Now You See It, Now You Don't: The Challenges of a Disappearing Network Perimeter
Jul 6, 2012 5:00 AM PT
It may seem like Houdini is inside the network, because the perimeter as we have known it is disappearing.
Conceptually, firewalls used to sit between the public Internet and the internal network with its servers, desktops and applications. There was a clear network perimeter separating internal resources from the outside world. However, emerging trends, such as remote workers, outsourcing, virtualization and bring your own device (BYOD) programs are eroding the lines of the network perimeter.
Consequently, IT professionals must rethink how they manage it.
The first trend contributing to a disappearing network perimeter is remote users, who work from home or on the road but require network access to use internal resources. Typically, these connections are addressed through a VPN, but remote workers still warp the network perimeter, since IT professionals must work to filter and control traffic from endpoints that are not strictly within the network.
Next is outsourcing, wherein some of the traditional services that used to exist in the internal network are extended to an outsourced network, yet connected to the corporate environment. Traffic traveling between the outsourced environment and the corporate network must be managed, so the picture becomes more complicated.
A more recent trend is virtualization. A physical box running a virtual environment contains multiple virtual machines. Virtual servers connected to a virtual network run inside this virtual environment, and all of it is connected to the traditional physical infrastructure. It can be challenging to manage the traffic between the virtual environment and the physical environment, but the real difficulty is that some of this traffic never leaves the virtual environment, so it never crosses the physical firewall at all, which creates a hole in the network perimeter.
Finally, the rise of BYOD, which introduces personal technology like smartphones and tablets into the enterprise environment, is also eating away at the network perimeter. Employees connect to the network through hot spots, but they expect the same access they receive at their desks. Even though the traffic comes from multiple directions, filtering policies must be applied uniformly across all user profiles, so it can be challenging to keep track of it all.
Fortunately, other emerging technologies can help address these challenges. The most dynamic of these technologies are next-generation firewalls. Next-generation firewalls offer granular controls to filter by port and protocol, as well as by application. Additionally, next-generation firewalls can filter by user identity instead of IP address, so the same policy is applied to the same user regardless of where or how he connects to the network.
Even though the network perimeter is disappearing, next-generation firewalls make it easier to manage by segmenting the network to control the traffic. A whitelisting approach blocks traffic by default; the policy must be written to allow access. A blacklisting approach allows traffic by default, but can be written to block specific traffic. Whitelisting is more secure, but it requires more work. Blacklisting is easier to manage, but less secure.
A hybrid approach can be written to create a mini-blacklist that denies specific bad applications within HTTP traffic but permits all other HTTP traffic, with an additional whitelist that permits specific non-HTTP traffic but denies all other traffic.
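The hybrid policy just described, as an added example that is not from the original article: an ordered, first-match rule evaluator that keys on user identity and identified application rather than source IP, with a default deny for anything the rules do not mention. The application names, user names and sample flows are constructed for illustration.

```python
# Added example (not from the original article): an ordered, first-match policy
# evaluator modelling the hybrid approach described above, keyed on user identity
# and application rather than source IP. All names and sample flows are constructed.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    user: str      # identity resolved from the directory, not the client IP
    protocol: str  # "http", "dns", "smtp", "smb", ...
    app: str       # application identified by the firewall, e.g. "web-browsing"


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                        # "allow" or "deny"
    protocol: Optional[str] = None     # None matches any protocol
    apps: Optional[frozenset] = None   # None matches any application
    users: Optional[frozenset] = None  # None matches any user

    def matches(self, f: Flow) -> bool:
        return ((self.protocol is None or self.protocol == f.protocol)
                and (self.apps is None or f.app in self.apps)
                and (self.users is None or f.user in self.users))


# Hybrid policy from the article: a mini-blacklist inside HTTP, then permit the rest
# of HTTP, then a whitelist of specific non-HTTP traffic; everything else is denied.
HYBRID_POLICY = [
    Rule("deny-bad-http-apps", "deny", protocol="http",
         apps=frozenset({"p2p-over-http", "anonymizer"})),  # constructed app names
    Rule("permit-other-http", "allow", protocol="http"),
    Rule("permit-dns", "allow", protocol="dns"),
    Rule("permit-mail-admins", "allow", protocol="smtp",
         users=frozenset({"alice"})),                       # identity-based, not IP
]


def evaluate(policy: list, flow: Flow) -> tuple:
    """First matching rule wins; an unmatched flow is denied (whitelist stance)."""
    for rule in policy:
        if rule.matches(flow):
            return rule.action, rule.name
    return "deny", "default-deny"


if __name__ == "__main__":
    # Constructed sample flows; the same policy applies whether the user is at a
    # desk, on a VPN, or on a hotspot, because matching is on identity and application.
    for f in [Flow("bob", "http", "p2p-over-http"), Flow("bob", "http", "web-browsing"),
              Flow("alice", "smtp", "smtp"), Flow("bob", "smtp", "smtp"),
              Flow("bob", "smb", "file-sharing")]:
        print(f, evaluate(HYBRID_POLICY, f))
```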
Arthur C. Clarke once said, "any sufficiently advanced technology is indistinguishable from magic," but it is not magic that is causing the network perimeter to disappear. It is sufficiently advanced technology. It may take a new understanding to make these blurred lines visible, but the means exist to retake control of the network perimeter.