
Axia NetMedia Corporation
What is Perimeter Security?

January 2007

Axia NetMedia Corporation. www.axia.com | 3300 450 1st Street SW Calgary AB T2P 5H1 | ph 866 773 3348 | fx 403 538 4100 Pg.1 of 6

Table of contents
1.0 What is Perimeter Security? ................................ 3
2.0 Why do you need perimeter security? ....................... 3
3.0 Where does perimeter security reside? ..................... 4
4.0 AxiaSecure ................................................ 5
5.0 Conclusion ................................................ 6


1.0 What is Perimeter Security?


A definition of perimeter security can be better understood by dividing perimeter security into its constituent parts: perimeter and security.
perimeter¹ noun
Definition:
1. boundary enclosing area: a boundary that encloses an area
2. outer edge of territory: the outer edge of an area of defended territory

security² noun
Definition:
1. state or feeling of safety: the state or feeling of being safe and protected
2. freedom from worries of loss: the assurance that something of value will not be taken away (job security)
3. something giving assurance: something that provides a sense of protection against loss, attack, or harm (the security of knowing that the vehicle has been thoroughly checked)
4. safety: protection against attack from without or subversion from within (a matter of national security)
5. precautions to maintain safety: precautions taken to keep somebody or something safe from crime, attack, or danger (security measures)

In other words, perimeter security is taking precautions to protect the boundary of an area (in this case, a computing network) against loss, attack or harm. In the case of IT security, the assets must be protected both from physical harm to the infrastructure and from damage to the data traversing the network. Building on this definition, the following sections explain why perimeter security is necessary, where it should be located and what features it should provide.

2.0 Why do you need perimeter security?


Until just recently, perimeter security was perceived as a piece of hardware, usually a firewall, installed to keep unauthorized individuals from accessing internal computing resources. The technology used to protect the perimeter has since evolved in response to the rapidly changing threats and exploits rampant on the Internet. Nowadays a major business driver is having an online presence, and that requires a connection to the Internet. Unfortunately, connecting to the Internet also exposes a company to many more threats and vulnerabilities. The cost of doing business on the Internet is that a company must allow services to be accessible and ports to be open, and each service made available creates possible new threat vectors.

¹ MSN Encarta. Microsoft. 01 December 2006 <http://encarta.msn.com/dictionary_/perimeter.html>
² MSN Encarta. Microsoft. 01 December 2006 <http://encarta.msn.com/dictionary_/security.html>


A good security strategy will implement more than one defense at different levels of the network infrastructure. The concept of defense-in-depth ensures there are multiple layers that must be penetrated before the target can be accessed. As some of the layers are penetrated, alarms may also be sounded to alert network managers to the threat.

As an example, purchasing a vehicle is a large investment and most people want to secure that investment. The principle of defense-in-depth would ensure windows were closed and doors were locked so only properly authenticated individuals (i.e. those with the key) could gain access. If someone were to penetrate this first level, the car alarm would alert people to the breach. The car's owner might also place a Club on the steering wheel as another level of defense. Should the intruder also circumvent the Club, he would then need to bypass the ignition switch to start the car. There could also be other technical (immobilizer, etc.) and non-technical (insurance policy) defenses. Each barrier the thief must cross adds complexity and greatly increases the time required to succeed. The defense-in-depth concept makes exploiting a system increasingly difficult.

In a computer network, the firewall is the first line of defense, allowing only authenticated traffic (those with the key) into the network (through the door). However, the traffic may contain potentially malicious exploits, so the firewall is evolving from a mere gatekeeper to a traffic inspector, looking for potentially damaging content. These Unified Threat Management (UTM) devices perform more than one function at the perimeter to better manage and control traffic flow. UTM devices combine much more functionality than simple access control. They can also include antivirus (AV), antispam (AS), web filtering, content filtering and intrusion detection/prevention systems (IDS/IPS) to inspect the traffic before it has a chance to enter the network.

3.0 Where does perimeter security reside?


Some enterprises might already have one or more of these devices within their internal network and wonder why they would need a redundant solution. Using AV as an example, no single product is able to detect every virus and its variants, as different vendors use different parameters and heuristics to detect viruses. Having multiple AV scans can effectively increase the chance of identifying and quarantining a virus. This holds true for each of the security features listed above, demonstrating the benefits of a defense-in-depth strategy.

The placement of a UTM perimeter security device might seem obvious (at the perimeter), but the difficult task is defining the network perimeter. Historically there was just one way in and out of the network. Today the list of potential ingress and egress points is growing as new technologies and new business requirements are introduced.

Some business functions now require employees to work from remote locations such as a customer site or hotel. They may have the ability to connect to their internal network via a Virtual Private Network (VPN). This VPN connection creates a tunnel in which the encrypted traffic traverses the firewall and travels to a connection on the internal network. The traffic is authorized to bypass the firewall, and should be controlled by policies and rules that explicitly allow the traffic only when an authorized user initiates the connection.


Wireless access is convenient, but in most cases it is ill advised to allow computers to connect to a business network wirelessly. A wireless access point (WAP) placed on a trusted internal network allows uncontrolled access to resources. This means someone located inside or outside the physical boundaries of a building can bypass the firewall and access the network to which the WAP is connected. If wireless access is a business requirement, then at a minimum it should be in a separate security zone and scanned with a UTM before access to critical resources is granted.

Many companies host websites that are critical aspects of the day-to-day business infrastructure. The website resides in a zone inside the perimeter and allows access to anyone outside the perimeter. As with the VPN, this traffic is authorized, but must be scanned at a deeper level for potential threats and vulnerabilities.

These are just a few examples illustrating how someone outside the perimeter can access resources inside the perimeter. In some instances, a network can be divided even further so that internal networks of differing security levels, such as Human Resources, Finance and Marketing, are placed in separate zones. This requires people in the Marketing zone, for example, to pass through a UTM before accessing Human Resources data.

Fundamentally, a UTM device should be placed between any two zones with different security requirements. Zones are created where the boundaries between networks with different security levels meet to exchange data. Depending on the network topology, this could mean a single UTM device handles all traffic passing between zones, or it could require more than one device. The rule of thumb is that traffic should only flow from a higher security zone to a lower security zone. This might not always be possible, but installing a UTM device between the zones will control and authorize data transmission based on the configured rules.
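The zone rule of thumb above (higher-to-lower flows allowed by default, lower-to-higher flows denied unless an explicit, inspected rule exists) can be written down as a small policy evaluator. The Python below is an added illustration and is not Axia's code or part of any AxiaSecure product; the zone names, trust levels, rules, inspection engines and payloads are all constructed for the example. It also models the two exceptions the paper discusses, the VPN rule that only admits an authenticated initiator and the public website rule that admits Internet traffic only after deeper inspection.

```python
"""Zone-to-zone policy model (constructed example, not Axia's code).

Higher number = higher security requirement. Flows from a higher zone to a
lower one pass by default; flows toward a higher (or equal) zone are denied
unless an explicit rule allows them, and allowed exceptions must clear the
UTM inspections the rule names (AV, web filter, IDS/IPS, ...).
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed zones and trust levels for illustration only.
ZONE_LEVELS: Dict[str, int] = {
    "internet": 0,
    "wireless": 1,   # WAP kept in its own zone, as the paper recommends
    "dmz_web": 1,    # public website zone inside the perimeter
    "vpn_users": 1,  # remote workers arriving through the VPN tunnel
    "corporate": 2,
    "hr": 3,
    "finance": 3,
}


@dataclass(frozen=True)
class Rule:
    """Explicit exception to the default deny for lower-to-higher flows."""
    src: str
    dst: str
    port: int
    require_auth: bool = False        # VPN: only an authenticated user may initiate
    inspect: Tuple[str, ...] = ()     # UTM inspections the flow must pass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int
    authenticated: bool = False


@dataclass
class Decision:
    allowed: bool
    reason: str
    inspections: Tuple[str, ...] = ()


# Constructed rule set: the website, VPN and wireless exceptions from the text.
RULES: List[Rule] = [
    Rule("internet", "dmz_web", 443, inspect=("ids_ips", "web_filter")),
    Rule("vpn_users", "corporate", 445, require_auth=True, inspect=("av", "ids_ips")),
    Rule("wireless", "corporate", 443, inspect=("av", "web_filter", "ids_ips")),
]


def evaluate(flow: Flow, rules: List[Rule] = RULES) -> Decision:
    """Apply the rule of thumb, then look for an explicit exception."""
    if flow.src == flow.dst:
        return Decision(True, "same zone: no perimeter crossed")
    if ZONE_LEVELS[flow.src] > ZONE_LEVELS[flow.dst]:
        return Decision(True, "higher to lower security zone")
    # Lower or equal -> higher: default deny unless a rule matches exactly.
    for rule in rules:
        if (rule.src, rule.dst, rule.port) != (flow.src, flow.dst, flow.port):
            continue
        if rule.require_auth and not flow.authenticated:
            return Decision(False, "rule requires an authenticated initiator")
        return Decision(True, f"explicit rule {rule.src}->{rule.dst}:{rule.port}", rule.inspect)
    return Decision(False, "no explicit rule for lower-to-higher flow")


# Constructed stand-ins for UTM inspection engines; each returns True when the
# payload passes. Real engines use vendor signatures and heuristics.
INSPECTORS: Dict[str, Callable[[bytes], bool]] = {
    "av": lambda payload: b"CONSTRUCTED-MALWARE-MARKER" not in payload,
    "ids_ips": lambda payload: b"CONSTRUCTED-ATTACK-MARKER" not in payload,
    "web_filter": lambda payload: not payload.startswith(b"GET http://blocked.example"),
}


def admit(flow: Flow, payload: bytes, rules: List[Rule] = RULES) -> Decision:
    """Zone policy first, then every inspection the matching rule demands."""
    decision = evaluate(flow, rules)
    if not decision.allowed:
        return decision
    failed = [name for name in decision.inspections if not INSPECTORS[name](payload)]
    if failed:
        return Decision(False, "blocked by UTM inspection: " + ", ".join(failed), decision.inspections)
    return decision


if __name__ == "__main__":
    for f, p in [
        (Flow("corporate", "internet", 443), b"GET /"),
        (Flow("internet", "corporate", 443), b"GET /"),
        (Flow("internet", "dmz_web", 443), b"GET /index.html"),
        (Flow("vpn_users", "corporate", 445), b"SMB"),
        (Flow("vpn_users", "corporate", 445, authenticated=True), b"SMB"),
        (Flow("wireless", "corporate", 443), b"CONSTRUCTED-MALWARE-MARKER"),
    ]:
        d = admit(f, p)
        print(f"{f.src}->{f.dst}:{f.port} allowed={d.allowed} ({d.reason})")
```

Note that two zones at the same level (HR and Finance here) are denied by default as well: the evaluator treats any flow that is not strictly downhill as a perimeter crossing that needs an explicit rule, which is the paper's point about placing a UTM between any two zones with different requirements.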

4.0 AxiaSecure
Organizations that handle sensitive data are increasingly aware of the need to comply with current and emerging legislation. They face network security and data protection issues that surpass once-adequate technologies such as anti-virus software and firewalls. They require tangible results from network security solutions that translate into business efficiencies and bottom line performance. And they want reliability in the provider that caters to their security needs.

AxiaSecure Perimeter Protection is a managed security service that protects your network perimeter from outside threats, keeping intruders out and maintaining the integrity of confidential data. It is designed for organizations that need to seamlessly protect their network perimeter and data integrity, and be assured that their security solution is performing.

AxiaSecure Perimeter Protection is unique in that it simplifies the management of network security for organizations of any size. Every package includes all of the essential components of a security solution at no additional cost, so that you are equipped with a solid foundation that can scale with your security needs.


5.0 Conclusion
The delineation of where networks begin and end has blurred. It has evolved from a strict outside and inside to a less defined notion of zones separating networks of differing security levels. In the process, the network perimeter has changed from a single perimeter to many perimeters, each requiring different protections. The perimeter must adapt to changing business requirements by allowing many more points of ingress and egress, which in turn requires a more sophisticated form of perimeter protection. Perimeter security, therefore, must protect the transmission of data across the varying boundaries between differing security zones. The technology used varies, but for all-encompassing security many features can be leveraged. Antivirus, antispam, web filtering, content filtering and IDS/IPS can all be combined with the functionality of a traditional firewall to create a Unified Threat Management system that protects the myriad perimeter configurations.
