The old network security model -- perimeter defense -- was a lot like the old physical security model: Put your assets in a secure location, build a wall and use a gate to control who goes in and out. Many today say the perimeter model is obsolete; some even say the perimeter should be removed altogether. While today it's critical to understand the shortcomings of the castle-and-moat model, CSOs should be a long way from tossing their firewalls altogether.
The perimeter defense approach worked pretty well for the walled cities of the ancient world, and it worked pretty well for computer networks in the 1990s. In many ways, the approach is fundamentally sound. It makes more sense to stop attackers with hardened outer defenses than to let them come inside and fight your most vulnerable citizens with hand-to-hand combat. No one would dream of arming an office clerk with an antitank gun; it's the job of the soldiers on the front lines to keep tanks away from the file clerks!
Of course, no perimeter defense is perfect. The Trojans learned this fact the hard way a little more than 3,000 years ago, when they brought that giant wooden horse filled with Greek soldiers inside their perimeter wall. Once the bad guys are inside the gate, the wall becomes irrelevant. Security consultants have been warning organizations for years about the danger of underestimating the insider threat. They argue that concentrating on perimeter defenses invariably tempts an organization into relaxing its internal defenses. For example, organizations are understandably hesitant to patch and upgrade the computers inside their networks when they are spending all that money on a firewall. But external threats have a way of sneaking past even the best perimeter defense -- either because an executive plugs an infected laptop into an internal network or because a rogue 802.11 access point lets outsiders come wirelessly through your walls and plug in.
Even if perimeters were perfect, the perimeter approach assumes that assets stay put inside the perimeter's protective ring. This assumption is no longer true in today's world of laptops, Web portals, memory sticks and BlackBerrys. High-quality information is constantly crossing every organization's physical and electronic perimeters. Relying solely on perimeter defenses is like buying a home alarm system to protect your children from kidnapping, then allowing them to ride alone to school on the New York City subway.
Perimeters today have gotten such a bad name that some consultants and journalists are heralding "the end of the perimeter." CSO, for example, wrote about this concept early last year.
The battle of Jericho
One user organization, the Jericho Forum, is taking this idea a step further, with a process that the forum calls "deperimeterization." The basic idea of deperimeterization is that organizations should face the fact that the perimeter is dead and develop a fundamentally new security model based on mutual authentication and strong cryptography. The Jericho Forum (whose members include big companies such as Barclays, Boeing, HSBC and Rolls-Royce) argues that the way to achieve this future is through careful design of a new security infrastructure that guarantees interoperability and openness. Jericho is calling for companies to bring down their outside walls and rely on defenses built into hosts, applications and the data itself.
Deperimeterization certainly seems sensible in a company such as Boeing; a perimeter-oriented defense makes little sense when you have more than 150,000 employees inside the firewall. Sure, you can have a firewall within the firewall to protect the really good stuff -- to segregate the accounting department from the machinists, for example -- but where does one stop? Jericho's argument is that it makes sense to build firewalls as small as possible -- for example, one firewall for each computer.
This vision of a network is, in fact, the environment that I enjoyed at MIT, an enterprise that has tens of thousands of computers interoperating securely without a general perimeter defense. At MIT the network is assumed to be inherently hostile. The result is that the systems there are
battle-hardened against all attackers, internal and external. (Instead of making users reauthenticate every time they log in to a different service, the MIT network uses Kerberos as a single sign-on system; workstation users have to reauthenticate only once every 10 hours.)
But aside from its catchy name and its big goals, does deperimeterization make sense from either a security or financial or even a historical point of view?
Yes, for all their benefits, good perimeter defenses are psychologically dangerous. They lull organizations into a false sense of security. But according to the 2005 "CSI/FBI Computer Crime and Security Survey," attacks by insiders accounted for less than 7 percent of the respondents' dollar losses to computer crime. What's more, the survey's authors write, "the data do suggest that respondents detect events perpetrated by insiders about as often as by outsiders, casting some doubt on the claims one often reads that the vast majority of crimes are committed by insiders."
In other words, even though strong perimeter defenses might cause organizations to lower their vigilance inside their walls, on the whole a perimeter seems to do significantly more good than bad. What today's organizations really need is a way to evaluate the effectiveness of their perimeter defenses so they can make rational decisions about where else -- in addition to their perimeter -- they ought to be spending their security dollars. The big holes in today's perimeters come from business decisions: When two companies form a partnership, one of the first things they do is open holes in their respective firewalls so that their corporate systems can interact more closely. These holes can outlast not only the original partnership but frequently the companies as well! After a corporate acquisition or two, hardly anybody knows which holes in the firewall are the ghosts of long-dead relationships and which are still essential because of ongoing business ventures. The same is often true of active VPN circuits and even dedicated leased lines. People just keep paying the bills, for fear that tearing down a connection might break something important. One company that's managed to profit from this confusion is network mapper Lumeta, which has developed a powerful system that experimentally determines the connectivity between and within enterprise networks. Lumeta's maps frequently turn up hidden pathways between supposedly well-guarded enterprise networks and the rest of the Internet.
The fundamental problem with the Jericho Forum's deperimeterization vision is that it ignores the security doctrine of defense in depth. Even if all your hosts can withstand attacks from the open Internet, there are still advantages to adding the extra layer of defense that comes from a firewall. For example, when a new attack is discovered, it's invariably faster to block the attack with a new rule on the firewall than to program every computer to update itself. Indeed, I don't see how any self-respecting CSO could decommission a firewall once one was installed. What if an attack comes through that could have been stopped by the firewall?
Another problem with Jericho's vision is the whole idea of developing a new security architecture rather than making incremental modifications to the one that's currently deployed. The Internet was successful because it could be incrementally deployed. Instead, Jericho's vision will probably come to pass partly through companies adopting application-level VPNs that use SSL to bridge connections over a hostile Internet. Each time a business partner needs to use a remote service, one application will open an SSL connection to the remote server and check the certificate. A very simple version -- one company setting up an SSL-enabled website for another company's employees to use -- exists today.
Digital rights management (DRM) is another technology that will help bring about Jericho's vision. DRM systems encrypt the contents of sensitive documents so that they can be deciphered only by authorized individuals. There are many players in this space, including Microsoft, Liquid Machines and even Adobe. DRM systems can reduce our dependence on firewalls because they lower the potential damage that can be caused when a firewall fails.
Still, I'd rather have a firewall in place around a company than put bad-guy hackers on my internal LAN and rely solely on the effectiveness of SSL-protected application-level VPNs or DRM. Yes, Joshua blew his horn and the walls of Jericho came tumbling down -- after which the invasion force killed every man, woman and child inside the city. Internal defenses are a great idea -- but so are nice healthy walls around your perimeter.
-- Simson Garfinkel, PhD, CISSP, is spending the year at Harvard University researching computer forensics and human thought. He can be reached at firstname.lastname@example.org.