NetSec Letter #28, 11 July 2003
The Vanishing Perimeter

Fred Avolio, Avolio Consulting, Inc., http://www.avolio.com/

We’ve all seen those firewall pictures that show the Internet (“Here there be Dragons,” to quote Dr. Steve Bellovin, as well as ancient maps of “the world”), a firewall, and our inside network with a wall around it. It is a useful picture for explaining firewalls, but it does not picture reality. (To see an example of what I mean, see www.avolio.com/columns/perimeter.jpg.)

Good Old Days

In the good old days, only power users connected from home to the enterprise network. Most people couldn’t even imagine why one would want to. The power user would dial in to a modem pool at an enterprise access controller, and get command line access to his or her computer. The remote computer acted merely as a terminal. (If some of these terms sound unfamiliar to you, please understand: this was back when we did computing by candle light.) Back then there was no Internet to use or fear, no network on the other side of an “incoming” connection, and the enterprise network perimeter really did have walls around it. The network stopped at the physical edge of the enterprise.

Now-a-Days

Now, of course, we sit behind firewalls, which demarcate “them” and “us.” It is just not that easy to tell who “us” is. Inside our enterprise network we have contract workers. Outside our network there are teleworkers, day-extenders, and road-warriors. Remote sales people are also “out there” on the Internet, but they are part of “us.” Some of “us” might be at home, at an Internet Cafe in Prague, or a “big ol’ jet airliner.” [Steve Miller Band] Some of “them” have to get access to some of which belongs to “us” in order to buy product or get support.

What to Do

There are a few things we can do to deal with the true picture.

  1. Classify people. The world is not “them” and “us.” Included in “them” are “potential customers,” “business partners,” and … well, the unknown “them,” all of whom are potential bad guys. Some of “them” need access to some of our network with authentication — some, but not all of “them.” “Us” we can classify by location and function. For example, inside workers in our headquarters office: sales, marketing, executive team, developers, and administrative. Some of those — maybe all, now-a-days, are day-extenders, connecting into work for e-mail and forgotten files. The point is, different groups have different access needs. Instead of “all or nothing” access, access — both in to and out of the network — can be keyed to the particular needs of the particular classes. (I know we don’t like to refer to “classes” of people, but bear it for our discussion. When we “classify” things, we end up with “classes.”)
  2. Classify systems according to the sensitivity of the data each holds. We do this already, don’t we? Accounting’s systems are usually inaccessible to software developers. The advanced development systems are “off limits” to the sales force. Though most of us do this in some form or other, we might not be using this information to help plot out an access control scheme.
  3. Configure access devices (firewalls, etc.) with strong user authentication (or Virtual Private Network access) for outside users, to be able to tell the class for each. Then, grant access based on class of user and system, which is another way of saying “user requirements.”
  4. While you are at it, tighten up the firewalls. Grant inbound and outbound access to services based on class need. When three people in the network group need outbound access for “ssh,” while the rest of the organization can’t even spell it, why allow it for “ALL?” Even better, as you classify systems and people, use VLAN technology to further segregate systems and people. Then you could even apply firewall rules between different user communities within the enterprise. Class segregation is ugly in a society, but aids security in a network.

Promotions, Self and Otherwise

A column I wrote, “Preparing for the Worst” for *On the Radar*, LURHQ Corporation’s client newsletter, is at http://www.lurhq.com/vol1.html. LURHQ is a managed security solutions provider, run by friend and former Gauntlet sales engineer, Tony Prince. I am on their advisory board.

My “Just the Basics” column ( www.infosecuritymag.com/2003/jul/justthebasics.shtml) in the July 2003 Information Security Magazine asks, “How do you know if your firewall is ‘healthy’?”

I’ll be teaching “Security Essentials for Managers” and “Firewalls Essentials for Managers” — both full day courses — at COMDEX Canada in September. Check out my “Speaking and Teaching Calendar” at www.avolio.com/calendar.html.