
Top 10 Network Security Mistakes - #3: Belief in Perimeter Security

June 11, 2014

The Emperor’s New Castle

I used to think of my network as some sort of castle. If the walls were high enough, and the moat was wide enough, then everyone inside would be safe from the danger that lay outside the dense stone walls. And thine Goblet of Righteousness shall overfloweth with rich digital mead after the Dragon of Malcontent has been slain!

Yes, that was a comforting D&D (or GoT) tinged fantasy.

And maybe, for a fleeting moment, it was a suitable analogy.

But we can no longer pretend. The perimeter collapsed some time ago.    

Leave the Beaver

Gone are the Leave-It-To-Beaver days when we thought protected data was only consumed from some trusted device on a trusted network, as if a secret Masonic writ protected the whole system from ever being subverted.

Of course centralized data and services still exist, but we need to stop thinking about the network in relation to where the information is stored and start thinking about where and how the data is consumed. This is even more critical if your organization is using cloud-based services in any way, because then the data is not even stored inside your walls.

The Unsettling Truth

In one way or another, most modern networks consist of systems that aren’t fully trusted or controlled. 

Users expect to be able to access data from any device, at any time, from anywhere. You don’t always have to give users what they want or expect, but sometimes these users are the same ones who approve the budget, which can help sort out priorities pretty quickly.

*cough* executiveswithipads *cough*

Today, we are much more aware of the challenges that mobility, trust and omnipresent workaholics present to the concept of securely serving data. Maybe we can use this shift as a stimulus to reframe our approach. 

Break It Up

As the methods and patterns of data consumption change, so must our defense tactics. Traditional stalwarts like firewalls, proxies and IPS still have a role in the overall design, but they can only do so much, especially now that data-level and transport-level encryption, which those devices cannot inspect without first decrypting the traffic, has been on a sharp uptick lately for some unknown reason.

*sneeze* nsasnowdenheartbleed *sneeze*

Here are a few ideas that may help you keep your data where you can protect it more easily. 

  • Separate the device from the data. This can be done via virtualization, remote desktop or some form of proxy. The idea is that only a rendered view of the data reaches the user’s system, so the actual data never touches the endpoint and stays segmented from the unsanitary outside world. It’s like Boy in the Plastic Bubble for your data, sans John Travolta.
  • Limit or prevent data portability. If workstations need to actually touch data, extra care should be taken to limit the possibility of inappropriate use. DLP can be an effective, if complicated and expensive, option, but some endpoint solutions offer lower-tech approaches like limiting copy/paste, disabling USB storage and disk burners, and logging activity. Treat your data like a toddler, because it could wander off at any time.
  • Redefine trust. Some organizations are taking the idea of untrusted hosts to the next level by forcing even internal hosts to go through the security line. Multifactor authentication at workstation login is possible but rarely deployed, so the practical place to enforce it is at the service: strongly authenticate the user before granting access, regardless of which network the request comes from. Enterprise SSO can help prevent death-by-login.
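
The three ideas above can be summarized in a small access-policy model. The following is an added example, not code from the original post or from Optiv: it contrasts a caricature of the castle model (anything inside the walls is trusted, outsiders get in on a password alone) with a policy that ignores network location, requires a second factor, and serves sensitive data to unmanaged devices only through a proxy or remote-desktop session. The address ranges, resource names, users and requests are all constructed for illustration.

```python
"""Added example (not from the original post): a toy policy evaluator that
contrasts perimeter-based trust with identity- and device-based trust.
All networks, users, devices and requests here are constructed."""

from dataclasses import dataclass
import ipaddress

# Assumed corporate address ranges (hypothetical).
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Resources whose bytes should never land on an unmanaged endpoint (hypothetical).
SENSITIVE = {"hr-records", "source-code"}


@dataclass(frozen=True)
class Request:
    user: str
    source_ip: str
    password_ok: bool      # primary credential verified
    mfa_ok: bool           # second factor verified
    device_managed: bool   # endpoint is enrolled/managed by the organization
    resource: str


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def perimeter_policy(req: Request) -> str:
    """Castle model: a host already inside the walls is not challenged at all
    (think open file shares); an outside host is let in on a password alone."""
    if is_internal(req.source_ip):
        return "allow"
    return "allow" if req.password_ok else "deny"


def identity_policy(req: Request) -> str:
    """Redefined trust: every host goes through the security line. Network
    location is not an input; identity, a second factor and device posture are."""
    if not (req.password_ok and req.mfa_ok):
        return "deny"
    if req.resource in SENSITIVE and not req.device_managed:
        # Separate the device from the data: serve the request through a
        # proxy / remote-desktop session so the data never touches the endpoint.
        return "allow-via-proxy"
    return "allow"


# Constructed scenarios: attacker on a compromised internal workstation with a
# stolen password, malware on an internal host with no credentials, an
# executive's unmanaged tablet at a coffee shop, a managed laptop at home, and
# a guess at a password from the outside.
INSIDER_STOLEN_PASSWORD = Request("jdoe", "10.20.30.40", True, False, True, "hr-records")
INSIDER_NO_CREDENTIALS = Request("worm", "192.168.1.17", False, False, False, "source-code")
EXEC_TABLET_OUTSIDE = Request("ceo", "203.0.113.7", True, True, False, "hr-records")
MANAGED_LAPTOP_OUTSIDE = Request("analyst", "198.51.100.5", True, True, True, "hr-records")
BAD_PASSWORD_OUTSIDE = Request("mallory", "203.0.113.9", False, False, False, "hr-records")

SCENARIOS = [
    INSIDER_STOLEN_PASSWORD,
    INSIDER_NO_CREDENTIALS,
    EXEC_TABLET_OUTSIDE,
    MANAGED_LAPTOP_OUTSIDE,
    BAD_PASSWORD_OUTSIDE,
]


def compare(requests):
    """Return {user: (perimeter decision, identity decision)} for each request."""
    return {r.user: (perimeter_policy(r), identity_policy(r)) for r in requests}


if __name__ == "__main__":
    for user, (old, new) in compare(SCENARIOS).items():
        print(f"{user:10s} perimeter={old:16s} identity={new}")
```

The two internal scenarios are the point of the post: the castle model waves both the stolen-password session and the credential-less worm straight through because they are already inside, while the identity policy denies both. The executive’s tablet is still served, but through a proxy, so the records never land on the unmanaged device.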

The Emperor’s New Close

Reinventing the concept of trust without instilling distrust can be a challenge on a number of levels. Ultimately, it is up to you to find the appropriate balance between access, ease and security.  Sometimes wholesale tradeoffs aren’t necessary to enjoy all three. But frequently, compromises must be made. 

While a guilty until proven innocent approach might not work for a just legal system, it might be exactly what an Emperor/Empress needs to protect their kingdom and its contents. Godspeed!
