1. SYSADMIN De-Perimeterization
De-perimeterization and life after the firewall
Enterprises and organizations used to feel protected
behind the firewall, but now VPNs, e-commerce, web
services, and Web 2.0 have put an end to the comfort.
The network perimeter is losing its significance, and
the time has come for a new approach to security.
BY JÖRG FRITSCH
irewalls used to be the pride of On today’s networks, security special- paradigm shift is an opportunity. Instead
any security department. A well- ists have a difficult time enforcing the of repeating past errors by refining and
designed firewall protected the traditional segregation of “inside” and extending the outdated firewall concept,
internal network, and a lot of ports “outside.” New borders are opening up why not devise a whole new approach to
needed to be open on the firewall. Serv- all over the place. Remote access via security that is tailored to the more com-
ers advertised their services to anyone VPN, cellphones, PDAs, roaming note- plex reality of today’s networks?
on the LAN. books, web services, and Web 2.0 tech- The Jericho Forum  is an interna-
This black and white view of the se- nologies are slowly rendering the fire- tional security organization dedicated to
cure internal network and the evil exter- wall obsolete. In the past, each server advancing a new vision for network se-
nal network was never really as simple application had a clearly defined port curity. At the center of that vision is a
as it looked – identity thieves and dis- and was easily controlled at the firewall, concept they call de-perimeterization,
gruntled colleagues have always been but almost all services in today’s web which overturns the traditional view of
a part of the corporate scene – still, the service model use http/https and port 80 the network as a finite space with an
system seemed to work somehow. With- or 443. This emphasis on http makes it inside, an outside, and a perimeter. Ac-
out firewalls, the current conception of difficult to disambiguate services at the cording to the Jericho Forum, the threats
the Internet – with online shopping, network perimeter. faced by today’s networks are so vast
home banking, and VPNs – would be Although this problem sounds like a and varied that “…The only reliable se-
totally unthinkable. serious threat, some experts believe this curity strategy is to protect the informa-
60 ISSUE 89
2. tion itself, rather than the echo this theme that modern
network and the rest of the IT networks should not depend
infrastructure.” on perimeter boundaries for
The Jericho Forum is a protection. (According to un-
loose grouping of ISM (Infor- official sources, the trade-
mation Security Manage- mark was necessary to avoid
ment) experts affiliated with vendors misusing the term
the Open Group , an um- for advertising purposes
brella organization compris- without actually adhering to
ing the joint forces of the the principles.)
Open Software Foundation This vision of a secure net-
 and X/Open Limited. work without borders is em-
Open Group is well known bodied in the Jericho Forum’s
for its Single Unix Specifica- “Commandments,” which are
tion and other initiatives. available in PDF form from
The Open Group trade- the Jericho Forum web page
marked the term “Boundary- (see the box titled quot;Com-
less Information Flow” to mandments”).
3. SYSADMIN De-Perimeterization
Conventional Security Model
(Rings of Trust)
De-perimeterized Security Model
Network Operating Operating Network
Application Data Application
LAN/Operation System System LAN/Operation
Network A Network B
Figure 1: Conventional security models attempt to safeguard components from each other. The traditional “Rings of Trust” model (above)
hardens each ring against the surrounding ring. The de-perimeterization model, below, assumes data is independent of context and must not
depend on an application, operating system, or network for protection.
The commandments are a collection of defending itself – even when placed viewing or modifying data was restricted
of security principles – some equivalent on the open Internet. to authorized persons only. Data would
to contemporary “best practices” advice Figure 1 sketches this new vision of be useless in the wrong hands. This ap-
and others quite radical and new. The the data-independent network. At the proach, often referred to as Information
work of the Forum boils down to an em- top, you can see legacy data and infor- Rights Management, IRM , entails
phasis on four areas: encryption; secure mation with clearly defined perimeters. more than just encrypting the data.
protocols – above all, SSL/TLS; secure The Rings of Trust model is designed to At present, many manufacturers are
systems; and authentication and authori- support communication from the secure working on frameworks that support au-
zation at the data level side (i.e., the side closer to the core) to thentication and authorization directly
The concept of protecting the data it- the insecure side. At the bottom of the at the data level – Oracle, EMC/RSA, and
self, rather than simply restricting access image is the new model. Data exists in- Microsoft DRM to name just a few. Some
to the machine that holds the data, is a dependently of network boundaries and solutions are already available in part,
fundamental feature of this new ap- must not rely on any application, com- although they are frequently tied in too
proach. Another tenet of this de-perime- puter, or network for security. closely to the DRM model. Thus far, it is
terized reality is that all networks are In a perfect world, information would hard to say which technology will assert
untrusted. Each device must be capable possess attributes to make sure that itself. Standalone solutions are pointless;
after all, de-perimeterization aims to fa-
cilitate the flow of information.
