The “De-perimeterization” of Networks

It is a common misconception that the deperimeterization of networks means that you need to throw out your current edge security devices, assign public addresses to all your machines, throw away all your router ACLs, and allow all inbound and outbound traffic to and from your corpnet to go uninspected and unchallenged.

Instead, deperimeterization is all about recognizing that there are now multiple perimeters; you need to identify your multiple perimeters and assign network security resources to each of those perimeters as appropriate. The “internal” versus “external” characterization of network security zones is no longer considered a viable framework on which to base network security decisions.

It should be well understood by all in our industry that you cannot trust the corpnet any more than you can trust the Internet. True, there is a much larger “attacker surface” on the Internet. However, while the “attacker surface” on the corpnet is much smaller than on the Internet, the potency and potential for damage of insider attacks negate the relatively smaller attacker surface area.

In his article The “De-perimeterization” of Networks, Ido Dubrawsky does an excellent job of explaining what deperimeterization isn’t and what it is, and how you should take advantage of new technologies, such as the Microsoft Intelligent Application Gateway 2007 (IAG 2007), to meet the challenges of securing an increasingly deperimeterized network environment.

You can find Ido’s article at:

http://technet.microsoft.com/en-us/library/cc512604.aspx

HTH,

Tom

Thomas W Shinder, M.D., MCSE
Sr. Consultant / Technical Writer
Prowess Consulting www.prowessconsulting.com

PROWESS CONSULTING documentation | integration | virtualization
Email: tshinder@isaserver.org
MVP — Forefront Edge Security (ISA/TMG/IAG)
