Radovan Semančík's Weblog

Thursday, 18 May 2006

To have a "Perimeter Security" you need two things: a perimeter and a security.

Let's think about the "security" part of perimeter security first. The most common device used there is a firewall. Firewall: a word much abused nowadays. Seven years ago I wrote a paper (sorry, Slovak language only) providing an overview and evaluation of network security mechanisms. I tried to make a clean distinction there between "application-level gateways" and "packet filters", especially regarding their ability to see and understand network protocols. All of these different shades of gray are called "firewalls" now. The security industry evolved towards ease of use, not towards security. And nobody really seems to care much about the distinction anymore.

Back at the InfoSeCon conference, Marcus Ranum gave an excellent presentation about firewalls. He presented the reasons why today's firewalls do not work, and I agree with him completely. Current firewalls do not enforce protocol correctness. Yes, they understand some of the protocols (like FTP or HTTP), but primarily in order to let them pass, not to restrict them. Yes, firewalls can do URL filtering, antivirus and so on ... but those are "enumerating badness" approaches that do not really scale. Firewalls are designed to pass traffic, not to block traffic. That's not quite the right approach for a security device, is it? One way or another, there's no considerable security in a firewall any more.
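To make the distinction above concrete, here is an added example written for this edit (it is not code from the original post, nor from any product mentioned on this page). It contrasts a port-based packet filter, which lets anything through on an allowed port, with an application-level gateway that enforces HTTP protocol correctness and admits only an explicit allowlist of methods, i.e. "enumerating goodness" instead of badness. The allowed ports and methods, the Host-header requirement and the sample packets are constructed assumptions of the example.

```python
"""Added illustration: port-based packet filter vs. protocol-enforcing gateway.

Everything below (policy, sample traffic, helper names) is constructed for this
example and is not taken from the original post or from any real product.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Allowlist policy of the example gateway (an assumption, not a standard):
# only these methods, only HTTP/1.0 or 1.1, and a Host header is mandatory.
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
REQUEST_LINE = re.compile(rb"^(?P<method>[A-Z]{3,7}) (?P<target>/[^\s]*) HTTP/1\.[01]$")
HEADER_LINE = re.compile(rb"^[A-Za-z0-9!#$%&'*+.^_|~-]+: ?[\t -~]*$")
MAX_LINE = 4096  # reject absurdly long request/header lines


@dataclass(frozen=True)
class Packet:
    """Constructed stand-in for a TCP segment: destination port and payload."""
    dst_port: int
    payload: bytes


def packet_filter(pkt: Packet, allowed_ports: frozenset[int] = frozenset({80, 443})) -> bool:
    """Stateless packet filter: it sees the port, never the protocol."""
    return pkt.dst_port in allowed_ports


def http_gateway(pkt: Packet) -> tuple[bool, str]:
    """Application-level gateway for port 80: accept only a well-formed HTTP/1.x
    request whose method is allowlisted; anything else is blocked by default."""
    if pkt.dst_port != 80:
        return False, "port not served by this gateway"
    if b"\r\n\r\n" not in pkt.payload:
        return False, "no end of headers"
    head, _body = pkt.payload.split(b"\r\n\r\n", 1)
    lines = head.split(b"\r\n")
    if any(len(line) > MAX_LINE for line in lines):
        return False, "line too long"
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return False, "malformed request line"
    if m.group("method").decode() not in ALLOWED_METHODS:
        return False, "method not allowlisted"
    headers = lines[1:]
    if not all(HEADER_LINE.match(h) for h in headers):
        return False, "malformed header"
    if not any(h.lower().startswith(b"host:") for h in headers):
        return False, "missing Host header"
    return True, "ok"


# Constructed sample traffic (labelled by what it represents).
SAMPLES = {
    "valid_get": Packet(80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    "not_http_on_80": Packet(80, b"\x16\x03\x01\x00\x9cSOME-OTHER-PROTOCOL\r\n\r\n"),
    "bad_method": Packet(80, b"TRACE / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    "no_host": Packet(80, b"GET / HTTP/1.1\r\n\r\n"),
    "ssh_port": Packet(22, b"SSH-2.0-OpenSSH\r\n"),
}


def compare(samples: dict[str, Packet] = SAMPLES) -> dict[str, tuple[bool, bool]]:
    """Return {name: (packet filter passes?, gateway passes?)} for each sample."""
    return {name: (packet_filter(p), http_gateway(p)[0]) for name, p in samples.items()}


if __name__ == "__main__":
    for name, (pf, gw) in compare().items():
        print(f"{name:16} packet filter: {'pass' if pf else 'block':5}  "
              f"gateway: {'pass' if gw else 'block'}")
```

The packet filter passes every sample aimed at port 80, including the one that is not HTTP at all; the gateway passes only the request that satisfies the grammar and the allowlist. That is the practical difference between a device that understands a protocol in order to let it through and one that understands it in order to restrict it.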

Let's look at the "perimeter" part of perimeter security now. We are at the beginning of the age of mobility. It is common to work at home, to read your mail anywhere, to browse the Internet using a mobile phone. In a world like this, can you tell where your perimeter is? Does it only cover the network equipment you own? Does it include all the portable computers that your employees use at home? Does it include your CEO's notebook connected to some strange ISP in a hotel room somewhere near the end of the world? Does it include a WiFi network created by a misconfigured PC of one of your employees? Does it include mobile phones? And what about fridges, TV sets and toasters? ... Only one thing about the network perimeter seems to be certain: it does not follow the edge of your network.

Now we can see that we do not have security. We do not have a perimeter either. So do we have perimeter security?

Disclaimer: I'm not trying to tell you to scrap your firewall as an unneeded piece of old junk. Firewalls are still needed to maintain at least a minimal level of protection. I'm just trying to tell you that the protection the perimeter security approach provides is just that: minimal.

Posted by semancik at 7:40 PM in security
Comment: Juraj Bednar at Thu, 1 Jan 12:00 AM

That part about the perimeter not being designed to restrict traffic reminded me of this piece at thedailywtf.com: http://thedailywtf.com/forums/thread/73098.aspx BTW: The reasoning of perimeter security supporters (like ISS) is that they are able to provide perimeter protection even at mobile endpoints and homeworking devices. They try to put security enforcement software (Proventia Desktop) on these devices and require it to be installed (and to pass security tests, which are enforced at domain level) in order to connect to the VPN.

Comment: Dave Kearns at Thu, 1 Jan 12:00 AM

..in "Time to rethink the word firewall" (http://www.networkworld.com/newsletters/nt/2005/1114nt2.html) and "How about an intelligent firedoor?" (http://www.networkworld.com/newsletters/nt/2005/1121nt1.html). If only another 998 people or so would write about this, there might be some movement!
