
1 - PERIMETER SECURITY

It’s worth considering the literal, dictionary definition of a perimeter, viz: “the continuous line
forming the boundary of a closed geometrical figure”. Worldly examples of a “perimeter” are:

• The Great Wall of China – robust enough (allegedly) to be seen from space.
• The GCHQ building in Cheltenham – shaped like a doughnut with the maximum
area contained within the minimum-sized external wall.
• The Robin in winter – puffing its mass into a fluffy ball shape with the minimum
surface area for a defined mass or volume, thus reducing body heat loss …
clever!

Well, you can’t say clearer than that – yet a perimeter is so difficult to define in IT security
terms, with, for example, “trusted relationships” between networks, wi-fi, cloud services, etc.
Where does the boundary start and end?

Perimeter security comprises those preventive control devices that perform the very
welcoming functions of “deter, detect, delay and deny”. These range from basic passwords
to complex firewall pattern analysis but all are designed to sort the “good guys” from the “bad
guys” in today’s highly techno-savvy society and to grant access only to those who are
authorised to have it and who can prove that they are authorised to have it.

1. Define your perimeter (Preventive control)


You cannot protect anything until you know what it is you want to protect. Based upon a risk
assessment (impact vs likelihood), determine what your system boundary of responsibility
should be, what should be inside it, what should be outside it and to what degree you want
to defend it from theft, confidentiality breach and corruption arising from unauthorised
external access.

2. Use strong passwords to access systems or networks (Preventive control)


See under the “Access Authentication” section of this website

3. Deploy firewalls between your network/PC and an unsafe network (Preventive control)

A firewall is a protective device that controls ingress (or egress) of information or data to and
from your network or PC and it works in exactly the same way as its real-life, physical
counterpart (i.e. preventing the spread of flames from one combustible area to another).

Firewalls can be implemented for many reasons, most of which deal with malicious software
or hacking.

For example, they can be designed to:

• prevent loss or leakage of confidential information to hackers (e.g. by preventing
access to internal IP addresses);
• prevent the introduction of malicious software, such as Trojans, on to your systems;
• detect and defend from denial of service attacks, designed to bombard your system
with so much apparently credible input that it has to be shut down.

They can also take several forms. For example, software firewalls, extensively configurable,
can be built into a PC or web server, while hardware firewalls are not so easy to configure
but ensure that adverse content never reaches your critical systems in the first place.

Firewalls can be established in their own right but are often configured within network routers
in terms of restrictions on and use of internet protocol (IP) ports.

4. Deploy firewalls within your network (Preventive control)


There will often be a need for logical segregation of security or function within an
organisation and its network, especially to isolate sensitive network components.

For example, there should be no valid reason why anybody outside the payroll function
should have access to the systems information therein, while stored payment card details,
on systems used for business transactions, should similarly be secured against any
non-authorised access (at the very least to comply with the mandatory provisions of the Payment
Card Industry Data Security Standard).

Firewalls have their part to play in such network security configuration, usually in association
with component IP addresses and/or user access privileges (security profiles).

5. Consider firewall rules carefully (Preventive control)


Firewall “rule sets” can range from very simple to extremely complex and should be carefully
devised and, in the business arena, formally approved and implemented under strict change
management.

The most simple firewall rule set is “deny all unless specifically permitted” - full stop!

This is an extremely effective protective mechanism, because it prevents any data packets
from crossing the firewall. The downside is that the organisation can get no information in
or out, so on its own it is somewhat impractical as a business model.

However, it is the best place to start when developing the security model from the ground up,
so to speak, because access rights can be granted in a careful and controlled manner from
that point. It can allow, for example, data ingress from a particular business partner IP
address or trusted systems (like www.bbc.co.uk) by identifying their IP addresses as
permissible.

The “deny all” approach takes time to establish properly and requires constant review, but it is
nevertheless the most secure approach, being based upon the principle of “least privilege”,
where users or IP addresses have only the access rights that they need.
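The default-deny, first-match model that sections 4 and 5 describe, written out as an added Python example (this is not code from the original page; the Rule and Firewall classes and the rule format are hypothetical illustrations, and the addresses are RFC 5737 documentation ranges and private 10.0.0.0/8 space chosen for the example). It shows both an external allow rule for a business partner and an internal segmentation rule that keeps the payroll segment reachable only from HR:

```python
"""Default-deny firewall rule set evaluated in order (added example; the
rule format is hypothetical, not any vendor's syntax)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    src: str              # source network in CIDR form; "0.0.0.0/0" = any
    dst: str              # destination network in CIDR form
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # destination port, None = any port
    comment: str = ""

    def matches(self, src_ip, dst_ip, proto, dport):
        return (ip_address(src_ip) in ip_network(self.src, strict=False)
                and ip_address(dst_ip) in ip_network(self.dst, strict=False)
                and self.proto in ("any", proto)
                and self.dport in (None, dport))


class Firewall:
    """First matching rule wins; anything unmatched hits the default deny."""

    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, src_ip, dst_ip, proto, dport):
        for r in self.rules:
            if r.matches(src_ip, dst_ip, proto, dport):
                return r.action, r.comment
        return "deny", "default deny: no rule permitted this traffic"


# Constructed rule set: RFC 5737 documentation addresses for the partner,
# private 10.0.0.0/8 ranges for the internal segments (sections 4 and 5).
RULES = [
    Rule("allow", "203.0.113.0/24", "10.0.0.10/32", "tcp", 443,
         "business partner may reach the public web server over HTTPS"),
    Rule("allow", "10.0.2.0/24", "10.0.9.0/24", "tcp", 5432,
         "HR workstations may query the payroll database"),
    Rule("deny", "0.0.0.0/0", "10.0.9.0/24", "any", None,
         "explicit deny for the payroll segment so it is logged distinctly"),
]

FW = Firewall(RULES)

if __name__ == "__main__":
    for pkt in [("203.0.113.5", "10.0.0.10", "tcp", 443),
                ("203.0.113.5", "10.0.0.10", "tcp", 22),
                ("10.0.2.7", "10.0.9.3", "tcp", 5432),
                ("10.0.5.7", "10.0.9.3", "tcp", 5432)]:
        print(pkt, "->", FW.decide(*pkt))
```

The partner address is allowed only to port 443 on one host; the same address asking for port 22 falls through every rule and is denied by default, which is the "grant carefully from deny-all" process the text describes. The trailing explicit deny for the payroll segment is redundant with the default but gives the log a distinct reason string, which helps when reviewing rule sets under change management.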

6. Subject your network to a penetration test (Detective control)


Also known as “ethical hacking”, penetration testing is the process of trying to access the
internal resources of an organisation’s network from a point outside their network gateway,
to prove whether “secured” information can be viewed, copied (stolen), deleted or
simply corrupted.

This complex and technically demanding process is usually carried out by a proficient (and
trusted!) third party and is a compliance requirement of the Payment Card Industry Data
Security Standard (PCI DSS – see section 9, “Compliance with confidentiality laws and
regulations”).

Testing is not necessarily restricted to a technological box of tricks attached to the
telecommunications cabling (or placed in the Wi-fi vicinity) of a network. More human means
can also be utilised, such as the sinister-sounding “social engineering”, whereby a tester
poses as an authorised visitor (such as a premises maintenance worker or meter reader),
“blags” their way through whatever passes for premises security, and tries to access
organisational information purely by looking like they belong and hoping that no-one will
challenge them.

The sobering upshot of all this is that if someone you trust can get in, with no internal
assistance, then so can one of the “bad guy” boffins of society!

7. Deploy a proxy server between internal and external network resources (Preventive control)

A proxy server, or “proxy”, is a hardware or software system that sits between one network
and others acting as an intermediary for requests from the external networks (presumed, by
default, to be hostile in this context) seeking resources or information from its host servers,
but that can also be deployed for the protection of “outbound” data traffic. It usually
comprises a gateway between a home network and the internet, but can be a simple
protective device between networks within an organisation.

The “external” requestor connects to the proxy server, requesting a service that is to be
provided from the “internal” computers. This may be, for example, a file, or URL (web page).

The request is analysed and evaluated by the proxy, based upon a pre-determined set of
criteria (that will include a “catch all” provision for rejection by default, with appropriate
message, if no satisfactory transfer can be achieved).

If the request is validated, the proxy retrieves the necessary “internal” resource and returns it
to the requestor. At no point will the external IP address that has submitted the request be
connected directly to the internal IP address of the resource server. Dealings will only be at
the proxy level, to preserve necessary internal anonymity, e.g. of IP addresses.

8. Use an Intrusion Detection System (Detective control)


An intrusion detection system (IDS), the logical companion to the firewall, is designed to
recognise when an exceptional security event has occurred, especially an adverse one, so
that notification is prompt, enabling remedial action to be taken quickly if necessary.

An analogy can be drawn between an IDS and a (monitored) domestic burglar/fire alarm
system, whereby an activation of the armed system, during the absence of the home owner,
will produce both an audible alert and a notification to a monitoring centre who can request
the intervention of the police or fire brigade.

Care needs to be taken in establishing an IDS since, if sensitivity settings are incorrect,
“false positives” (events signalling an IDS to produce an alarm when no attacks have taken
place) can occur, involving unnecessary investigation and possibly interruption to normal
processes. Extending the burglar alarm analogy above, a spider crawling across a motion
sensor can set it off … so keep up with the housekeeping and vacuum the webs away
regularly!

9. Maintain a log of perimeter activity (Detective control)


There are many reasons for keeping track of transactional and network traffic activity within
and across system boundaries, e.g.:

• Monitoring system usage for future capacity planning
• Assessing patterns of access by particular IP addresses that can be either
encouraged or blocked according to desirability or threat
• Identifying potential (distributed) denial of service (DDoS) attacks
• Gathering data from sources such as audit policies or an IDS (described
above)
• Assimilation and retention of reliable information as evidence for compliance or
legal action.

Thus, it is a very good idea to configure event logs on firewalls, gateways, etc. and to ensure
that they are (a) large enough to store sufficient information for their purposes, and (b) saved
and archived before being overwritten by further events.
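An added example (not part of the original page) that ties the IDS point of section 8 to the perimeter logging point of section 9: constructed firewall log lines in a hypothetical key=value format are parsed, and a per-source threshold detector is run over them. The ignore list stands in for the "sensitivity settings" the text warns about, suppressing the false positive raised by a noisy but benign internal host without lowering sensitivity for everyone else. The detector, the log format and the thresholds are illustrative assumptions, not any product's behaviour:

```python
"""Simple threshold-based detection over perimeter firewall logs (added
example; the log format and the ``detect`` thresholds are hypothetical)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log lines in a syslog-like key=value format.
# 198.51.100.7 (RFC 5737 documentation range) probes six ports in six
# seconds; 10.0.3.4 is an internal monitoring host whose SNMP polls are
# being denied by a rule and so looks noisy without being hostile.
SAMPLE_LOG = """
2024-05-01T10:00:01Z fw01 DENY src=198.51.100.7 dst=10.0.0.10 proto=tcp dport=21
2024-05-01T10:00:02Z fw01 DENY src=198.51.100.7 dst=10.0.0.10 proto=tcp dport=22
2024-05-01T10:00:03Z fw01 DENY src=198.51.100.7 dst=10.0.0.10 proto=tcp dport=23
2024-05-01T10:00:04Z fw01 DENY src=198.51.100.7 dst=10.0.0.10 proto=tcp dport=25
2024-05-01T10:00:05Z fw01 DENY src=198.51.100.7 dst=10.0.0.10 proto=tcp dport=80
2024-05-01T10:00:06Z fw01 ALLOW src=203.0.113.5 dst=10.0.0.10 proto=tcp dport=443
2024-05-01T10:00:06Z fw01 DENY src=198.51.100.7 dst=10.0.0.10 proto=tcp dport=443
2024-05-01T10:01:00Z fw01 DENY src=10.0.3.4 dst=10.0.9.3 proto=udp dport=161
2024-05-01T10:01:05Z fw01 DENY src=10.0.3.4 dst=10.0.9.3 proto=udp dport=161
2024-05-01T10:01:10Z fw01 DENY src=10.0.3.4 dst=10.0.9.3 proto=udp dport=161
2024-05-01T10:01:15Z fw01 DENY src=10.0.3.4 dst=10.0.9.3 proto=udp dport=161
2024-05-01T10:01:20Z fw01 DENY src=10.0.3.4 dst=10.0.9.3 proto=udp dport=161
2024-05-01T10:01:25Z fw01 DENY src=10.0.3.4 dst=10.0.9.3 proto=udp dport=161
2024-05-01T10:01:30Z fw01 DENY src=10.0.3.4 dst=10.0.9.3 proto=udp dport=161
2024-05-01T10:01:35Z fw01 DENY src=10.0.3.4 dst=10.0.9.3 proto=udp dport=161
this line is corrupt and must be skipped, not crash the parser
""".strip().splitlines()

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) proto=(?P<proto>\S+) dport=(?P<dport>\d+)$")


def parse(lines):
    """Turn raw lines into event dicts; unparseable lines are dropped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ev["dport"] = int(ev["dport"])
        events.append(ev)
    return events


def _worst_window(evs, window):
    """Largest event count and largest distinct-port set in any window."""
    evs = sorted(evs, key=lambda e: e["ts"])
    best_count, best_ports, j = 0, set(), 0
    for i in range(len(evs)):
        while j < len(evs) and evs[j]["ts"] - evs[i]["ts"] <= window:
            j += 1
        chunk = evs[i:j]
        best_count = max(best_count, len(chunk))
        ports = {e["dport"] for e in chunk}
        if len(ports) > len(best_ports):
            best_ports = ports
    return best_count, best_ports


def detect(events, window=timedelta(seconds=60), deny_threshold=8,
           port_threshold=5, ignore=frozenset()):
    """Alert per source that exceeds a deny-rate or distinct-port threshold.
    ``ignore`` holds known-benign sources: listing a host there removes its
    false positive without lowering sensitivity for everyone else."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["action"] == "DENY" and ev["src"] not in ignore:
            by_src[ev["src"]].append(ev)
    alerts = []
    for src, evs in by_src.items():
        count, ports = _worst_window(evs, window)
        if len(ports) >= port_threshold:
            alerts.append({"src": src, "kind": "port-scan-like",
                           "count": count, "ports": sorted(ports)})
        elif count >= deny_threshold:
            alerts.append({"src": src, "kind": "deny-flood",
                           "count": count, "ports": sorted(ports)})
    return alerts


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("untuned:", detect(evs))
    print("tuned:  ", detect(evs, ignore={"10.0.3.4"}))
```

Run untuned, the detector raises two alerts: the external probe (six distinct ports in six seconds) and the internal monitoring host (eight denies in under a minute). Only the first deserves investigation; the second is the "spider on the motion sensor". The right fix is to either correct the firewall rule that is denying the poller or record the host as known-benign, not to raise the thresholds for every source. Note also that the detector only works if the log is complete, which is the point of (a) and (b) above: an undersized or overwritten log silently lowers the counts the thresholds are compared against.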

10. Establish a suitable access banner at the system perimeter (Deterrent control)

Unauthorised access to computer programs or data was defined as an offence under the
Computer Misuse Act 1990, later amended and strengthened by the Police and Justice Act
2006.

However, it is initially down to the potential victims of hacking to do what they can to mitigate
the threat and some of these concepts are described above.

However, if an unauthorised intruder, before entering network resources, has had to
acknowledge that only authorised access is permitted, then the victim is in a stronger
position when it comes to bringing an identifiable intruder to justice.

Although most hackers will not come in the “front door”, it can do no harm to place a website
or network banner at the point of entry, whose terms and conditions must be accepted
electronically by all who enter.

The wording of the banner may need to be scrutinised by a lawyer to ensure it is as
watertight as possible.

Nevertheless, there should also be a facility to ensure that people who need remote access
can get it in an authorised manner.

Useful references:
• The Information Security Forum’s “Standard of Good Practice”, similar to ISO27001, is
available from https://www.securityforum.org/?page=downloadsogp
• Firewall rules: http://technet.microsoft.com/en-us/library/dd421709(WS.10).aspx
• Penetration testing:
http://www.sans.org/reading-room/whitepapers/testing/penetration-testing-financial-services-industry-33314
• Intrusion detection systems: http://www.sans.org/security-resources/idfaq/what_is_id.php
• Payment Card Industry Data Security Standard:
https://www.pcisecuritystandards.org/security_standards/documents.php
