I read an interesting blog post by Chad Perrin at http://blogs.techrepublic.com.com/security/?p=455&tag=nl.e036
What I found interesting about it is that Chad was trying to correct the misconceptions or the attempt to promulgate misconceptions by software vendors, regarding the issue as to whether there is a “perimeter”. Chad’s argument is that there is “a perimeter, kinda”.
It’s fascinating to me to hear these things, since experts in network security have known for years that there is no such thing as “a perimeter”. The fact is that there are, and have always been, multiple perimeters on computer networks. The problem is that people who aren’t in on “the know” still believe in the education née marketing promulgated by Cisco and other firewall vendors that there is one perimeter — the Internet Edge of the network. This is not true, nor has it ever been true.
Perimeters can be defined in multiple ways, but they always represent a demarcation between security zones. There are multiple ways you can define security zones. For example, you can define a security zone by the level of trust you have in a collection of computer resources, and then place those devices within the same security zone. Or, maybe you should consider your level of mistrust in a collection of computers, based on what the damage would be if one or more of the machines in that collection are compromised. Or you can define your security zones based on the level of trust you have for different levels of users, and define your perimeters based on users inside and outside your organization.
The key issue is that communications moving between your different security zones must cross a perimeter device that does the following:
- Controls who can cross the perimeter
- Controls what can cross the perimeter
- Controls what protocols can cross the perimeter
- Logs who has attempted access across the perimeter
- Logs what applications have attempted access across the perimeter
- Reports on who has accessed what content, using what protocols, at what time and on what day, across the perimeter
Only by recognizing that there are multiple perimeters that must be maintained and monitored will you be able to achieve real access control and the ability to perform accurate forensics in the event that there has been a data breach.
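To make the list above concrete, here is an added example (my own illustration, not code from the original post): a toy perimeter device that enforces a zone-to-zone policy on (user group, application, protocol), logs every attempt including the denied ones, and produces the who/what/how/when report described above. The zone names, policy and traffic are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime

# Constructed zone policy (an assumption, not from the post): for each
# (source zone, destination zone) boundary, the (user group, application,
# protocol) triples allowed to cross it. Anything not listed is denied.
ZONE_POLICY = {
    ("workstations", "database"): {("dba", "sqlclient", "tcp/1433")},
    ("workstations", "internet"): {("staff", "browser", "tcp/443")},
    ("internet", "dmz"): {("anonymous", "httpd", "tcp/443")},
}

@dataclass
class Flow:
    user: str       # who
    group: str      # the trust level (user class) the perimeter decides on
    app: str        # what application
    proto: str      # what protocol
    src_zone: str
    dst_zone: str

@dataclass
class Perimeter:
    """Perimeter device between two zones: decides, logs every attempt, reports."""
    log: list = field(default_factory=list)

    def check(self, flow: Flow, when: datetime) -> bool:
        """Permit only (group, app, proto) triples the policy allows for this boundary."""
        rules = ZONE_POLICY.get((flow.src_zone, flow.dst_zone), set())
        allowed = (flow.group, flow.app, flow.proto) in rules
        # Denied attempts are logged as well: that record is what forensics needs.
        self.log.append({"when": when.isoformat(timespec="minutes"), "user": flow.user,
                         "app": flow.app, "proto": flow.proto, "result": "allow" if allowed else "deny",
                         "boundary": f"{flow.src_zone}->{flow.dst_zone}"})
        return allowed

    def report(self) -> Counter:
        """Who crossed (or tried to cross) which boundary, with which protocol, and how often."""
        return Counter((e["user"], e["boundary"], e["proto"], e["result"]) for e in self.log)

def demo() -> Perimeter:
    """Constructed sample traffic: one legitimate DBA, one staff user whose database attempt is denied."""
    p, t = Perimeter(), datetime(2024, 1, 15, 9, 30)
    p.check(Flow("alice", "dba", "sqlclient", "tcp/1433", "workstations", "database"), t)
    p.check(Flow("bob", "staff", "sqlclient", "tcp/1433", "workstations", "database"), t)
    p.check(Flow("bob", "staff", "browser", "tcp/443", "workstations", "internet"), t)
    p.check(Flow("bob", "staff", "browser", "tcp/443", "workstations", "dmz"), t)  # no rule: denied
    return p
```

The point of the denied entries in the log is the post's forensic argument: a boundary with no rule is still a perimeter, and an attempt to cross it is still evidence.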
Note that this example includes only network perimeters. There are other perimeters that you need to control. The computer hardware perimeters of the CD/DVD drive and burner, the USB port and the FireWire port all represent hardware perimeters that you need to control.
The data itself also represents a perimeter. You need a way to determine who has accessed the data, who the data was sent to, and who copied or printed the data.
Data security is all about security zones and perimeters. That’s why I always get a laugh when I hear that “there is no more perimeter” — that’s right, there never was “a perimeter”; there have always been multiple perimeters.
Thomas W Shinder, M.D.
GET THE NEW BOOK! Go to http://tinyurl.com/2gpoo8
MVP – Microsoft Firewalls (ISA)