This short article will focus on Network and Perimeter Security and the reason it’s so important. First, it’s important to emphasize that while Network Perimeter security is important, defense in depth is necessary to truly secure a network. You don’t want to put all your eggs in one basket. If you think that having a good firewall makes you secure, you should think again, and then hire some experts to help you implement a solid defense in depth strategy tailored to your environment.
The first entry point into a network from the OUTSIDE is the Firewalls or Perimeter Defenses. I am emphasizing outside because some studies have shown that up to 80% of breaches involve some insider activity, whether malicious or not: a default password on a router or appliance, a non-complex admin password or a default admin user name are some examples. At the same time, you can’t just leave the gates to the city wide open; you need to block quite a bit of activity if you have even a small to medium sized organization.
The perimeter is where you would, for example, block incoming traffic such as malformed TCP/IP packets (which could be part of a DDoS pattern), runt or jumbo frames, or other malicious activity that you don’t want coming in.
The more traffic you block the safer you are, but with a caveat: if you block everything people won’t be able to work, and the company will be out of business, which means you haven’t done a good job. If you must allow certain traffic, for example web traffic from an APAC or Eastern Bloc country, you can set up compensating controls, such as only allowing it over an authorized VPN connection from a corporate device and a domain user. Additionally, you could set up 2 factor or even Multifactor Authentication. There are further controls which can be helpful.
The VPN traffic could be restricted to only certain VLANs, not the whole network, so that if the account were compromised the attacker would only have very limited access to the domain. Segregation of duties would also help, especially if this was a privileged account, as a compromise of the account would then not yield ROOT or Enterprise Admin access to the entire Domain.
The important thing to do is to block as much as you can while allowing business to flow and keeping the business happy. External traffic should definitely not be allowed on an internal server, especially a Domain Controller. This also applies to Security Appliances and Network Devices themselves.
You can obviously perform deep packet inspection on all traffic before allowing it in. Certain applications which in the past have proven to be problematic on corporate networks, because they were a source of phishing traffic or malware, can also be blocked, Facebook for example. If you have a Network Level DLP system you can also block Dropbox traffic; this can just as easily be handled by a Layer 7 or Application Level Firewall, but the DLP is very beneficial as it has increased functionality and is a dedicated appliance.
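The perimeter rules described above (drop malformed packets, keep external traffic off the Domain Controllers, allow traffic from restricted regions only with the VPN/corporate device/domain user/MFA compensating controls, confine VPN sessions to their VLANs, and default deny everything else) can be written down as an ordered policy. The following is an added example, not code from the article; the subnets, regions, ports and flag combinations are constructed sample values for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample policy values (assumptions for this example, not from the article).
RESTRICTED_REGIONS = {"APAC", "EASTERN_BLOC"}
DC_SUBNET = ip_network("10.0.10.0/24")            # hypothetical Domain Controller VLAN
VPN_ALLOWED_VLANS = [ip_network("10.0.50.0/24")]   # the only VLAN a VPN session may reach
PUBLIC_SERVICES = {("10.0.20.5", 443)}              # hypothetical published web server
# TCP flag combinations that never occur in legitimate traffic (empty set = "null" packet).
BAD_TCP_FLAG_SETS = [{"SYN", "FIN"}, set(), {"FIN", "PSH", "URG"}]


@dataclass
class Conn:
    src_region: str
    dst_ip: str
    dst_port: int
    tcp_flags: frozenset
    via_vpn: bool = False
    corporate_device: bool = False
    domain_user: bool = False
    mfa_passed: bool = False


def evaluate(conn: Conn) -> tuple:
    """Return (verdict, reason) for one inbound connection. Rules are checked in
    order, so the most damaging cases are rejected first and the last rule is default deny."""
    dst = ip_address(conn.dst_ip)
    if set(conn.tcp_flags) in BAD_TCP_FLAG_SETS:
        return ("DROP", "malformed TCP flags")
    if dst in DC_SUBNET:
        return ("DROP", "external traffic to Domain Controller VLAN")
    if conn.src_region in RESTRICTED_REGIONS:
        # All compensating controls must hold together, not just one of them.
        controls = (conn.via_vpn, conn.corporate_device, conn.domain_user, conn.mfa_passed)
        if not all(controls):
            return ("DROP", "restricted region without compensating controls")
    if (conn.dst_ip, conn.dst_port) in PUBLIC_SERVICES and not conn.via_vpn:
        return ("ALLOW", "published service")
    if conn.via_vpn:
        if not any(dst in vlan for vlan in VPN_ALLOWED_VLANS):
            return ("DROP", "VPN session outside permitted VLANs")
        return ("ALLOW", "VPN session confined to permitted VLAN")
    return ("DROP", "default deny")
```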
The perimeter controls what comes into the network and what traffic is allowed out, and as such is a critical piece of the entire Defense in Depth Architecture of a solid security program. Perimeter security must be complemented; it is not an all-powerful solution in and of itself. Don’t be fooled into thinking that a strong firewall by itself will keep you safe: have a strong firewall and build multiple layers of security behind it, and you will have a strong security posture.