Finally, Start Thinking About Deperimeterization | Protect Your Windows Network: From Perimeter to Data

Finally, Start Thinking About "Deperimeterization"

Here's a new buzzword that's actually got some solid thinking behind it. ^[20] Whether we want to acknowledge it or not, the trend is undeniable: perimeters are evaporating. Review once again the list at the beginning of this chapter: there are so many ways into modern networks that a fortress model, although fun to talk about, is starting to lose its effectiveness. As the entire transport function of every network consolidates to two protocols (HTTP and SMTP), fortress-style protection becomes more and more difficult. And in many cases, even the smartest fortress elements are powerless: Blaster snuck past hugely fortified networks because no fortress-type security model can stop a mobile Typhoid Mary of a laptop from crippling an entire network. Although we'll continue to secure our perimeters because host and data security are only now starting to mature, eventually the perimeter just might completely evaporate.

^[20] Coined by Paul Simmonds at Black Hat 2004 in "Deperimeterization: This decade 's security challenge" (http://www.blackhat.com/presentations/bh-usa-04/bh-us-04-simmonds.pdf). We won't rewrite his paper here but simply refer you to it for more supporting evidence.

Yes, it requires some fundamental changes in the way we think about security. Years ago it was fashionable to talk about "policy-based this and that." Thing is, the technology wasn't mature enough to handle such thinking; recall the death of directory-enabled networking. We don't discuss it in the book because we aren't fond of the technology, but many large organizations deploy intrusion detection as part of their perimeter defense. Why? Unless you want to dedicate full-time staff to monitoring the logs and avoiding false positives, ordinary intrusion detection systems create so much hassle that they often get ignoredor simply switched off. If instead we can define policies that describe exactly what is allowed, anomaliesthings out of the ordinarybecome very easy to spot, and possibly simply prohibited . There are differences between intrusion detection systems, anomaly detection systems, and intrusion prevention systems; ADS and IPS are certainly more challenging technologies, but ultimately are far more valuable than basic IDS.

Think about this: it's becoming increasingly difficult to control access and entry. Sure, in the physical world this is the principal goal. But in the electronic world, with so many various ways of accessing and entering a network, how can you control them all? If the ultimate goal is to protect information, doesn't it make sense to move the protection as close to the information as possible? Indeed, the process becomes more streamlined (but not necessarily easier) as you start to secure hosts and especially data, because that's where the information exists to best make the right security decisions.

To live in the deperimeterized world that's coming, you must adopt processes and deploy technology that help you accomplish four things:

Authenticate everywhere
Validate and authorize always
Audit all activity
Encrypt when necessary

It's time to end anonymity in business networks. Build infrastructures that require strong authentication to access any resource and require that every connection must successfully authenticate before it's allowed. Validate that access is from machines that you trust and that are running a standard configuration whose security you can know and control; also validate all data flowing between clients and servers to ensure that the data coming in is appropriate for the application. Consider technologies like rights management, where the information itself enforces its own access control and authorization regardless of where the information lives. Audit the activity of users to ensure that they're following policy; this can help you learn where to perhaps change policies if necessary. Encrypt whenever sensitive information must pass between two peers and there's a chance that someone else might eavesdrop on the conversation.

Perimeters were designed in the days when it was beyond anyone 's imagination that businesses would share data with customers or with each other. Perimeter security worked exceptionally well for the world of its day: because the base protocols weren't designed with security in mind, it was natural to build in the security at the network. But times have changed and the eggshells we've all been building aren't good enough anymore. Data lives everywhere; access comes from anywhere . Networks, and the way we secure them, must evolve to meet the needs of the information, its users, and their businesses.