Some critical elements required to im-
plement the vision of the perimeterless
network are still missing – first and fore-
most, secure terminal devices. Although
Linux has an excellent reputation in this
respect, it is still too vulnerable.
The inherently secure systems that
de-perimeterization relies on should not
 Jericho Forum:
 Open Group:
 Open Software Foundation:
 Oracle Information Rights
Figure 2: The Jericho Forum advocates policies, practices, services, and standards for a
62 ISSUE 89
be vulnerable to hijacking attacks on ac- If you are a road warrior who works corner, whether from laptop theft or a
count of a minor programming error. with a portable computer in hotel rooms, carefully crafted attack on a protocol,
And there is much to do on the applica- on customer premises, or at conferences, application, or system. Let’s hope that
tion front. Web browsers in particular you know that today’s Internet is not far de-perimeterization will give us better
are continually in the news with critical removed from the ideal of de-perimeter- protection than today’s assortment of
security holes. ization. But danger lurks around every firewalls, virus scanners, and VPNs. ■
The Jericho Forum’s vision for de-perimeterization is embodied The Need to Trust
in a document known as the Jericho Forum Commandments, 6. All people, processes, and technology must have declared and
which is available through the Jericho Forum page (Figure 2) of transparent levels of trust for any transaction to take place.
the Open Group website . The 11 commandments of the Jeri-
• Trust in this context is establishing an understanding between
cho Forum are:
contracting parties to conduct a transaction and defining the
Fundamentals obligations of each party.
1. The scope and level of protection should be specific and • Trust models must encompass people/organizations and de-
appropriate to the asset at risk. vices/infrastructure.
• Business demands that security enables business agility and • Trust level may vary by location, transaction type, user role,
is cost effective. and transaction risk.
• Whereas boundary firewalls may continue to provide basic 7. Mutual trust assurance levels must be determinable.
network protection, individual systems and data will need to
• Devices and users must be capable of appropriate levels of
be capable of protecting themselves.
“mutual” authentication for accessing systems and data.
• In general, it’s easier to protect an asset the closer protection is
• Authentication and authorization frameworks must support
the trust model.
2. Security mechanisms must be pervasive, simple, scalable, and
Identity, Management, and Federation
easy to manage.
8. Authentication, authorization, and accountability must inter-
• Unnecessary complexity is a threat to good security.
operate/exchange outside of your locus/area of control.
• Coherent security principles are required which span all tiers
• People/systems must be able to manage permissions of
of the architecture.
resources and rights of users they don’t control.
• Security mechanisms must scale; from small objects to large
• There must be capability of trusting an organization, which
can authenticate individuals or groups, thus eliminating the
• To be both simple and scalable, interoperable security “build- need to create separate identities.
ing blocks” need to be capable of being combined to provide
• In principle, only one instance of a person/system/identity
the required security mechanisms.
may exist, but privacy necessitates the support for multiple
3. Assume context at your peril. instances, or one instance with multiple facets.
• Security solutions designed for one environment may not be • Systems must be able to pass on security credentials/
transferable to work in another. Thus it is important to under- assertions.
stand the limitations of any security solution.
• Multiple loci (areas) of control must be supported.
• Problems, limitations, and issues can come from a variety of
Access to Data
sources, including geographic, legal, technical, acceptability of
9. Access to data should be controlled by security attributes of
the data itself.
Surviving in a Hostile World
• Attributes can be held within the data (DRM/Metadata) or
4. Devices and applications must communicate using open,
could be a separate system.
• Access/security could be implemented by encryption.
• Security through obscurity is a flawed assumption – secure
• Some data may have “public, non-confidential” attributes.
protocols demand open peer review to provide robust assess-
ment and thus wide acceptance and use. • Access and access rights have a temporal component.
• The security requirements of confidentiality, integrity, and 10. Data privacy (and security of any asset of sufficiently high
availability (reliability) should be assessed and built in to value) requires a segregation of duties/privileges.
protocols as appropriate – not added on. • Permissions, keys, privileges, etc. must ultimately fall under
• Encrypted encapsulation should only be used when appropri- independent control, or there will always be a weakest link at
ate and does not solve everything. the top of the chain of trust.
5. All devices must be capable of maintaining their security • Administrator access must also be subject to these controls.
policy on an untrusted network. 11. By default, data must be appropriately secured when stored,
• A “security policy” defines the rules with regard to the protec- in transit, and in use.
tion of the asset. • Removing the default must be a conscious act.
• Rules must be complete with respect to an arbitrary context. • High security should not be enforced for everything; “appro-
• Any implementation must be capable of surviving on the raw priate” implies varying levels with potentially some data not
Internet, e.g., will not break on any input. secured at all.
APRIL 2008 63