Perimeter Security: Evolved, Not Dead

"Perimeter security must be extended both externally and internally but, logically, it still exists", according to Scott Gordon
"Perimeter security must be extended both externally and internally but, logically, it still exists", according to Scott Gordon

While some may say perimeter security is dead, I am not among them. Few enterprises will throw out their perimeter firewalls and gateways to expose themselves to myriad threats, attacks and compliance issues.
Nevertheless, cloud applications, mobile device use and virtualization have blurred the conventional perimeter defense definition and forced us to rethink how we deliver anywhere, anytime, any means access without compromising security. As such, perimeter security must be extended both externally and internally but, logically, it still exists.

Certainly, the corporate enterprise of the past has changed. A small to medium-sized business get can up and running without traditional infrastructure, leveraging a variety of cloud-based services and end points. Mid-tier and larger organizations are outsourcing, considering BYOD, migrating applications to the cloud, and using an array of application and data delivery mechanisms – placing new challenges on traditional perimeter defenses.

Some would argue that the perimeter is now wherever a device and company data meet. But the question at hand is whether perimeter security is dead.

At some point, there is demarcation between a corporate network and what is external to it – a network being a connection enabling access to systems and data owned by an entity. Conventional security best practice suggests implementing a demilitarized zone (DMZ) to negate exposing internal network assets to external threats. Even Domain Name System (DNS), internet, file transfer and mail gateways need protection within the DMZ. Reverse proxies in the form of modern firewalls can be implemented so that those internal systems are not ‘naked’ and directly exposed to external attacks. External requests to systems in the DMZ are assessed and then allowed from the DMZ or a proxy to the intranet. Whether a company hosts some – or all – of an infrastructure, somewhere there exists an operating segregation between public and private networks.

Some industry pundits contest that the perimeter is so blurred and permeable that defenses there are a lost cause. Perimeter defenses, however, have also evolved with the advent of behavior-based intrusion protection systems, intelligent application firewalls and distributed denial-of-service (DDoS) protection systems. Let’s not forget that firewalls are also ‘next gen’ and offer more sophisticated application-layer security capabilities. 

Maturing one’s perimeter defenses need not be piecemeal. Procurement and management of these systems are easier with the advent of unified threat management. Again, at some point, someone is in charge of managing infrastructure to support external access, and you can be sure they are employing perimeter security.

The increase in botnets and zero-day attacks could be an indication that perimeter defenses are outmoded. I would suggest otherwise. A shipping company would have multiple controls and processes to ensure that even simple external threats to any of its distribution centers would be minimized. This would include conventional fences, guards, CCTV surveillance, RFID tracking and more. It would also require similar controls for any of its partners. While none of these physical perimeter defenses are impregnable, the cost-to-risk benefits are well established. Perimeter defenses are foundational to an in-depth defense model and complement other strategies.

Enterprises’ use of mobile and cloud-based applications changes conventional perimeter defenses. They are applying role-based access authentication and federated identity that are based on an identity management system protected within the perimeter. The use of remote desktop virtualization infrastructure (VDI) by many enterprises still relies on keeping sensitive data behind the corporate firewall. So are perimeter defenses really dead?

Let’s not forget compliance. The majority of GRC frameworks and compliance standards call for perimeter defenses and network access control. More specifically, adherence requires separation of public and private networks, and the segregation of general infrastructure from those systems processing sensitive, financial and personal identifiable data.

Considering these points, I firmly believe perimeter security is not dead. It has advanced to establish an enterprise network demarcation – no matter where it is located and how it is managed – that ensures appropriate segregation and protection of sensitive information.

Scott Gordon is an enterprise systems and information security industry executive with more than 20 years of experience. He is currently VP of worldwide marketing at ForeScout Technologies and author of the recently published book Operationalizing Security.

What’s Hot on Infosecurity Magazine?