A network perimeter defines where your internal network stops and where the connection to the internet starts. For traditional private networks, this boundary was easy to locate: the gateway was usually the router, and everything was hardwired.
Nowadays, it’s not that easy, especially when dealing with cloud-based components and mobile devices used remotely. Where do you draw the line around what is and isn’t a part of your network? Networks aren’t always under the complete control of the administrator, and a solution’s complexity can hide that boundary even further. No matter which network and perimeter tools you use, you’re fundamentally dealing with a matter of trust.
In this article, you’ll learn what a network perimeter is and how you can use one to successfully protect your business against cyberattacks, as well as your own users. First, let’s take a look at what a network perimeter is.
What Is a Network Perimeter?
A network perimeter is the boundary of what you consider trusted and what you don’t. Fundamentally, you should consider anything inside your network as trusted, and anything outside your network as untrusted. This sounds simple enough, right?
Let’s take a moment now and consider where the internet starts for your company. On each site, it starts at the demarcation point (the ‘demarc’). This is where the wire from the telecommunications company joins the private network. Often, this is where the telecommunication wire enters the property.
One of the first pieces of hardware used is a router. Either your ISP supplies it or your company owns it. It’s also called customer premises equipment (CPE). This router directs traffic between the internet and the rest of your private network.
Now, let’s take a look at the network tools that can help you define your network perimeter.
Obviously, you’ll need to have some form of security between the previously mentioned router and your network. This is where firewalls come into play. You can use firewalls and add access control lists (ACLs) that contain inbound and outbound rules to control who has access to your network.
One question you might ask yourself is, “How can I deal with public access to my network?” Many companies use a DMZ, also known as a demilitarized zone. It’s a third zone where trusted and untrusted communication meet, and it’s typically treated as untrusted. Often, companies will divide up servers, making some public in a DMZ and some private and trusted. The firewall ACLs act as a gatekeeper that controls what enters each zone.
You can add intrusion detection systems (IDS) to your network to provide you with a greater level of protection. They work similarly to firewalls but have some more features. For instance, you can use an IDS to alert administrators and quarantine potentially bad data packets (when an IDS sits inline and blocks traffic itself, it’s usually called an intrusion prevention system, or IPS). Unlike a firewall, an IDS not only inspects a packet’s header and footer but also its body to try and locate any form of malware. Furthermore, you can use an IDS to monitor network traffic and notify you of abnormal network usage.
An example of this can be users trying to access silos outside normal operating hours. You can distribute IDS devices in front of siloed teams or divisions to restrict access from different team members. For instance, you may not want your design team to have access to your skunk works division for some reason. Finally, you can also set up an IDS to take automated action when it encounters suspicious traffic.
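The two IDS behaviours described above, off-hours access to a silo and access from a team that doesn’t own that silo, can be expressed as simple detection logic run over access logs. The following is an added example, not code from the original article or any IDS product; the log lines, team names, silo names and business hours are all constructed for the demonstration, and the “quarantine” versus “alert” split is an assumed policy.

```python
from collections import namedtuple
from datetime import datetime, time

# Constructed access log lines: timestamp, user, team, destination silo.
LOG_LINES = """\
2024-03-04T09:12:03 alice design design-share
2024-03-04T14:45:10 bob skunkworks skunk-lab
2024-03-04T23:17:41 alice design design-share
2024-03-04T10:02:55 alice design skunk-lab
2024-03-05T03:30:00 carol finance finance-db
""".splitlines()

# Assumed policy: normal operating hours and which team owns each silo.
BUSINESS_HOURS = (time(8, 0), time(18, 0))
SILO_OWNERS = {
    "design-share": {"design"},
    "skunk-lab": {"skunkworks"},
    "finance-db": {"finance"},
}

Event = namedtuple("Event", "ts user team silo")


def parse(line: str) -> Event:
    """Turn one whitespace-separated log line into an Event."""
    ts, user, team, silo = line.split()
    return Event(datetime.fromisoformat(ts), user, team, silo)


def detect(events):
    """Return (user, silo, reasons, action) for every suspicious event.

    Off-hours access by the owning team only raises an alert; access from
    a team that doesn't own the silo is quarantined (assumed policy).
    """
    alerts = []
    for e in events:
        reasons = []
        start, end = BUSINESS_HOURS
        if not (start <= e.ts.time() < end):
            reasons.append("off-hours")
        if e.team not in SILO_OWNERS.get(e.silo, set()):
            reasons.append("cross-silo")
        if reasons:
            action = "quarantine" if "cross-silo" in reasons else "alert"
            alerts.append((e.user, e.silo, tuple(reasons), action))
    return alerts


def run() -> list:
    """Parse the constructed log and return the alerts it produces."""
    return detect(parse(line) for line in LOG_LINES)


if __name__ == "__main__":
    for user, silo, reasons, action in run():
        print(f"{action.upper():10} {user} -> {silo} ({', '.join(reasons)})")
```

Running the block prints three findings: alice and carol touching their own silos outside business hours (alert only), and alice from the design team reaching the skunk-works lab (quarantined). Real IDS rules would key on packet contents and flow metadata rather than a tidy four-field log, but the decision structure, a list of reasons that maps to an action, is the same.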
Most organizations will also choose to use a Wi-Fi DMZ specifically for providing guests with an internet connection. This is so that they can check their emails, for example, while not interacting with any part of the private network.
You may also choose to use nesting and subnets to secure data and users from potential threats. This is a useful practice, as it can make it difficult for cybercriminals to escalate permissions and map out your network in its entirety. Some companies also choose to secure zones based on a trade-off of security requirements and user needs. You may find companies with high security and high trust green zones such as central server rooms.
Next, you may have an orange zone that has similar policies to a DMZ, but it’s more designed for private usage. These provide entry-level personnel and security-cleared guests access to the internal network. These are useful for contractors or third-party companies that don’t need access to administrative solutions.
Finally, you can add a red zone that only gets used by the general public; no business will get conducted in this zone. Security here is minimal, and no trust is extended to it. An example of this is the guest Wi-Fi in a business’s lobby.
Now you know what a network perimeter is and how it can be used to make sure cybercriminals can’t access sensitive information. Let’s now take a look at how cloud solutions and remote access interfere with these tidy network policies.
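To make the firewall ACL and zone model concrete, here is an added example (not code from the original article or from any firewall vendor) that evaluates inbound and outbound rules between the green, orange, DMZ and red zones described above, with anything outside those zones treated as the internet. The address ranges, zone assignments and rules are all constructed for the demonstration; real firewalls add protocol, state and logging fields, but the first-match-then-implicit-deny evaluation shown here is how most ACLs behave.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed trust zones, using documentation address ranges. Anything
# that falls in no zone is the internet and is untrusted.
ZONES = {
    "green": ip_network("10.10.0.0/24"),    # central server room
    "orange": ip_network("10.20.0.0/24"),   # contractors / cleared guests
    "dmz": ip_network("192.0.2.0/24"),      # public-facing servers
    "red": ip_network("203.0.113.0/24"),    # guest Wi-Fi in the lobby
}


def zone_of(ip: str) -> str:
    """Map an IP address to the zone that contains it, else 'internet'."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: Optional[int]   # None means any port
    action: str               # "allow" or "deny"


# Constructed ACL, evaluated first-match. There is no allow-all anywhere,
# so any flow not listed falls through to the implicit deny.
ACL = [
    Rule("internet", "dmz", 443, "allow"),    # public web server
    Rule("dmz", "green", 5432, "allow"),      # web tier may reach the database only
    Rule("orange", "dmz", 443, "allow"),      # contractors use the public services
    Rule("green", "internet", 443, "allow"),  # outbound updates from servers
    Rule("red", "internet", None, "allow"),   # guests only reach the internet
    Rule("red", "green", None, "deny"),       # explicit, for clarity in logs
]


def evaluate(src_ip: str, dst_ip: str, dst_port: int) -> Tuple[str, Optional[Rule]]:
    """Return the action and the matching rule (None on implicit deny)."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for rule in ACL:
        if (rule.src_zone == src and rule.dst_zone == dst
                and rule.dst_port in (None, dst_port)):
            return rule.action, rule
    return "deny", None


if __name__ == "__main__":
    flows = [
        ("198.51.100.7", "192.0.2.10", 443),   # internet -> DMZ web
        ("198.51.100.7", "10.10.0.5", 22),     # internet -> green SSH
        ("192.0.2.10", "10.10.0.5", 5432),     # DMZ web -> green database
        ("192.0.2.10", "10.10.0.5", 22),       # DMZ web -> green SSH
        ("203.0.113.9", "198.51.100.7", 80),   # guest -> internet
        ("203.0.113.9", "10.10.0.5", 445),     # guest -> green file share
    ]
    for src, dst, port in flows:
        action, rule = evaluate(src, dst, port)
        print(f"{zone_of(src):9}-> {zone_of(dst):9}:{port:<5} {action}"
              + ("" if rule else " (implicit)"))
```

The interesting lines are the ones that fall through: the DMZ web server can reach the database port on the green zone but nothing else there, so a compromised public server gains no administrative foothold, which is exactly the containment the DMZ is for.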
How Do Cloud Computing and Remote Access Influence the Network Perimeter?
Cloud computing allows you to log in to services and computers from outside your company. Sometimes you even log in from a computer not owned by your company. This is a major problem, as the system won’t know the IP of the machine trying to connect or whether it has any malware hosted on it. So what can you do about this? Here are three methods you can implement to solve this issue:
1. Add Multi-Factor Authentication (MFA)
To improve trust, you can add multi-factor authentication (MFA) to help ensure the person logging in is who they say they are. This, however, still doesn’t let you trust their machine. For example, what if the user is accessing your system from a client’s site on the client’s hardware? How secure are that site and its operations? Many cyberattacks have started with malware hosted elsewhere in a supply chain that propagated to other companies before the attack was executed. Vendors are typically targeted because they’re often smaller businesses with weaker security tools and policies.
2. Force Users to Only Use Their Company Computers
Another way is to force your users to only use their company computers to gain access. However, remember that even then, these computers could’ve been compromised. For instance, a user’s weak home network security and a man-in-the-middle (MITM) attack orchestrated against them could be used to compromise your network. The good news here is that you can treat a cloud solution similarly to an onsite one. Simply assume all traffic is untrusted and use a DMZ. Reserve trusted zones for places where explicit, non-implicit trust policies are enforced.
3. Use a Firewall as a Service (FWaaS) Solution
Lastly, you can use a firewall as a service (FWaaS) solution to secure cloud computing without breaking the bank, with the firewall hosted in the same cloud domain as the services it protects. A FWaaS solution can secure the connection from any remote computer. This means that you don’t need a separate firewall licence for every device and access point one user might connect from. Also consider using an application-level firewall, also known as a third- or fourth-generation firewall, to help secure connections between applications.
Now you know what infrastructure you need to consider when creating and maintaining your network perimeter. Let’s move on to looking at the benefits and risks associated with network perimeters.
Benefits and Risks of Network Perimeters
A network perimeter is the staple of a modern network. Gone are the days of a few academics transferring data between a handful of sites. These days, we need to secure a network from everyone. This includes employees with the best intentions that could easily distribute a company’s information across teams, or even across the Internet, in the blink of an eye. That is a risk you don’t want to take!
The benefits of having a network perimeter include a reduced risk of successful malware attacks used for either disruption, ransom, or fraud. You can protect your network effectively by using the right firewall and configuring the right ACL rules for your network.
Also, consider using an IDS at endpoints or in siloed structures to help complement your firewall. Arrange your network structure to create green, orange, and red trust zones and secure them with suitable trust policies. These practices will reduce risks throughout your network.
Network perimeters help define what is a trusted source entering your network and what isn’t. Trusted zones are great for productivity but poor for resisting cyberattacks.
Likewise, untrusted zones often provide limited services and functionality but are better used to stop attacks from spreading to the rest of the network.
You can use DMZs as a zone that assumes access shouldn’t be trusted, which enables public use safely. Segregate teams and divisions and use an IDS at endpoints to check for abnormal traffic, which can then be flagged to administrators while suspicious data packets are automatically quarantined.
Do you have any more questions on network perimeters? Check out the FAQ and Resources sections below!
What is a network perimeter?
A network perimeter is the boundary between what’s trusted, such as a part of your network, and what isn’t, such as the Internet. Networks start where the telecommunication line enters the site. A network perimeter is typically enforced by an exterior firewall that defines who gains access based on access control lists (ACLs). You can also customize outbound and inbound rules to meet security requirements in your company.
What is a firewall as a service (FWaaS) solution?
A FWaaS solution is the provision of a firewall as a service, often used as part of cloud-based networks. This means that companies get billed per user or per use, rather than per device the firewall is hosted on. This is far more effective for cloud-based solutions where users may use multiple platforms to access the network.
What is an IDS?
Intrusion detection systems (IDS) work similarly to firewalls, but they have additional features such as deep packet inspection to assess threats buried in the body of data packets. You can use an IDS to quarantine data and alert administrators of abnormal network traffic. An IDS is often used as a gatekeeper to siloed divisions or teams on the network.
Why should I silo teams and data?
Segregate different teams that don’t interact with each other to avoid data leaks between teams or divisions. This improves the overall security of the network and keeps data and users safe from malware and cyberattacks. Some companies also use fake silos to deter cybercriminals from adequately mapping out the network and escalating permissions.
What are the challenges of using firewall ACLs?
Firewalls use access control lists (ACLs) with outbound and inbound rules to control network security. The main challenge associated with using ACLs is keeping these lists current and ensuring no outbound or inbound rules are missing. Use higher-level firewalls that abstract and automate ACL governance. This helps reduce human error from administrators and saves time during infrastructure changes.
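The governance problem described in this answer, rules that drift out of date or are never matched, can be caught with a small audit before a change is pushed. The following is an added example, not code from the original article or from any firewall product: it checks a constructed ACL for duplicate rules, rules shadowed by an earlier, broader rule (so they can never match), and the absence of an explicit final deny-all in each direction. The rule format (direction, source CIDR, destination port, action) is an assumption made for the demonstration; real exports carry more fields but the same shadowing logic applies.

```python
from ipaddress import ip_network
from typing import List, Optional, Tuple

# (direction, source CIDR, destination port or None for any, action).
# Constructed ACL with deliberate defects for the audit to find.
Rule = Tuple[str, str, Optional[int], str]
RULES: List[Rule] = [
    ("inbound", "0.0.0.0/0", 443, "allow"),
    ("inbound", "198.51.100.0/24", 443, "allow"),   # shadowed by rule 0
    ("inbound", "10.0.0.0/8", None, "allow"),
    ("inbound", "10.1.2.0/24", 22, "deny"),          # shadowed by rule 2, never hit
    ("outbound", "10.0.0.0/8", 443, "allow"),
    ("outbound", "10.0.0.0/8", 443, "allow"),        # exact duplicate of rule 4
]


def covers(earlier: Rule, later: Rule) -> bool:
    """True if every packet the later rule would match, the earlier one
    already matches (same direction assumed by the caller)."""
    _, e_net, e_port, _ = earlier
    _, l_net, l_port, _ = later
    net_ok = ip_network(e_net).supernet_of(ip_network(l_net))
    port_ok = e_port is None or e_port == l_port
    return net_ok and port_ok


def audit(rules: List[Rule]) -> List[str]:
    """Return human-readable findings for an ACL evaluated first-match."""
    findings = []
    for i, later in enumerate(rules):
        for j, earlier in enumerate(rules[:i]):
            if earlier[0] != later[0]:
                continue
            if earlier == later:
                findings.append(f"rule {i} duplicates rule {j}")
                break
            if covers(earlier, later):
                findings.append(f"rule {i} is shadowed by rule {j} and can never match")
                break
    for direction in ("inbound", "outbound"):
        in_dir = [r for r in rules if r[0] == direction]
        last = in_dir[-1] if in_dir else None
        if last is None or last[3] != "deny" or last[1] != "0.0.0.0/0" or last[2] is not None:
            findings.append(f"{direction}: no explicit final deny-all rule")
    return findings


if __name__ == "__main__":
    for finding in audit(RULES):
        print(finding)
```

Shadowed rules are the expensive case: a deny that sits below a broad allow looks like a control on paper but blocks nothing, and an audit like this surfaces that before an administrator relies on it. Wiring such a check into the change process is one way to get the automated ACL governance the answer recommends.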
TechGenix: Article on Firewall as a Service Solutions
Learn what a firewall as a service (FWaaS) solution is and how your business can benefit from having one.
TechGenix: Article on DMZ
Learn about the DMZ in more detail.
TechGenix: Article on IDS
Discover how to use intrusion detection systems (IDS).
TechGenix: Article on Network Perimeters
Learn more about hardening your network perimeter.
TechGenix: Article on Network Security
Get the latest tips and tricks on how to secure your network.