in Zones, in Chapter 5, Developing a Higher Security Mind. Each type of communication that will be allowed to pass through perimeter security devices should facilitate the least amount of exposure as possible. DMZs and relayed services are common security measures found at the perimeter.

The Concept of Working in Stillness

Perimeter devices, especially those connected to the Internet, often have an incredible variety of traffic passed through them. By simply connecting our perimeter to another organization or the Internet, the firewall and IDS will begin finding a wide variety of unauthorized activities.

The average perimeter security device will start by generating hundreds or thousands of logs due to these foreign communications. This renders our valuable logs virtually useless since it becomes nearly impossible to see a real attack among the noise. It is thus very important that we put some effort into tuning the logging of perimeter devices to give us some clarity into the activities hitting these devices. The concept of working in stillness should be applied to all perimeter security devices.