Ron McFarland PhD
11 min read · Jul 13, 2021


A Silent Wake for the Network Perimeter Model

by Ron McFarland, PhD, CISSP

For many years, security experts have touted various models of network security based on a defensible network perimeter. Initially, the network perimeter (aka perimeter-based security) was fairly basic and provided a rudimentary level of security between the external, unmanageable Internet and a company’s internal, manageable IT environment. To enhance network security, the elementary DMZ (Demilitarized Zone) network model evolved into a layered architecture that went through many iterations over the past 20 to 30 years. In early 2005, the SANS Institute published an article entitled “Design Secure Network Segmentation Approach” (Alateeq, 2005) that described a layered approach to network security. The layered approach included four primary segments that isolate traffic to ensure better control and security within a SOHO environment or a small organization’s network infrastructure. The layered model for the SOHO and small business environment was a boon to network security and contrasted with how larger organizations of the time segmented services. The network security segments and the security functions identified by Alateeq (2005) were described as:

1. Outside Network: The first layer in this network architecture was described as the Outside Network by Alateeq (2005). The Outside Network, in general, is the Internet segment, which is described as the environment that cannot be controlled by the organization.

2. Services Segment: This segment provides the organization’s initial isolation between the Internet and the first segment under the organization’s control. Ingress and egress of network traffic is governed by firewall ACLs (Access Control Lists) that either allow or deny traffic from/to the Internet into the Services Segment (i.e., the first layer) of the organization’s network infrastructure. The Services Segment contains the organization’s assets that do not require a significant amount of security, such as web servers and other assets that can be readily recovered without significant harm to any data or to the organization’s operations.

3. Internal Segment: This segment (i.e., the second layer) of the organization’s network infrastructure contains assets that require higher security than the Services Segment. The Internal Segment has its own firewall device(s) that filter ingress and egress traffic transiting between the Services Segment and the Internal Segment. In this layered architecture model, Alateeq (2005) suggests positioning user computers and servers that hold more sensitive data (such as the organization’s intellectual property and employee Personally Identifiable Information) here, isolating sensitive data from the Outside Network (the Internet).

To further define network segmentation, specifically as it pertains to network security, Cisco Systems proposed several layered network architecture models for the “Evolving Data Center” for small, medium, and large organizations that included multiple layers (i.e., trust zones) to isolate network traffic and provide better filtering, functionality, and security (Teare, 2007).

[Figure: Cisco Systems Trust Zones, as noted in the CCDA Study Guide (Teare, 2007)]

Later, Stawowski (2009) further defined a network security architecture model by describing several variations on the layered architecture approach noted by the SANS Institute and Cisco Systems. The general model proposed by Stawowski (2009) included:

1. The Internet/WAN layer: this layer is the uncontrolled domain, where the organization has no control over the environment, but it is nevertheless identified for clarity in Stawowski’s (2009) model.

2. The Edge Services Layer: This first organization-controlled layer provides the initial ingress/egress traffic filtering, stateless inspection of ingress/egress traffic via ACLs, and additional perimeter security layers that filter and track traffic that flows in and out of the organization’s network.

3. The Core/Network Services Layer: This second organization-controlled layer provides additional filtering, including the core set of routers/switches that provide the data flow to other segments of the network. Stawowski (2009) further notes that this layer is more highly secured and contains the switching and routing to other zones within the network.

4. The Application and Data Services Layer: This third organization-controlled layer provides additional filtering and is the most secure layer in Stawowski’s (2009) model. The third layer in this model includes sensitive organizational data and other sub-zones like the Application Server Zone, the Database Server Zone, and other zones identified and defined by the network architect.

Each of these four distinct layers is managed by the Network Services group, which has specific rights and privileges to manage, monitor, and adjust the four layers to enhance the organization’s security posture and the performance of the network. Stawowski (2009) further notes that the layered network architecture approach provides several elements essential to network security, including:

1. Compartmentalization: Since the sensitivity of data varies based on the type of data being managed, segmentation provides the compartmentalization of data whereby additional filtering and monitoring of ingress/egress traffic can be done. This additional compartmentalization affords additional control, especially for highly sensitive organizational data.

2. Defense in Depth: The layered approach provides defense in depth, whereby an attacker must pass through increasingly difficult layers of network protection afforded by the layered architecture.

3. Adequate Protection: Protections for each layer and zones within each layer can be crafted to protect against relevant threats based on the value of the data stored within each zone.

4. Least Privilege: To enter each layer, and each zone within a given layer, the subject must hold only the minimal privileges to specific IT resources needed to perform specific business tasks, providing additional complexity and difficulty for an attacker.

The layered architecture approach proposed by Stawowski (2009) further defines multiple choke points, whereby access to specific network and data resources can be controlled through a limited number of defined communication channels. The layered approach also provides information hiding, which affords security through obscurity; and since sensitive data can be placed in a specific zone within a given layer, the attack surface is significantly reduced.
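The two layered models above (Alateeq’s Outside/Services/Internal segments with per-segment firewall ACLs, and Stawowski’s choke points and least privilege) can be checked mechanically before a firewall is ever configured. The following is an added example, not code from the article or from either author: it encodes a constructed default-deny ACL set for the three segments, evaluates flows against it, walks the ACL graph to show which segments are reachable from the Internet and in how many hops, and flags any rule that would bypass a layer (the zone names and ports are assumptions chosen for illustration).

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Trust levels for the segments in Alateeq's (2005) model; a larger number means
# the segment sits deeper inside the organization and holds more sensitive assets.
TRUST = {"outside": 0, "services": 1, "internal": 2}


@dataclass(frozen=True)
class Rule:
    """One firewall ACL entry permitting TCP traffic from src zone to dst zone on port."""
    src: str
    dst: str
    port: int


# Constructed ACL set (hypothetical) for a two-firewall layered design. Only the web
# tier in the Services Segment is reachable from the Internet, and only that tier may
# talk to the database in the Internal Segment, on a single port. Anything not
# listed is denied, which is the default-deny posture a perimeter design relies on.
ACL = [
    Rule("outside", "services", 443),
    Rule("services", "internal", 5432),
    Rule("internal", "services", 443),  # internal users browsing the web tier
]


def allowed(src: str, dst: str, port: int, acl: Iterable[Rule]) -> bool:
    """Default-deny evaluation: the flow passes only if some ACL entry matches it exactly."""
    return any(r.src == src and r.dst == dst and r.port == port for r in acl)


def choke_point_violations(acl: Iterable[Rule]) -> List[Rule]:
    """Rules that let inbound traffic jump more than one trust level, i.e. skip a layer."""
    return [r for r in acl if TRUST[r.dst] - TRUST[r.src] > 1]


def reachable_from(zone: str, acl: Iterable[Rule]) -> Dict[str, int]:
    """Breadth-first walk over the ACL graph: which zones a compromised host in `zone`
    could open connections to, and the minimum number of layer crossings needed.
    A small, deep map is the reduced attack surface the layered model aims for."""
    hops = {zone: 0}
    frontier = [zone]
    while frontier:
        cur = frontier.pop(0)
        for r in acl:
            if r.src == cur and r.dst not in hops:
                hops[r.dst] = hops[cur] + 1
                frontier.append(r.dst)
    return hops


if __name__ == "__main__":
    print(allowed("outside", "services", 443, ACL))    # True
    print(allowed("outside", "internal", 5432, ACL))   # False: must transit Services
    print(reachable_from("outside", ACL))              # internal is two layers away
    print(choke_point_violations(ACL + [Rule("outside", "internal", 3389)]))
```

Running the last line shows the lint catching a rule that would let the Internet reach the Internal Segment directly, the kind of "convenience" ACL that quietly dissolves the perimeter the design assumes.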

The Problems with the Perimeter-Based Security Model

Unfortunately, with perimeter-based and layered security, many organizations believe that if the boundaries are hardened enough and layered sufficiently, an attacker will have a difficult time perpetrating an attack and will thereby move on to another, more amenable target. As noted in research, this belief stems from a historical perspective in which control network systems were regarded as secure because they were constantly manned and monitored and existed in protected environments (Kisner, Manges, MacIntyre, Nutaro, & Munro, 2010). It can be stated that, due to the evolution and resultant infusion of technology in the organizational environment, the perimeter model of layered network security is outdated, fundamentally flawed, and inadequate for the agile and resilient organization. The perimeter-based security model deserves a wake.

The Death Knell

Due to the infusion of new technologies, including the Internet of Things (IoT), the movement towards the Internet of Everything (IoE), artificial intelligence, and the preponderance of user devices available to attach to networks, the perimeter-based security model has become outdated and has unequivocally failed to secure businesses in both the private and public sectors (Cunningham, 2020). This may have been the final death knell for the perimeter-based network model.

With the evolution of the Bring Your Own Device (BYOD) movement, there is essentially no longer a definitive network perimeter (Goddard, 2019). Also, consider the work-at-home evolution of today’s work environment, which has broadly led to poor control over administrative rights and roles for hardware and software (Cunningham, 2020). In the work-at-home environment, it is not uncommon for those who live in the home (e.g., children, spouses, partners, and guests) to use and share a computing device. As a result, there is usually no general control over software downloads, website visits, or system operational settings on a home computer (Cunningham, 2020).

The cross-connection between Virtual LANs (VLANs), the use of consumer-grade networking hardware, and the ineffective or default subnetting present in the home environment allow the proliferation of malware within the home environment and any connected (e.g., organizational) environments. For the attacker, the home environment may be an easy entry point into an organizational system.

Further, if an organizational computer (a laptop, for example) is taken home and connected to the home environment without being configured properly, it may be exposed to security risks. While many organizations may be compliant with a given set of cybersecurity standards like HIPAA, PCI DSS, DFARS, etc., there is often a myriad of systemic technical failures (such as excessive privileges, poor network segmentation, overly permissive access, and failed data security governance), in conjunction with poorly implemented organizational policies, procedures, and practices, that can expose an organization to an attack.

Holes in the technology

While this article is not meant to be a compendium of hackable traits and vectors for an organization’s network, it is well known by security administrators and hackers alike that there are significant ‘holes’ in both software and hardware technology. Let’s discuss a few of the more well-known issues in this section. Generally, organizations rely on a VPN (virtual private network) as a method for securing remote access for users in the home environment, for BYOD devices, and for other devices that connect to an organization’s network environment. Keep in mind that VPN technologies were invented in the 1990s and are generally no more than applications that leverage tunneling protocols to encrypt and transmit data from a source computer to a target system. Attacks against VPNs are commonly known: an attacker can either steal the encryption key through known and published vulnerabilities or steal the key through an unethical attack (such as a man-in-the-middle, or MITM, attack) that can be readily invoked.

In addition to VPN issues, application security issues proliferate. Many organizations use software that was developed 30 or 40 years ago, when network security was not a concern. Also, for many current-day software development teams, a lack of understanding of security is all too prevalent. While secure software development methodologies are widely known, the Ponemon Institute (2016) reports that over 40% of software development firms in its study did not even scan code for vulnerabilities prior to deployment, presenting an additional layer of security concern for organizations. Little change was noted in the Ponemon Institute’s 2020 research, indicating that this is a persistent issue among software vendors. Networks, as a result, continue to be at risk due to poor application development processes.

NOTE: For additional information about security issues in the software development process, please see my article entitled “Cybersecurity through the Software Development Life Cycle” at this link: https://highervista.medium.com/cybersecurity-through-the-software-development-lifecycle-e4c06d4d6984. In addition, I published another related article that may be of interest to you entitled “Data Leakage & Application Programming Risk Mitigation” at this link: https://highervista.medium.com/data-leakage-application-programming-risk-mitigation-14de9f44f738.

In addition to software issues, poor password policies are noted as one of the top five security concerns by the SANS Institute (Pescatore, 2019). Consider that almost every user and every device uses a password at some point in the authentication process. In addition to poor password administration for users, the default passwords on many hardware devices in an organization or in the home environment are never changed. Think for a minute about the off-the-shelf, consumer-grade network devices customarily purchased by the home user. Default passwords for many, if not most, hardware devices are widely published on the Internet and on the Dark Web, and these passwords are often never changed, especially within the home environment.

In addition to the more common network devices, Internet of Things (IoT) devices have proliferated in both the home and organizational environments. Over 24 billion IoT devices were connected to the Internet as of 2020 (Makkar, Garg, Kumar, Hossain, Ghoneim, & Alrashoud, 2020). Keep in mind that each of these IoT devices typically has a (default) password (is it well-known and published?) and is either app-enabled or web-enabled (is the software secure?). One of the most significant issues with IoT devices is that many are manufactured with cost, rather than security, as the primary consideration. This leads to many devices shipping without adequate on-board security, or built on older technology with known security vulnerabilities, especially when the manufacturer is focused on offering its IoT device for less than competing devices. The technologies used by IoT manufacturers, such as ZigBee, NFC (Near-Field Communication), and cellular connections, have known vulnerabilities.

The Problem with Training

I’m a big fan of good cybersecurity training. But currently, many security standards rely heavily on user and network administrator training. This may be an overreach as a method for securing a network, as users’ ability to identify malicious behavior in a system will vary from organization to organization. Even within an organization, with all user training considered equal between all system users, the human response from person to person, or even day by day, will vary drastically. The heavy reliance on security training may be ill-placed and has ultimately been shown to be ineffective in some security settings. For example, in organizations that provide continual training about clicking on links from an unknown or suspicious source, there is still a persistent 3 to 5% click rate, even for highly trained organizations (Cunningham, 2020).

The Outmoded Perimeter-based model

The perimeter-based model, which includes a variety of segmented security models including those noted in this article, is woefully inadequate. The perimeter-based model was a significant evolution for an organization’s security posture in the early 2000s, but given the proliferation of newer technologies and the advent of the work-at-home evolution, the perimeter-based model provides inadequate security for the organization.

In subsequent articles, we’ll discuss solutions to the outdated and outmoded perimeter-based networking model. Segmentation is still viable, but there are better ways to implement network security that do include segmentation, zero-trust architecture, and other techniques that will allow you to sleep a bit more at night. There are several solutions and, frankly, none present a simple fix. See you in the next article.

References

Alateeq, I. N. (2005). Design secure network segmentation approach.

Cunningham, C. (2020). Cyber Warfare — Truth, Tactics, and Strategies. Van Haren Publishing.

Goddard, W. (2019). History of IoT: What It Is How It Works Where It’s Come From and Where It’s Going. ITChronicles.

Makkar, A., Garg, S., Kumar, N., Hossain, M. S., Ghoneim, A., & Alrashoud, M. (2020). An efficient spam detection technique for IoT devices using machine learning. IEEE Transactions on Industrial Informatics, 17(2), 903–912.

Stawowski, M. (2009). Network security architecture. ISSA Journal (The Global Voice of Information Security), May 2009.

Teare, D. (2007). Designing for Cisco Internetwork Solutions (DESGN) (Authorized CCDA Self-Study Guide) (Exam 640–863). Pearson Education.

Pescatore, J. (2019). SANS top new attacks and threat report. Available at https://www.sans.org/white-papers/38908/

Ponemon, L. (2016). Ponemon Institute cost of a data breach study.

About the Author

Ron McFarland, PhD, CISSP is a Senior Cybersecurity Consultant at CMTC (California Manufacturing Technology Consulting) in Torrance, CA. He received his doctorate from NSU’s School of Engineering and Computer Science, MSc in Computer Science from Arizona State University, and a Post-Doc graduate research program in Cyber Security Technologies from the University of Maryland. He taught Cisco CCNA (Cisco Certified Network Associate), CCNP (Cisco Certified Network Professional), CCDA (Design), CCNA-Security and other Cisco courses and was honored with the Cisco Academy Instructor (CAI) Excellence Award in 2010, 2011, and 2012 for excellence in teaching. He also holds multiple security certifications including the prestigious Certified Information Systems Security Professional (CISSP) certification and several Cisco certifications. Dr. McFarland can be reached at his CMTC email address: rmcfarland@cmtc.com
