
You Are Here - Part 2 - Perimeter Security

In part 1 of this series we covered some of the most prevalent and most promising cybersecurity models and frameworks available today. These are all tools that can help you determine the size and shape of the current information security landscape, and where you and your organization are within it. We also realized that even with all of this, you still can’t answer some fundamental questions about the specific technology you need to protect your digital infrastructure. As promised, I’m going to spend the next four posts covering the four critical domains of IT infrastructure security and the categories they each contain. Let’s start today with the perimeter.

Domain: Perimeter

The perimeter domain can be seen as the walls of a castle. These technologies are meant to keep information in and attackers out. In many cases, a Demilitarized Zone (DMZ) and other public network services are exposed to the routable internet via systems within the perimeter domain. Additionally, an organization may have multiple perimeters, similar to an outer wall and an inner wall protecting a castle.

The categories in the perimeter domain are network security, email security, web security, DDoS protection, data loss prevention (DLP), and ecosystem risk management.

Category: Network Security

Network security is typically the primary line of defense for traffic entering or leaving an organization’s network, providing a first-look analysis of traffic inbound and a last-look at traffic leaving your network’s span of control. The primary products in this category are firewalls, network intrusion detection/prevention systems (IDS/IPS), deep packet inspection (DPI), and other security gateways. Today, we rely on so-called next generation firewalls (NGFW) to package the functionality of what used to be many devices into a single appliance or virtual machine. More and more we are facing the challenges of deperimeterization as BYOD and cloud services stretch and blur the previously hard lines that defined our networks' boundaries. This is leading to the rise of software defined perimeter (SDP) tools that push security to the very edge of your new multi-cloud network.

Category: Email Security

Email has become a nearly universal communication medium for individuals and businesses alike, which also makes it a prime attack vector. Spam (Unsolicited Commercial Email - UCE) has been a nuisance for many years, and now phishing, click-bait, and malware attachments create real organizational threats. These attacks are so prolific that it often makes sense to layer email-specific security measures on top of network and endpoint solutions. Included within this category are email security products that offer antivirus, anti-spam, anti-phishing, and anti-malware features. Additional tie-ins to DLP and encryption are also available.

Category: Web Security

Much of our online activity centers around the web. This is increasingly true in our more and more SaaS-focused world. Web security seeks specifically to protect your users from visiting malicious websites. URL filtering (whitelist/blacklist) and other DNS tools fit into this category. Today, known and emerging threats are addressed within this category using Advanced Threat Protection (ATP) capabilities to analyze, diagnose, and dynamically implement rules governing web access in real time. This capability is typically provided through a subscription to a threat database that influences the data exchange or name resolution traffic traversing a network.

Category: DDoS Protection

Pundits and others spend a lot of time talking about “going digital.” What this likely means to you is that internet access is crucial to your business. Your employees need to reach the information and services they need, and your customers need to reach your website and other applications. Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks generate malformed/malicious packets or an excessive amount of inbound traffic to flood systems responsible for responding to valid queries. Under such an attack, systems are unable to keep up with responses. D/DoS protection services recognize these attack techniques and implement methods to block the attempts or clean the inbound data streams so that only the valid traffic remains.

Category: Data Loss Prevention

Data is the new gold. Your intellectual property is now made up of ones and zeros, so you can’t lock it in a file cabinet or a safe. You can still protect it though – probably better than you could when it was on paper. Data loss prevention (DLP) tools classify, analyze, and react to data at rest, in use, or in motion. DLP ensures that your data remains available to those who need it, and out of the hands of would-be attackers.

Category: Ecosystem Risk Management

Your cybersecurity is only as strong as the weakest link in your ecosystem. A vulnerability anywhere in the supply chain escalates organizational risk and jeopardizes productivity, profitability, and reputation. Partner, supplier, and vendor security risk is a major area that cannot be ignored as a business issue any longer. You need to be able to continuously identify, monitor, and manage risk to improve the cyberhealth of your vendor ecosystem.

Up Next

Obviously, the castle walls are only one part of a well-crafted defense. In the next three posts of this 6-part series, we’ll cover the remaining domains of endpoint & application, identity & access, and visibility & control. In the final post, we’ll look at the full model that these four domains create, how it fits into the broader cybersecurity landscape, and provide some advice on how to put it all into practice. Stay tuned!

16 Comments
Level 13

Thanks - Good article.

Level 14

Nice article.

Level 20

I've had to deal with a weird DDoS vulnerability lately; it's a special kind of NTP amplification attack.

This year there was some great Thwack Camp insight into the value of data to nefarious folks trading on the darknet. When a Social Security number can be sold for a dollar, and a personal health record can be sold for $1000, that tells us how much care needs to be taken with PHI, PII, and PCI.

Love getting these awesome tidbits to pass along in meetings and conferences.

Level 9

Happy to be of service! 😃

Level 16

Thanks for the write up. I always have to throw physical security out there also, need to keep those equipment rooms locked as well.

Level 9

Great point! And keep the cameras recording too.

MVP

Nice write up

Level 14

Well written. I look forward to the follow-on installments of this series.

Level 14

Kudos to bobmarley! Don't forget physical security! Often overlooked and underrated!

Looking forward to the rest of the series.

Level 14

You beat me to it. A drawbridge and portcullis are useful, i.e. physical security. Keep the doors locked. Restrict access. Test your fire suppression system. Don't keep your backup tapes next to the servers.

Really, really important. Don't keep the door keycard control system behind a door managed by the door keycard system. Somebody didn't think this through and a certain Fire Brigade were locked out of their own server room. Fortunately they have big blokes with fire axes so we were OK. The door wasn't so lucky.

Level 13

Nice post chrisgrundemann. Really looking forward to reading the rest of the series.

Level 11

yes very nice

MVP

Interesting article. Security is such a major issue. It used to be that you had to be careful for yourself and your possessions. Kind of limited access to both. Now we are digital and not just spread all over the place, but also accessible from everywhere. How do you truly secure yourself in so many places?

About the Author
Chris Grundemann is a passionate, creative technologist and a strong believer in technology's power to aid in the betterment of humankind. In his current role as Director of Strategy at Myriad360 he is expressing that passion by helping clients build bigger, faster, more efficient IT infrastructure that is both more secure and easier to operate and scale. Chris has well over a decade of experience as both a network engineer and solution architect designing, building, securing, and operating large IP, Ethernet, and Wireless Ethernet networks. Chris holds 6 patents in network technology and is the author of Day One: Exploring IPv6 and Day One: Advanced IPv6 Configuration, an IETF RFC, a personal weblog, and various other industry papers and blogs. As a volunteer he is currently serving as President of IX-Denver, Program Committee (PC) member for AfPIF, and Chair of the Open-IX BCOP committee. Chris often speaks at conferences, NOGs, and NOFs the world over. He has held previous positions with Markley Group, Internet Society, CableLabs, tw telecom, CO ISOC, ISOC-NY, ARIN, NANOG, CEA, UPnP, DLNA, RMv6TF, and several others. Chris is currently based in Brooklyn, NY and can be reached via Twitter.