The new perimeter

CSOs are mixing an assortment of technologies, approaches and policies to shore up defenses on the changing corporate boundary


Virtual Data Centers, Virtual Firewalls?

Virtualization of the data center has "thrown an interesting wrench into the perimeter security works," says Gartner's Maiwald. Different levels of trust can exist on the same physical server, and conversely, virtualized applications can run on different virtual machines that reside on physical servers in different security zones.

Virtual server vendors like VMware, as well as leading NGFW vendors, now offer "virtual security controls" that create a "virtual perimeter behind the physical perimeter," says Oltsik of Enterprise Strategy Group. Such products can be configured to control access across security zones in a virtualized environment.

However, Oltsik says his company's research shows that many security and IT staffs are still learning how to use such tools. Among the issues they face is how to segment the two types of networks to make sure physical and virtual security devices are working in sync. Another is how to enforce security policies when applications and virtual machines keep moving from server to server.


Still, some enterprise CSOs are starting to make good use of such tools. McCullough's team recently moved critical applications into Accor's data center, where a virtualized firewall provides "the same protection as the perimeter, including the same level of app awareness and control and threat prevention," he says.

There are two main perimeter defense strategies for virtualized environments, each with trade-offs, according to Gartner's Maiwald. The first is to compress all zones into a single virtual environment. This provides the most resource allocation flexibility but eliminates cross-zone security, which is not ideal from a risk-management perspective.

The alternative is to make each zone its own virtual environment. This allows companies to keep existing firewall mechanisms and is the best choice for risk management, Maiwald says. The downside is that flexible resource allocation, which provides the bulk of virtualization's cost savings, is limited to servers within a given zone, he says.

At Polk, for example, "We try to treat our virtual hosts with the same level of control as our physical hosts," says Steiger. "This has meant moving intrusion prevention within the virtual network, so to speak," and limiting movement between some virtual hosts.

The company still gets direct value from its virtualization strategy, just not as much as would be possible without these safeguards.

Making and Managing the Rules

Keeping up with the ever-changing threat landscape is another major issue for companies working to protect the perimeter. Leading NGFW platforms come with tools for auditing and updating security rules and monitoring security events from a central console. Most businesses, however, currently run a mix of perimeter security products, not to mention network devices, which can make administering those policies consistently a major headache.

Adding app awareness to the mix makes the task that much more complex and arduous, industry experts agree. "You want the ability to make granular access decisions on an app-by-app basis," says Oltsik. Furthermore, policies have to be regularly updated in order to keep up with major new social media services and apps, which show up on a daily basis. If your firewall sees these new entries as generic traffic, it cannot control them, Oltsik points out.

Companies are increasingly turning to third-party policy administration tools from vendors such as FireMon, RedSeal and Skybox Security. RedSeal's risk-assessment and policy-administration software scans for vulnerabilities and monitors the rules and configurations across Polk's collection of firewalls, network switches and routers, says Steiger. "It also helps us implement policies consistently across the network perimeter, according to best security and business practices."


"FireMon lets us track changes on various vendors' devices and monitor compliance from a unified system," says McCullough. This is especially key given that the security team at Accor's parent company has occasionally made changes to the division's perimeter security policies without notifying McCullough's staff first. On one occasion, this resulted in several hours of network downtime, he reports. "Now when a change happens, FireMon immediately alerts us and allows us to trace it back to the source."

FireMon also helped Accor tackle the huge task of rewriting its entire security rule base. "We found rules that were eight or 10 years old, whose owners weren't around anymore," McCullough says. Other rules were invoked only once every couple of months, but those times were important, he says.
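The rule-base hygiene problems described in the last two sections (rules whose owners are gone, rules that have not fired in years, rules that can never be reached because an earlier rule already matches the same traffic) can be checked mechanically before a rewrite. The script below is an added example, not code from the article or from FireMon, RedSeal or Skybox; the `Rule` record, the thresholds and the sample rule set are constructed for illustration. It flags missing owners, never-hit and idle rules, rules older than a chosen age, and shadowed rules, and it deliberately keeps the idle threshold above the cadence of the legitimate "once every couple of months" rules McCullough mentions.

```python
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_network
from typing import List, Optional


@dataclass
class Rule:
    """One firewall rule. Constructed format; rules are evaluated in list order."""
    rule_id: str
    src: str              # CIDR
    dst: str              # CIDR
    dport: int            # 0 means any destination port
    action: str           # "allow" or "deny"
    owner: Optional[str]  # None when nobody claims the rule any more
    created: date
    last_hit: Optional[date]  # None when the rule has never matched traffic


@dataclass
class Finding:
    rule_id: str
    issue: str
    detail: str


def _covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet that matches `inner` also matches `outer`.

    The action is irrelevant here: if an earlier rule matches first, the
    later rule is unreachable whether the earlier one allows or denies.
    """
    src_ok = ip_network(inner.src).subnet_of(ip_network(outer.src))
    dst_ok = ip_network(inner.dst).subnet_of(ip_network(outer.dst))
    port_ok = outer.dport == 0 or outer.dport == inner.dport
    return src_ok and dst_ok and port_ok


def audit_rules(rules: List[Rule], today: date,
                max_idle_days: int = 180, max_age_years: float = 5.0) -> List[Finding]:
    """Return hygiene findings for an ordered rule base.

    max_idle_days must stay above the cadence of legitimately rare rules
    (a quarterly batch job hits its rule only every ~90 days).
    """
    findings: List[Finding] = []
    for i, r in enumerate(rules):
        if not r.owner:
            findings.append(Finding(r.rule_id, "no-owner", "no responsible owner on record"))
        if r.last_hit is None:
            findings.append(Finding(r.rule_id, "never-hit", "rule has never matched traffic"))
        elif (today - r.last_hit).days > max_idle_days:
            idle = (today - r.last_hit).days
            findings.append(Finding(r.rule_id, "stale", f"last hit {idle} days ago"))
        age_years = (today - r.created).days / 365.25
        if age_years > max_age_years:
            findings.append(Finding(r.rule_id, "aged", f"created {age_years:.1f} years ago"))
        # Shadowing: an earlier rule that covers this one means it is never reached.
        for earlier in rules[:i]:
            if _covers(earlier, r):
                findings.append(Finding(r.rule_id, "shadowed",
                                        f"never reached; {earlier.rule_id} matches first"))
                break
    return findings


# Constructed sample rule base (not from any real device).
SAMPLE_RULES = [
    Rule("R1", "10.0.0.0/8", "192.168.10.0/24", 443, "allow", "netops",
         date(2016, 3, 1), date(2018, 1, 14)),
    Rule("R2", "10.20.0.0/16", "192.168.10.0/24", 443, "allow", "appteam",
         date(2017, 6, 1), None),                      # shadowed by R1, never hit
    Rule("R3", "172.16.5.0/24", "192.168.20.0/24", 0, "allow", None,
         date(2009, 4, 10), date(2017, 3, 2)),         # orphaned, old, idle
    Rule("R4", "10.30.0.0/16", "192.168.30.0/24", 22, "allow", "dba",
         date(2015, 1, 1), date(2017, 11, 20)),        # rare but legitimate
]
AUDIT_DATE = date(2018, 1, 15)  # constructed "today"


def sample_findings() -> List[Finding]:
    return audit_rules(SAMPLE_RULES, AUDIT_DATE)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f.rule_id:4} {f.issue:10} {f.detail}")
```

Shadow detection here is exact only for the simple source/destination/port model used in the sample; a real rule base with protocols, negated objects or NAT needs the engine's own matching semantics, which is one reason the commercial tools in the article model each vendor's device separately. The script is meant as a first pass that tells you which rules need a human conversation before they are deleted.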
