It’s worth considering the literal, dictionary definition of a perimeter, viz: “the continuous line
forming the boundary of a closed geometrical figure”. Worldly examples of a “perimeter” are:
The Great Wall of China – robust enough (allegedly) to be seen from space.
The GCHQ building in Cheltenham - shaped like a doughnut with the maximum
area contained within the minimum-sized external wall.
The Robin in winter – puffing its mass into a fluffy ball-shape with the minimum
surface area for a defined mass or volume, thus reducing body heat loss …
clever!
Well, you can’t say clearer than that – yet a perimeter is so difficult to define in IT security
terms, with, for example, “trusted relationships” between networks, wi-fi, cloud services, etc.
Where does the boundary start and end?
Perimeter security comprises those preventive control devices that perform the very
welcoming functions of “deter, detect, delay and deny”. These range from basic passwords
to complex firewall pattern analysis but all are designed to sort the “good guys” from the “bad
guys” in today’s highly techno-savvy society and to grant access only to those who are
authorised to have it and who can prove that they are authorised to have it.
Firewalls can be implemented for many reasons, most of which deal with malicious software
or hacking.
Firewalls can be established in their own right but are often configured within network routers
in terms of restrictions on and use of internet protocol (IP) ports.
For example, there should be no valid reason why anybody outside the payroll function
should have access to the systems information therein, while stored payment card details,
on systems used for business transactions, should similarly be secured against any
non-authorised access (at the very least to comply with the mandatory provisions of the
Payment Card Industry Data Security Standard).
Firewalls have their part to play in such network security configuration, usually in association
with component IP addresses and/or user access privileges (security profiles).
The simplest firewall rule set is “deny all unless specifically permitted” - full stop!
This is an extremely effective protective mechanism, because it prevents any data packets
from crossing the firewall. The downside of this is that the organisation can get no
information in or out, so is somewhat impractical as a business model.
However, it is the best place to start when developing the security model from the ground up,
so to speak, because access rights can be granted in a careful and controlled manner from
that point. It can allow, for example, data ingress from a particular business partner IP
address or trusted systems (like www.bbc.co.uk) by identifying their IP addresses as
permissible.
The “deny all” protocol takes time to establish properly and requires constant review, but it is
nevertheless the most secure approach, being based upon the principle of “least privilege”
where users or IP addresses have only the access rights that they need.
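The “deny all unless specifically permitted” rule set described above, as an added example that is not part of the original document: every rule is an explicit permit, anything unmatched falls through to the default deny, and a review helper flags permits that are broader than least privilege would justify. The rule names, the addresses (documentation ranges) and the 16-host review limit are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    source: str       # CIDR range the traffic must come from
    dest_port: int    # destination port the permit covers
    proto: str = "tcp"


# Constructed rule set: addresses are documentation ranges, not real partners.
PERMITS = [
    Rule("partner-sftp", "198.51.100.10/32", 22),
    Rule("payroll-admin", "192.0.2.0/28", 443),
    Rule("legacy-any", "0.0.0.0/0", 8080),   # far too broad: caught by review()
]


def decide(src_ip, dest_port, proto="tcp", rules=PERMITS):
    """Return (verdict, rule_name); anything not explicitly permitted is denied."""
    addr = ipaddress.ip_address(src_ip)
    for rule in rules:
        if (proto == rule.proto and dest_port == rule.dest_port
                and addr in ipaddress.ip_network(rule.source)):
            return ("permit", rule.name)
    return ("deny", "default-deny")


def review(rules=PERMITS, max_hosts=16):
    """Periodic review: name the permits whose source range exceeds max_hosts."""
    return [rule.name for rule in rules
            if ipaddress.ip_network(rule.source).num_addresses > max_hosts]


if __name__ == "__main__":
    for probe in [("198.51.100.10", 22), ("198.51.100.11", 22), ("203.0.113.9", 8080)]:
        print(probe, decide(*probe))
    print("permits needing review:", review())
```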
The sobering upshot of all this is that if someone you trust can get in, with no internal
assistance, then so can one of the “bad guy” boffins of society!
7. Deploy a proxy server between internal and external network resources (Preventive
control)
A proxy server, or “proxy”, is a hardware or software system that sits between one network
and others acting as an intermediary for requests from the external networks (presumed, by
default, to be hostile in this context) seeking resources or information from its host servers,
but that can also be deployed for the protection of “outbound” data traffic. It usually
comprises a gateway between a home network and the internet, but can be a simple
protective device between networks within an organisation.
The “external” requestor connects to the proxy server, requesting a service that is to be
provided from the “internal” computers. This may be, for example, a file, or URL (web page).
The request is analysed and evaluated by the proxy, based upon a pre-determined set of
criteria (that will include a “catch all” provision for rejection by default, with appropriate
message, if no satisfactory transfer can be achieved).
If the request is validated, the proxy retrieves the necessary “internal” resource and returns it
to the requestor. At no point will the external IP address that has submitted the request be
connected directly to the internal IP address of the resource server. Dealings will only be at
the proxy level, to preserve necessary internal anonymity, e.g. of IP addresses.
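The request handling described above, sketched as an added example that is not part of the original document: the proxy checks each external request against a fixed set of criteria, rejects by default with a message, fetches the resource itself and removes response headers that would disclose the internal server. The routes, internal addresses, header names and the in-memory stand-in for the internal servers are all assumptions made so that the example runs offline.

```python
from urllib.parse import urlsplit, unquote

# Constructed policy: public path -> internal origin. Anything else is rejected.
ROUTES = {
    "/brochures/": "http://10.0.5.20:8080",
    "/status": "http://10.0.5.21:9000",
}
ALLOWED_METHODS = {"GET", "HEAD"}
# Response headers assumed to reveal internal hosts; never passed outward.
LEAKY_HEADERS = {"server", "via", "x-backend-server"}

# Stand-in for the internal servers (constructed content).
INTERNAL = {
    ("http://10.0.5.20:8080", "/brochures/2024.pdf"): (
        200,
        {"Content-Type": "application/pdf", "X-Backend-Server": "10.0.5.20"},
        b"%PDF",
    ),
}


def reject():
    """Catch-all provision: rejection by default, with a message."""
    return 403, {}, b"Request rejected by proxy policy"


def handle(method, url):
    """Evaluate one external request and return (status, headers, body)."""
    path = unquote(urlsplit(url).path)
    # Refuse disallowed methods and any attempt to climb out of a permitted path.
    if method not in ALLOWED_METHODS or ".." in path.split("/"):
        return reject()
    for prefix, origin in ROUTES.items():
        exact = path == prefix
        under = prefix.endswith("/") and path.startswith(prefix)
        if exact or under:
            # The proxy, not the requestor, talks to the internal origin.
            status, headers, body = INTERNAL.get((origin, path), (404, {}, b""))
            safe = {k: v for k, v in headers.items()
                    if k.lower() not in LEAKY_HEADERS}
            return status, safe, body
    return reject()


if __name__ == "__main__":
    print(handle("GET", "http://www.example.test/brochures/2024.pdf"))
    print(handle("GET", "http://www.example.test/payroll/run.csv"))
```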
An analogy can be drawn between an IDS and a (monitored) domestic burglar/fire alarm
system, whereby an activation of the armed system, during the absence of the home owner,
will produce both an audible alert and a notification to a monitoring centre who can request
the intervention of the police or fire brigade.
Care needs to be taken in establishing an IDS since, if sensitivity settings are incorrect,
“false positives” (events signaling an IDS to produce an alarm when no attacks have taken
place) can occur involving unnecessary investigation and possibly interruption to normal
processes. Extending the burglar alarm analogy above, a spider crawling across a motion
sensor can kick it off … so keep up with the housekeeping and vacuum the webs away
regularly!
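The effect of the sensitivity setting, shown as an added example that is not part of the original document: a simple failed-login detector is run over the same events at different thresholds, and the sources it flags are compared with the known cause of each event. The log format, the addresses, the 60-second window and the ground-truth labels are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed events: 192.0.2.14 is a member of staff mistyping a password
# twice; 203.0.113.77 is a password-guessing run.
RAW = """\
2024-05-01T09:00:01 192.0.2.14 FAIL
2024-05-01T09:00:09 192.0.2.14 FAIL
2024-05-01T09:00:20 192.0.2.14 OK
2024-05-01T09:05:00 203.0.113.77 FAIL
2024-05-01T09:05:02 203.0.113.77 FAIL
2024-05-01T09:05:04 203.0.113.77 FAIL
2024-05-01T09:05:06 203.0.113.77 FAIL
2024-05-01T09:05:08 203.0.113.77 FAIL
2024-05-01T09:05:10 203.0.113.77 FAIL
"""
KNOWN_ATTACKERS = {"203.0.113.77"}   # ground truth for this constructed sample


def parse(raw):
    """Yield (timestamp, source, outcome) for each log line."""
    for line in raw.splitlines():
        ts, src, outcome = line.split()
        yield datetime.fromisoformat(ts), src, outcome


def alerts(raw, threshold, window=timedelta(seconds=60)):
    """Sources with at least `threshold` failed logins inside a sliding window."""
    recent = defaultdict(deque)
    flagged = set()
    for ts, src, outcome in parse(raw):
        if outcome != "FAIL":
            continue
        seen = recent[src]
        seen.append(ts)
        while ts - seen[0] > window:      # drop failures older than the window
            seen.popleft()
        if len(seen) >= threshold:
            flagged.add(src)
    return flagged


def false_positives(raw, threshold):
    """Alarms raised for sources that were not attacking."""
    return alerts(raw, threshold) - KNOWN_ATTACKERS


if __name__ == "__main__":
    for threshold in (2, 5):
        print(threshold, sorted(alerts(RAW, threshold)),
              "false positives:", sorted(false_positives(RAW, threshold)))
```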
Thus, it is a very good idea to configure event logs on firewalls, gateways, etc. and to ensure
that they are (a) large enough to store sufficient information for their purposes, and (b) saved
and archived before being overwritten by further events.
10. Establish a suitable access banner at the system perimeter (Deterrent control)
Unauthorised access to computer programs or data was defined as an offence under the
Computer Misuse Act 1990, later amended and strengthened by the Police and Justice Act
2006.
However, it is initially down to the potential victims of hacking to do what they can to mitigate
the threat and some of these concepts are described above.
Although most hackers will not come in the “front door”, it can do no harm to place a website
or network banner at the point of entry, the terms and conditions of which must be
technologically accepted by all who enter.
Nevertheless, there should also be a facility to ensure that people who need remote access
can get it in an authorised manner.
Useful references:
The Information Security Forum’s “Standard of Good Practice”, similar to ISO27001, is
available from https://www.securityforum.org/?page=downloadsogp
Penetration testing:
http://www.sans.org/reading-room/whitepapers/testing/penetration-testing-financial-services-industry-33314