Monday, January 14, 2013

Defense in Depth Layer 3: Perimeter Security


“Hardware is easy to protect: lock it in a room, chain it to a desk, or buy a spare. Information poses more of a problem. It can exist in more than one place, be transported halfway across the planet in seconds, and be stolen without your knowledge.” — Bruce Schneier

Image retrieved from v3.co.uk


The perimeter of the network is the part that touches the outside world.  Therefore, it is essential to strengthen defenses along the edges of the network to promote comprehensive protection.  The perimeter is the network's border where data flows in from, and out to, other networks, including the Internet.  Perimeter defense allows authorized data to enter while blocking suspicious traffic, and it is handled by several different components, outlined below.

1. Border Router
The border router is the last controllable router before an untrusted or external network, e.g. the Internet.  Since all Internet traffic passes through the border router, it is a practical place for filtering.  It is the first and last line of defense.

2. Demilitarized Zone (DMZ)
A DMZ is a small network that hosts public-facing services at a lower security level.  It is a neutral area created outside the firewall, between a company's network and an external network, e.g. the Internet.  Web servers, for example, would not be protected by the firewall, either because of the traffic they generate or because they need less protection than internal systems.

3. Firewall
A firewall is a chokepoint device that decides which traffic is permitted and which is denied.  For perimeter defense, firewalls are available as software (installed inside a router) or as standalone hardware appliances.  A firewall can provide services such as the following:
- Stateful packet inspection – tracks connections so that inbound packets are admitted only if they were requested from inside.
- Packet filtering – blocks data from specified IP addresses and ports.
- Network Address Translation (NAT) – presents a single IP address to the outside world on behalf of multiple internal IP addresses.
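To make the three firewall services concrete, here is an added Python model (not code from the original post) of a perimeter firewall that applies a static deny list (packet filtering), rewrites outbound flows behind one public address (NAT), and admits inbound packets only when they answer a recorded outbound request (stateful inspection). The address ranges and sample packets are constructed values, and deciding direction by source address is a simplification of what a real device does with its interfaces.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class PerimeterFirewall:
    def __init__(self, inside_net, public_ip, blocked_ips=(), blocked_ports=()):
        self.inside = ip_network(inside_net)
        self.public_ip = public_ip
        self.blocked_ips = set(blocked_ips)
        self.blocked_ports = set(blocked_ports)
        self.nat_ports = {}  # (inside_ip, inside_port, remote_ip, remote_port) -> public port
        self.sessions = {}   # (remote_ip, remote_port, public port) -> (inside_ip, inside_port)
        self.next_nat_port = 40000

    def handle(self, pkt):  # -> ("ALLOW", translated packet) or ("DROP", None)
        outbound = ip_address(pkt.src) in self.inside  # a real device uses the ingress interface
        remote_ip, remote_port = (pkt.dst, pkt.dport) if outbound else (pkt.src, pkt.sport)
        # Packet filtering: static deny list of remote IP addresses and ports, both directions.
        if remote_ip in self.blocked_ips or remote_port in self.blocked_ports:
            return "DROP", None
        if outbound:
            # NAT: hide the inside host behind the single public address and a per-flow port.
            flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            nat_port = self.nat_ports.setdefault(flow, self.next_nat_port)
            self.next_nat_port = max(self.next_nat_port, nat_port + 1)
            # Stateful inspection: record the request so its reply can be recognised later.
            self.sessions[(pkt.dst, pkt.dport, nat_port)] = (pkt.src, pkt.sport)
            return "ALLOW", replace(pkt, src=self.public_ip, sport=nat_port)
        # Inbound: admit only a reply to a recorded outbound request, then undo the NAT.
        inside = self.sessions.get((pkt.src, pkt.sport, pkt.dport))
        if inside is None or pkt.dst != self.public_ip:
            return "DROP", None
        return "ALLOW", replace(pkt, dst=inside[0], dport=inside[1])

def demo():
    fw = PerimeterFirewall("10.0.0.0/24", "203.0.113.5", blocked_ips={"198.51.100.9"}, blocked_ports={23})
    packets = [  # constructed sample traffic using RFC 5737 documentation addresses
        Packet("10.0.0.7", 51000, "192.0.2.10", 443),       # inside host opens HTTPS: ALLOW, NATed
        Packet("192.0.2.10", 443, "203.0.113.5", 40000),    # the server's reply to that flow: ALLOW
        Packet("192.0.2.10", 80, "203.0.113.5", 40000),     # nobody asked this source port: DROP
        Packet("198.51.100.9", 443, "203.0.113.5", 40000),  # denied IP address: DROP
        Packet("10.0.0.7", 51001, "192.0.2.10", 23),        # denied port (telnet): DROP
    ]
    return [fw.handle(p)[0] for p in packets]
```

Calling `demo()` returns the verdict for each packet in order; the unsolicited inbound packet is dropped even though nothing on the deny list matches it, which is the point of keeping state.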

4. Intrusion Detection System (IDS)
An IDS is an alarm system that detects malicious and suspicious activities by analyzing network traffic.  If something unusual is detected, the IDS alerts the network administrator to take action to stop the event.  A network-based intrusion detection system is referred to as a NIDS.

5. Intrusion Prevention System (IPS)
An IPS is similar to an IDS, except that the IPS takes automatic and immediate defensive action without requiring action by the network administrator. 

6. Virtual Private Network (VPN)
A VPN provides perimeter security by encrypting the data sent between a business network and remote users over the Internet.  This creates a private tunnel through the Internet.

Perimeter defense measures are designed to fortify the network boundary.  While the components listed above do not constitute an exhaustive list, they give us an idea of what is required for perimeter security.  Once again, it is easy to see how this layer is actually layers within a layer.  These different technologies work in unison to create a protective barrier.  

Next time, we will discuss the internal network layer. 

Thanks for reading!

Jen  

3 comments:

  1. Thanks for sharing these detailed posts on network security!
    They're quite valuable.

    Web Developer Melbourne

  2. Information Security - Information security is a set of systems designed to protect the privacy, reliability, and availability of data from people who are trying to access the data illegally. There are different types of information technology security: application security covers vulnerabilities in mobile applications and on the web; cloud security secures information in the cloud environment; cryptography encrypts data in transit to ensure data confidentiality and integrity; infrastructure security ensures internal and external security. The three principles governing information technology are confidentiality, integrity, and availability. These principles are called the CIA triad of information security.
