www.expresscomputeronline.com WEEKLY INSIGHT FOR TECHNOLOGY PROFESSIONALS
26 December 2005

Best Defence
Perimeter Security

Guarding the gates

Perimeter security ignores common knowledge: research has shown that most of the attacks on a network come from within. The solution lies in applying the concept of defence-in-depth, says Sumit Dhar.

Sumit Dhar

The concept of Perimeter Security is a lot like the Castle and Moat model of yore: put your critical assets in a secure location, build a strong wall around them, dig a moat around the wall (preferably filled with hungry crocodiles) and use a drawbridge to control who goes in and out. Applied to computer security, this model helped keep the good guys inside and the bad ones out.

Simply put, Perimeter Security is a fortified boundary around your corporate computing infrastructure. It lets you lock down access to your network and, by extension, shield the applications, data and resources behind it. Perimeter Security might include border routers, firewalls, Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), Virtual Private Network (VPN) devices and gateway anti-virus systems.

Each of these components serves a different purpose. A border router is the junction between two networks and forwards traffic between them; with access control lists it can also do coarse filtering. A firewall inspects each packet (and, if it is stateful, the connection the packet belongs to) and passes only traffic that matches an explicit allow rule, dropping everything else by default. An IDS watches traffic or host activity and raises an alert when it detects unauthorised access, whereas an IPS sits inline and can drop the offending traffic before it reaches its target.

Perimeter Security has many advantages. It seems perfectly logical to stop attackers at the hardened boundary and not let them in. When a new vulnerability is discovered, it is easier to block the attack with a single rule at the firewall than to patch every machine inside the network. Such a toughened exterior allows you greater flexibility and a softer core inside. For quite some time, therefore, the idea of security was to harden the perimeter.

While this approach worked well, it had its share of problems. The Trojans learnt this lesson the hard way: once Odysseus and the Greek warriors were inside, the hardened walls of Troy became irrelevant.

Similarly, Perimeter Security ignores common knowledge: research has shown that most attacks on a network come from within, and Perimeter Security is helpless against them. The perimeter has also become hazy and porous on account of a mobile workforce, Business Process Outsourcing, third-party vendors and Web services. Not only that, with an increasing number of employees working from home, the assets the company is trying to protect might not even be inside the perimeter. No wonder many CISOs feel like the French did when the Germans went around the Maginot Line.

Introducing defence-in-depth

So the question we need to ask ourselves is what defence model comes next. The response that addresses the new security environment of corporate networks is often referred to as defence-in-depth. A defence-in-depth architecture treats the security of the network like an onion: protection is added at multiple layers rather than relying on the perimeter alone. Even if an attacker peels away the outermost layer (the perimeter), there are many others beneath it that can stop him or her.

Defence-in-depth is not a product, like a firewall or an IDS. Instead, it is a security architecture that calls for the network to be aware and self-protective. It reduces the attacker's chance of success, increases the probability of detection, limits the extent of any compromise and protects the confidentiality, integrity and availability of critical assets.

A defence-in-depth strategy requires focus on three primary elements: people, technology and operations. On the people front, it begins with senior management commitment based on a clear understanding of the perceived threat. This must be followed by comprehensive information security policies and procedures, user training and awareness, and a clear assignment of roles and responsibilities.

On the operations front, defence-in-depth focusses on all the activities required to sustain an organisation's security posture on a day-to-day basis. These include maintaining a visible and up-to-date security policy, obtaining security certification and accreditation, performing security assessments, monitoring and reacting to current threats, and recovery in case of a breach.

On the technology front, this architecture centres on maintaining appropriate security measures and procedures at various layers.

  • Perimeter: Being the outermost layer of a company's defences, the perimeter is the most exposed and receives the largest number of attacks from outside. Perimeter Security includes firewalls, VPN devices, gateway-level anti-virus systems, bastion hosts and proxy servers.
  • Network: This can be considered the second layer of the defence-in-depth architecture. These solutions look at the internal communications path of the corporation’s infrastructure and help the company understand what communication is taking place on its network. This includes IDS, IPS, Vulnerability Management Systems, access control and user authentication.
  • Host: This layer of defence is responsible for keeping your host operating systems and workstations secure. It includes standard system configuration, change control and management, host-based IDS, host-based anti-virus, host-based firewalls and host-layer authentication/access control.
  • Application: This layer keeps applications on a host system secure. It includes an application development life cycle methodology, change control, application-level authentication and access control, logging and audit built into the application.
  • Data: This layer of defence focusses on keeping the information used by an application secure and confidential. It includes data classification, end-to-end encryption, logging, auditing and reporting of data access.

Defence-in-depth provides organisations with a holistic end-to-end security framework, layering several components to achieve multiple points of security enforcement. Using this approach reduces an attacker's chance of success while increasing the probability of detection and containment.
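The following is an added worked example, not code from the article, illustrating two of the points above in one place: the perimeter "virtual patch" that blocks a newly disclosed flaw with a single firewall rule (as described under the advantages of Perimeter Security) and the insider traffic that such a rule never sees, which only a second, host-level layer can stop. It is a toy first-match packet filter in Python. The address space, the vulnerable port (TCP 445), the admin subnet and the packets are all constructed for illustration.

```python
"""Toy perimeter-plus-host packet filtering (added example, not from the article)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Assumed corporate address space; every other address is "outside".
INTERNAL = ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: Optional[str] = None    # source CIDR; None matches any source
    dport: Optional[int] = None  # destination port; None matches any port

    def matches(self, pkt: Packet) -> bool:
        if self.src is not None and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


class Filter:
    """First-match rule set with an explicit default deny, like a firewall ACL.
    A boundary filter (the perimeter) only sees traffic that crosses it."""

    def __init__(self, name: str, rules: List[Rule], boundary: bool = False):
        self.name, self.rules, self.boundary = name, rules, boundary

    def sees(self, pkt: Packet) -> bool:
        if not self.boundary:
            return True
        return (ip_address(pkt.src) in INTERNAL) != (ip_address(pkt.dst) in INTERNAL)

    def decide(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return "deny"


# Constructed scenario: a fresh flaw in a service on TCP 445 (assumed port).
# The perimeter gets a one-line virtual patch; the file server's own host
# firewall additionally restricts 445 to an assumed admin subnet.
PERIMETER = Filter("perimeter", [
    Rule("deny", dport=445),
    Rule("allow", dport=443),
], boundary=True)
HOST = Filter("host", [
    Rule("allow", src="10.0.1.0/24", dport=445),
    Rule("allow", dport=443),
])


def trace(pkt: Packet, layers: List[Filter]) -> List[Tuple[str, str]]:
    """Pass the packet through each layer in order and record every verdict,
    stopping at the first deny. Layers that never see the packet say so."""
    path: List[Tuple[str, str]] = []
    for layer in layers:
        if not layer.sees(pkt):
            path.append((layer.name, "not seen"))
            continue
        verdict = layer.decide(pkt)
        path.append((layer.name, verdict))
        if verdict == "deny":
            break
    return path


def final_verdict(pkt: Packet, layers: List[Filter]) -> str:
    return "deny" if any(v == "deny" for _, v in trace(pkt, layers)) else "allow"


def perimeter_only(pkt: Packet) -> str:
    return final_verdict(pkt, [PERIMETER])


def defence_in_depth(pkt: Packet) -> str:
    return final_verdict(pkt, [PERIMETER, HOST])


if __name__ == "__main__":
    samples = {
        "outsider -> 445": Packet("203.0.113.5", "10.0.2.10", 445),
        "insider  -> 445": Packet("10.0.5.7", "10.0.2.10", 445),   # compromised desktop
        "admin    -> 445": Packet("10.0.1.3", "10.0.2.10", 445),
        "outsider -> 443": Packet("198.51.100.9", "10.0.2.10", 443),
    }
    for label, pkt in samples.items():
        print(f"{label}: perimeter-only={perimeter_only(pkt)}, "
              f"defence-in-depth={defence_in_depth(pkt)}, path={trace(pkt, [PERIMETER, HOST])}")
```

Run stand-alone, the script shows the outsider's packet to port 445 dying at the perimeter, the insider's identical packet sailing past a perimeter-only design (the boundary device never sees it) and being stopped only by the host layer, while legitimate admin and HTTPS traffic still gets through both layers. The `trace` output is the kind of per-layer record that also raises the probability of detection, since a deny at the host layer for internal traffic is itself a signal worth alerting on.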

Introducing de-perimeterisation


Not satisfied with Perimeter Security or defence-in-depth, a user group, the Jericho Forum, has come up with a radical idea it calls de-perimeterisation. The Forum boasts an impressive membership list, including Barclays, Boeing, BP, HSBC, Procter and Gamble, Rolls Royce and Royal Mail, and has been receiving a lot of press attention.

According to the Jericho Forum Web site: “A new approach is needed, to move from the traditional network perimeter down to the individual networked computers and devices and ultimately to the level of the data being sent over the networks. This process has been described as ‘re-perimeterisation’ followed by ultimate ‘de-perimeterisation’ and Boundaryless Information Flow.”

The Forum argues that, with the advent of outsourcing, managed services, enterprise mobility and business partner relationships, organisations no longer own their entire infrastructure and that the existing security models are therefore obsolete. The group counsels a four-phase approach to de-perimeterisation:

  • Phase I: Make services available across the perimeter.
  • Phase II: Remove the perimeter altogether.
  • Phase III: Develop a standards-based approach to data access.
  • Phase IV: Control access to data, not the underlying infrastructure.

The fundamental problem with the Jericho Forum's vision is that it completely ignores the doctrine of defence-in-depth. Even if all your hosts can withstand attacks from the open Internet, it still makes sense to have the extra layer of defence that a firewall around them provides. As mentioned before, for a new vulnerability it is easier to block the attack with a rule at the firewall than to patch every machine inside the network.

Secondly, de-perimeterisation requires a universal trust infrastructure. In order to authenticate users, devices and data from outside your organisation, you need a way to establish and verify how far you trust them. Proponents of PKI and federated identity have been facing an uphill task in achieving similar objectives, and the members of the Jericho Forum are likely to run into the same problems. Further, without vendor involvement de-perimeterisation is not attainable, and uptake of the concept among technology vendors has been slow.

And the answer is...

Perimeter Security might have served as an adequate information security model in the 1990s. But in today’s world of telecommuting employees, mobile devices and external third party vendors, it is inadequate.

Those with a fiduciary responsibility for their company need to move away from the 'we have a firewall and all is well' mindset towards a holistic view of security, because network security now goes well beyond the perimeter. It requires multiple defence mechanisms at multiple deployment points. After all, no single security component can be guaranteed to withstand every attack it may face. Defence-in-depth helps you protect network resources even when one of the security layers is compromised.

The Jericho Forum's ideas on de-perimeterisation are not yet ready for prime time. Its conclusion that companies can implement de-perimeterisation in four years' time is too optimistic. Until a universal trust infrastructure is developed and vendors get actively involved, de-perimeterisation will be hard to implement. For now, companies should aim for defence-in-depth.

Sumit Dhar is Senior Consultant, Ernst & Young. He can be reached at sumit.dhar@in.ey.com
