The new perimeter
CSOs are mixing an assortment of technologies, approaches and policies to shore up defenses on the changing corporate boundary
By Elisabeth Horwitt
July 09, 2012 — CSO —
Back in 2008, guarding Motorola's perimeter was a lot simpler than it is today, recalls Paul Carugati, the company's information security architect. "It was OK to just open up [firewall] port 480 [to network traffic], because we knew that everything that ran over it was HTTP," he says.
But with the rapid growth of Web 2.0 applications, e-commerce environments and cloud services, he adds, "in 2010, that wasn't so true; in 2011, it wasn't true at all."
Management was continually questioning Carugati about the risk exposure related to a critical service or a social media environment, and the possibility of infiltration of the company's data through social media. Motorola's then-current firewall technology could trace users' IP addresses, but it could not track applications and so was unable to monitor which ones were exposed.
To address the issue, Motorola's security department added a next-generation firewall (NGFW) to its perimeter defense mix. In addition to traditional Layer 3 and Layer 4 firewall filtering, the platform can track outgoing and incoming traffic at the application level. This has brought huge gains in visibility, control and enforcement, Carugati reports. Now, it's clear "which apps are flowing through that egress environment, including apps we thought we weren't allowing outbound and ones we didn't know about," he says.
That visibility enables the security team to enforce far more granular security policies at the application level, rather than at the network protocol and port levels. Furthermore, management can now draw a far more accurate picture of the company's social network presence and interactions, for risk assessment and compliance with regulations such as PCI DSS, Carugati says.
NGFWs are just one way in which companies are revamping their defenses in response to new threat vectors that have grown out of businesses' growing use of and dependency on Web applications, social media, cloud computing, virtualization, wireless networks and mobile devices. These technologies continue to change the fundamental nature of business computing and communications.
As a result, the corporate boundary has become increasingly porous and difficult to define—some would even contend that it's nonexistent—rendering traditional notions of "protecting the perimeter" obsolete. Not that companies like Motorola have jettisoned traditional defenses, such as legacy firewalls, intrusion prevention and detection systems, antivirus and antispam programs, VPNs, and the like. Rather, they have started looking at perimeter defense in a more multileveled, multilayered way.
A Multilayered Perimeter Defense
Industry experts advise CSOs to take a defense-in-depth approach that deploys multiple layers of security, so that malware and other threats that slip by the first line of defense get caught by the second or third.
That means going well beyond traditional perimeter defenses—namely, network firewalls—which monitor and control traffic on the basis of source and destination IP addresses, network protocols and port numbers. Because they never look inside the application payload, they are incapable of defending against the 60 percent to 70 percent of attacks that now occur at the application level, according to Jon Oltsik, senior principal analyst at Enterprise Strategy Group.
For example, a network firewall can accept HTTPS traffic and block HTTP traffic from the Internet to a Web server. Without app awareness, however, it cannot distinguish between customer and hacker HTTPS traffic, Oltsik says.
Smart CSOs are bolstering this first line of defense with technologies such as NGFWs and Web application firewalls (WAFs), which can perform deep-packet inspection and identify known hacker signatures and abnormal behavior.
NGFWs typically monitor inbound and outbound enterprise traffic, identifying malware that may be riding on top of a trusted link, as well as app-level end user activities that are inappropriate, risky or prohibited. WAFs specifically monitor traffic between Web clients and servers.
Polk, a leading provider of data and marketing services for the auto industry, has supplemented its traditional firewall with F5 Networks' Big-IP Application Security Manager. The WAF protects Web servers from common app-level attacks such as SQL injection, says Ethan Steiger, the company's CSO. This has saved the company from the expense of redeveloping a number of Web apps with known code-related vulnerabilities.
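As an added illustration (not code from the article, and not Motorola's, Polk's or F5's), the following Python sketch contrasts the two decision points described above: a port-based filter that sees only the destination port, as a traditional firewall does, and an application-aware check that inspects parameter values for SQL injection patterns, as a WAF does. It also places the string-concatenated query that such a WAF shields next to its parameterized fix, so the layering is visible end to end. The sample requests, the three-entry signature set and the in-memory database are constructed here for the example and are far simpler than any product's rule set.

```python
import re
import sqlite3
from urllib.parse import parse_qs

# Constructed sample requests (destination port, query string); not taken from the article.
SAMPLE_REQUESTS = [
    (443, "id=42"),
    (443, "id=42 OR 1=1"),
    (443, "id=0 UNION SELECT name FROM users"),
    (80, "id=42"),
]


def port_filter_allows(dest_port, allowed_ports=(443,)):
    """Layer 3/4 decision: a traditional firewall sees only addresses, protocol and port."""
    return dest_port in allowed_ports


# A deliberately tiny, illustrative signature set (hypothetical, not any vendor's rules).
SQLI_SIGNATURES = {
    "tautology": re.compile(r"\bOR\s+\d+\s*=\s*\d+", re.IGNORECASE),
    "union_select": re.compile(r"\bUNION\s+SELECT\b", re.IGNORECASE),
    "sql_comment": re.compile(r"--|/\*"),
}


def waf_flags(query_string):
    """Application-layer decision: inspect each parameter value for injection patterns.

    Returns (parameter name, signature name) on the first hit, or None when clean.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    for name, values in params.items():
        for value in values:
            for sig_name, pattern in SQLI_SIGNATURES.items():
                if pattern.search(value):
                    return (name, sig_name)
    return None


def layered_verdict(dest_port, query_string):
    """Defense in depth: the port filter runs first, the WAF check second."""
    if not port_filter_allows(dest_port):
        return "blocked_by_port_filter"
    if waf_flags(query_string):
        return "blocked_by_waf"
    return "allowed"


def setup_db():
    """Constructed in-memory table standing in for the Web application's backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(42, "alice"), (43, "bob")])
    return conn


def lookup_vulnerable(conn, user_id):
    """The 'code-related vulnerability' a WAF shields: raw string concatenation."""
    sql = "SELECT name FROM users WHERE id = " + user_id
    return sorted(row[0] for row in conn.execute(sql))


def lookup_parameterized(conn, user_id):
    """The fix at the application layer: validate the type, then bind the value."""
    try:
        uid = int(user_id)
    except ValueError:
        return []
    rows = conn.execute("SELECT name FROM users WHERE id = ?", (uid,))
    return sorted(row[0] for row in rows)


if __name__ == "__main__":
    for port, qs in SAMPLE_REQUESTS:
        print(port, qs, "->", layered_verdict(port, qs))
    db = setup_db()
    print("vulnerable:", lookup_vulnerable(db, "42 OR 1=1"))
    print("parameterized:", lookup_parameterized(db, "42 OR 1=1"))
```

Run stand-alone, the script shows the port filter passing every request on 443, including the two injection attempts, while the application-aware check stops them; the final two lines show the same tautology returning every row from the concatenated query and nothing from the parameterized one. Signature matching of this kind is what a WAF buys an organization while the underlying code is still being fixed; it is a compensating control, not a substitute for the parameterized query.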