The Deperimeter Problem

Yes, the castle-and-moat model has lots of shortcomings, but the concept of "deperimeterization" is a long, long way off

By

November 01, 2005, CSO — The old network security model, perimeter defense, was a lot like the old physical security model: Put your assets in a secure location, build a wall and use a gate to control who goes in and out. Many today say the perimeter model is obsolete; some even say the perimeter should be removed altogether. While today it's critical to understand the shortcomings of the castle-and-moat model, CSOs should be a long way from tossing their firewalls altogether.

The perimeter defense approach worked pretty well for the walled cities of the ancient world, and it worked pretty well for computer networks in the 1990s. In many ways, the approach is fundamentally sound. It makes more sense to stop attackers with hardened outer defenses than to let them come inside and fight your most vulnerable citizens with hand-to-hand combat. No one would dream of arming an office clerk with an antitank gun; it's the job of the soldiers on the front lines to keep tanks away from the file clerks!

Of course, no perimeter defense is perfect. The Trojans learned this fact the hard way a little more than 3,000 years ago, when they brought that giant wooden horse filled with Greek soldiers inside their perimeter wall. Once the bad guys are inside the gate, the wall becomes irrelevant. Security consultants have been warning organizations for years about the danger of underestimating the insider threat. They argue that concentrating on perimeter defenses invariably tempts an organization into relaxing its internal defenses. For example, organizations are understandably hesitant to patch and upgrade the computers inside their networks when they are spending all that money on a firewall. But external threats have a way of sneaking past even the best perimeter defense, either because an executive plugs an infected laptop into an internal network or because a rogue 802.11 access point lets outsiders come wirelessly through your walls and plug in.

Even if perimeters were perfect, the perimeter approach assumes that assets stay put inside the perimeter's protective ring. This assumption is no longer true in today's world of laptops, Web portals, memory sticks and BlackBerrys. High-quality information is constantly crossing every organization's physical and electronic perimeters. Relying solely on perimeter defenses is like buying a home alarm system to protect your children from kidnapping, then allowing them to ride alone to school on the New York City subway.

Perimeters today have gotten such a bad name that some consultants and journalists are heralding "the end of the perimeter." CSO, for example, wrote about this concept early last year (see "The World Is Your Perimeter").
