The Failure of Perimeter Security
18 May 2006To have a "Perimeter Security" you need two things: a perimeter and a security.
Let's think about the "security" part of perimeter security first. The most common device to use there is a firewall. Firewall. The word much abused nowadays. Seven years ago I wrote a paper (sorry, Slovak language only) providing an overview and evaluation of network security mechanisms. I tried to make a clean distinction between "application-level gateways" and "packet filters" there, and especially the ability to see and understand network protocols. All of these different shades of gray are called "firewalls" now. The security industry evolved towards ease of use, not towards security. And nobody really seems to care much about the distinction anymore.
Back at InfoSeCon conference, Marcus Ranum had an excellent presentation about firewalls. He presented the reasons while today's firewalls do not work. I can agree with him completely. Current firewalls do not enforce protocol correctness. Yes, they understand some of the protocols (like FTP or HTTP), but that is primarily to allow them pass, not to restrict them. Yes, the firewalls can do URL filtering, antvirus and so on ... but those are "enumerating badness" approaches that does not really scale. Firewalls are designed to pass traffic, not to block traffic. That's not quite the right approach for a security device, is it? One way or another, there's no considerable security in a firewall any more.
Let's look at the "perimeter" part of perimeter security now. We are at the beginning of the age of mobility. It is a common thing to work at home, to read your mail anywhere, to browse Internet using a mobile phone. In a world like this, can you tell where your perimeter is? Does it only cover the network equipment you own? Does it includes all the portable computers that your employees use at home? Does it include yor CEO's notebook connected to some strange ISP in a hotel room somewhere near the end of the world? Does it include a WiFi network created by misconfigured PC of one of your employees? Does it includes mobile phones? And what about fridges, TV sets and toasters? ... Only one thing about the network perimeter seems to be certain: it does not copy the edge of your network.
Now we can see that we do not have security. We do not have perimeter either. Do we have perimeter security?
Disclaimer: I'm not trying to tell you to scrap your firewall as an unneeded piece of old junk. The firewalls are still needed to maintain a minimal level of protection at the very least. I'm just trying to tell you, that the protection that the perimeter security approach provides is just that: minimal.