Security in a world without borders
Face it, you've already been de-perimeterized. The question now is, what are you going to do about it?
As organizations have opened their networks to business partners, customers and suppliers, they find that perimeter safeguards such as firewalls are opening as well. Then there's the increasing mobility of so-called internal users, who connect to corporate resources via external wired and wireless links. Organizations still have perimeter firewalls in place, but they're now shot so full of holes that they barely provide any protection at all.
"Our borders are ineffective today. We consider them more as sieves - they keep the lumps out, the script kiddies and denial-of-service attacks, but they're not protecting us against many of the threats we face today," says Paul Simmonds, co-founder of the Jericho Forum, a user group examining the ramifications of de-perimeterized networks. Recent threats such as the Sasser and Blaster worms, which just walked right by network perimeter protections and hit internal networks hard, provide proof, says Simmonds, who is director of global information security at ICI, a chemical conglomerate in London.
Other users agree that they are struggling to secure their networks now that their perimeter safeguards provide less protection. The most popular strategy in fighting de-perimeterization is what the security community calls "defense in depth." This is the process of shoring up perimeter defenses by layering on tighter and more numerous internal protections.
"We've realized here that it's no longer enough to focus on your perimeter firewalls or even have [intrusion-detection systems] outside your firewalls," says Adam Hanes, manager of information security at law firm Sonnenschein Nath & Rosenthal in Chicago. "You also need to pull that stuff in toward your assets. We have multiple application-level firewalls at different points, we have multiple IDSs and [intrusion-prevention systems] at different points, we have a vulnerability assessment package that we use on a regular basis, and we have a third-party audit package. We don't just look at the perimeter; we look at the whole network."
Jericho advocates another way: Don't fight de-perimeterization; embrace it.
Once we acknowledge that our perimeters are obsolete, we can spend less time and fewer dollars on them and instead focus on better internal security, Simmonds says. Forward-thinking organizations that embrace this idea will begin to move Web applications outside the perimeter and closer to the people who use them. The thought is that eventually perimeters will dissolve, saving money and making the business more effective.
"If you don't have a border and you don't need to operate within a DMZ, then you have a lot of business advantages," he says. "You can be quicker to market, you can do things faster, you can do things more effectively with less interference and less hardware. You don't need a security team to analyze it and get back to you in a couple of months. You can be up and running doing e-business theoretically in minutes. That's a huge advantage."
Four phases to de-perimeterization
Organizations will move through four phases in getting to the point where they can do business securely within a fully de-perimeterized environment, Jericho says.
Many organizations are in the first phase, which is "begin moving outside the perimeter." In Phase 1, the organization moves public-facing Web applications outside the corporate perimeter and closer to the people using them. This enables more seamless Internet-based communications with consumers, customers and business partners, while freeing the corporate IT staff from the pressures of securing that data via the perimeter.
In the second phase, "soften the perimeter," organizations drop the pretense of supporting a hardened perimeter and instead focus on providing encrypted transport and authenticated access to internal data. This will happen within most organizations within two years, the forum says.
In the third phase, the perimeter ceases to exist. Organizations within this phase will have moved on to data-level encryption and connection-level authentication, obviating the need for any perimeter at all. Look for these kinds of changes in most companies in the 2006-2007 timeframe.
Phase 4 is boundary-less communications. Jericho underscores that this phase is dependent on a future that employs yet-to-be-determined, global, data-level authentication standards. The group estimates most companies will be able to take advantage of this phase in 2008.
True de-perimeterization goes beyond defense in depth and lies in some form of global data encryption, authentication and identity management, Simmonds says. Such a security architecture would use rights management technology and security policy enforcement tools to make sure users gained access to only the networks, servers and data they were authorized to use.
This would allow seamless business-to-business connectivity without the need for firewalls and IDSs.
"You could get rid of all this deep packet inspection and so on, because the traffic would all be encrypted anyway. And with full identity management, only trusted communications would be allowed," he says.
The trick is to get the vendors to supply solutions that actually support such a scenario, including the ability to do cross-organizational authentication, policy enforcement and federated identity management. "In the end, vendors will need to enable us to have one identity within the organization and, eventually, one identity globally," Simmonds says.
Though such cross-company global authentication is beyond current capabilities, expanded use of federated identity and work by organizations such as the Liberty Alliance eventually will make it possible, he says. The Liberty Alliance is working to build standards for federated identity management and Web services.
All that sounds well and good in a perfect world, but most users today are skeptical of removing their perimeter security.
"I don't think you'll ever see the perimeter firewall simply go away," Hanes of Sonnenschein Nath & Rosenthal says. Concepts such as federated identity management are "the Holy Grail, and business just doesn't work that way. You aren't going to tell me that I can't do business with someone because they don't have the right ID. As much as we'd love to get there, it's not even in the near future," he adds.
Simmonds agrees that right now, most pieces required for his four-phase move to de-perimeterization don't exist. Data-level authentication and cross-organizational federated identity management are blue-sky concepts, he says. That's why Jericho is prodding the vendors to produce concrete, interoperable products and answers.
Until that day, users are forced to rely on point-based and interim solutions that attack pieces of the problem. For example, many organizations are looking at point products that shore up internal security while paving the way to more integrated ID and security policy management. They say they realize the perimeter is shrinking and are focusing on managing security down to the individual level.
For University of Texas Health Sciences Center, a good interim step in shoring up the internal network has been the coupling of Check Point/Zone Labs' Integrity policy enforcement software and personal firewalls on all desktops, says Kevin Granhold, director of server and desktop services for the Houston organization.
Integrity is software that sits on an end user's PC. When the PC logs on to the network, it first gets access only to the Integrity server, which checks to make sure the PC meets the organization's security policies and is up to date on its firewall and anti-virus protections. If it's not up to snuff, it doesn't get access to the network.
"The biggest thing is, it doesn't let my desktops communicate to one another within the same subnet," Granhold explains. "They only communicate to trusted systems so that if one desktop gets infected with a virus or worm, it won't affect all my desktops." This setup also helps protect the network from intruders, he says. The network won't talk to any system that's not trusted, and all trusted systems are under physical security - lock and key - in the server room. "It's all centrally managed, and it works very well," he says.
Others are looking for ways to simplify the move to enterprise-wide - and cross-company - identity management. Financial services firm Certegy in St. Petersburg, Fla., uses new identity-based technology from Trusted Network Technologies. Called Identity, this appliance integrates with the company's Microsoft Active Directory to bring authentication and rights management down to the TCP/IP packet level. Identity examines packets, validates digital signatures and applies security policies before connection. Packets without Identity data, or that fail policy, are discarded. Users are allowed to see only the systems and resources that they are authorized to use.
"The concept is great for ensuring that only authorized people can access corporate data," says Wayne Proctor, Certegy's corporate information security officer. "But it's new technology that is not quite there yet."
For one thing, it's appliance-based, which makes it difficult to scale and manage. Another hurdle is Internet proxy devices. "When the traffic goes through a proxy, the proxy regenerates the packet header to help you hide information about where it came from," Proctor explains. "When it regenerates the packet header, though, it erases the identity. So they need to overcome that somehow in future releases."
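The check-then-discard behaviour and the proxy problem described above can be modelled in a few lines. This is an added conceptual example, not code from Trusted Network Technologies or from the article; the product's real wire format is not described here, so the field names, keys, addresses and the use of an HMAC in place of digital signatures are all assumptions.

```python
import hashlib
import hmac

# Constructed sample data (assumptions): per-user keys and an access policy.
USER_KEYS = {"alice": b"k-alice-demo", "bob": b"k-bob-demo"}
POLICY = {"alice": {"10.0.5.20:443"}, "bob": {"10.0.5.30:1433"}}

def _sign(user, src, dst):
    # HMAC stands in for the digital signature; it binds user to both endpoints.
    msg = f"{user}|{src}|{dst}".encode()
    return hmac.new(USER_KEYS[user], msg, hashlib.sha256).hexdigest()

def tag_request(user, src, dst):
    """Client side: attach identity data to a connection request."""
    return {"src": src, "dst": dst,
            "identity": {"user": user, "sig": _sign(user, src, dst)}}

def proxy_forward(request, proxy_addr, keep_identity=False):
    """Proxy: regenerate the header with its own source address.
    By default fields it does not know about are not copied."""
    out = {"src": proxy_addr, "dst": request["dst"]}
    if keep_identity and "identity" in request:
        out["identity"] = dict(request["identity"])
    return out

def enforce(request):
    """Enforcement point: validate identity and policy before connection."""
    ident = request.get("identity")
    if ident is None:
        return "discard: no identity data"
    if ident["user"] not in USER_KEYS:
        return "discard: unknown user"
    expected = _sign(ident["user"], request["src"], request["dst"])
    if not hmac.compare_digest(expected, ident["sig"]):
        return "discard: bad signature"
    if request["dst"] not in POLICY.get(ident["user"], set()):
        return "discard: policy"
    return "allow"

if __name__ == "__main__":
    direct = tag_request("alice", "10.0.1.7:50000", "10.0.5.20:443")
    print(enforce(direct))                                    # direct path
    print(enforce(proxy_forward(direct, "10.0.9.1:3128")))    # identity erased
    print(enforce(proxy_forward(direct, "10.0.9.1:3128", True)))  # src changed
```

In this model, copying the tag through the proxy is not enough on its own: because the signature covers the original source address, the rewritten header still fails validation.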
Still others are exploring a much stronger interim measure consisting of new policy-based network switches that boast integrated security. Several switch vendors, including Cisco, Alcatel and Enterasys Networks, are touting their switch-based security schemes, including the ability to quarantine viruses, handle authentication and enforce policies.
Eaton Vance, a Boston financial services firm, decided to implement Enterasys' policy-based networking products when it upgraded its infrastructure six months ago.
"Policy-based networking was very important to us because as a financial services firm, with all of the new regulations out there like Sarbanes-Oxley, compliance is huge," says Vinny Cottone, vice president and director of infrastructure services at the company. "We truly needed the ability to understand what's happening on our network and who's accessing what, because, frankly, no one is trusted anymore."
Eaton Vance's new Matrix N3 and N7 enterprise switches employ what Enterasys calls Secure Networking. Using 802.1X standard authentication, the switches let Cottone assign roles to various users and determine what traffic is and is not allowed from them. The switches also have an integrated IDS/IPS capability called Dynamic Intrusion Response that can then spot anomalies and react to mitigate malicious traffic.
"It's like an IDS, but it takes it one step further," Cottone says. "Once you identify a port that's behaving in a non-acceptable manner, you can do a variety of things, like automatically do some rate limiting or shut down the ports on certain things. It gives you a nice degree of control and granularity."
This eases the whole business of ID management and authentication within the company, while reducing vulnerabilities, Cottone says. Still, it's an internal-only solution. "How are we going to authenticate our external business partners? That's what we're wrestling with," he says.
He says he's watching organizations such as Jericho in the hopes that they come up with some industry-standard answers.
"De-perimeterization is a big buzzword right now, but I think it does have some merit behind it," Cottone says. "Everybody agrees [securing an extended enterprise] is a problem, but nobody really agrees on the solution yet. Like the Jericho Forum says, standard federated identity management would be nice. But it's nowhere near a reality today, and we have to make do with what we have."
Cummings is a freelance writer in North Andover, Mass. She can be reached at firstname.lastname@example.org.