Security isn't just about hardening your internal network. Your perimeter networks also need regular security reviews and updates. Whether it's a DMZ, a wireless access point or just an external network connecting to your core domain, you need to ensure that your employee and customer data are safe.
What is the Perimeter Network and Why You Should Care
As a business owner, you probably understand your internal network, but you may not have a strong understanding of the perimeter network. Perimeter networks are usually reserved for small, growing businesses. Cloud hybrids can create a perimeter network, and in this case many cloud hosting contracts cover security. However, you should always have a security team or audit to ensure that every part of your IT infrastructure has the best defense against attackers.
The perimeter network is an extension of your internal network. Think of your IT infrastructure as an onion. An onion has several layers that extend from the internal core section. The internal core of your IT infrastructure is surrounded by several layers, and each layer gets closer and closer to the outside. When you think about securing your network, each layer further out from the core must be secured against the layer outside it, and the outermost layer must efficiently protect the core from the public cloud.
The core is where your sensitive, private data is contained. The perimeter is the outside layer that is less secure (in some cases), but it's also under your supervision and control so you must ensure that its data is not entirely accessible by the public Internet. Think of the Internet as the least secure and outside layer of your own network.
A good example of a perimeter network is the DMZ. A DMZ is a layer between your core internal system and the Internet. It's mostly used for web services such as hosting your own website and the APIs that interact with your internal network.
Because the DMZ allows the general public to view your website or interact with your API, it cannot have the same rock-solid security as your internal network. You need to block all incoming public traffic to your internal network while still allowing that traffic to reach the web services in the DMZ. This is your perimeter network. You can't allow full access from public traffic, but you also can't lock down the network the way you can an internal network.
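To make the split concrete, here is an added example (not from the original article) that models the Internet / DMZ / internal-core layers as a default-deny, zone-based policy and contrasts a hardened rule set with a weak one that trusts the whole DMZ into the core. The address ranges, the backend host 10.0.5.20 and all ports are constructed for illustration.

```python
# Added example (not from the original article): a zone-based, default-deny
# policy model for an Internet / DMZ / internal-core perimeter. All address
# ranges and ports below are constructed for illustration.
import ipaddress

DMZ = ipaddress.ip_network("192.0.2.0/24")       # constructed DMZ range
INTERNAL = ipaddress.ip_network("10.0.0.0/16")   # constructed core range
API_DB = "10.0.5.20"                             # constructed backend the DMZ API needs

def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    if addr in DMZ:
        return "dmz"
    if addr in INTERNAL:
        return "internal"
    return "internet"

# A rule is (src_zone, dst_zone, allowed_ports, allowed_hosts);
# an empty set means "any".
ANY = frozenset()

# Hardened policy: the public reaches only the DMZ web ports, and the DMZ
# reaches only the single internal backend its API requires.
HARDENED = [
    ("internet", "dmz", frozenset({80, 443}), ANY),
    ("dmz", "internal", frozenset({5432}), frozenset({API_DB})),
]

# Weak policy: the DMZ is trusted into the whole core, so a compromised
# web server can reach any internal host on any port.
WEAK = HARDENED[:1] + [("dmz", "internal", ANY, ANY)]

def permitted(policy, src_ip: str, dst_ip: str, dst_port: int) -> bool:
    """Default deny: a flow passes only if some rule explicitly matches it."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for src_zone, dst_zone, ports, hosts in policy:
        if (src_zone, dst_zone) != (src, dst):
            continue
        if ports and dst_port not in ports:
            continue
        if hosts and dst_ip not in hosts:
            continue
        return True
    return False

def dmz_reach(policy) -> list:
    """Internal (host, port) pairs a DMZ web server can reach; hardened = API backend only."""
    probes = [(API_DB, 5432), ("10.0.1.10", 445), ("10.0.1.10", 3389)]
    return [p for p in probes if permitted(policy, "192.0.2.10", *p)]
```

Running `dmz_reach` against both policies shows the review question to ask of any DMZ rule set: what can a compromised perimeter host reach in the core?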
Your organization likely has several layers of infrastructure and technology, and this is why it becomes a challenge for your IT team to properly configure your network resources.
When you work with security and infrastructure, you might have one or several vendors. The number of vendors doesn't truly matter. What matters is that these vendors are able to offer you the right security and resources that allow your business to grow and protect customer data. If you allow this segment of your network to go unmonitored, you potentially create risks to your sensitive internal network.
What Type of Equipment is Needed for the Perimeter?
Usually, a growing organization starts with a secure private network and extends its visibility to the perimeter using infrastructure such as a DMZ. To add a perimeter, you need the right equipment. Again, this can be the same vendor or multiple different vendors, but they must offer the right resources. Sometimes the same vendor is more convenient because it's easier to configure one vendor's hardware to interact with itself. For instance, having Cisco-based switches and routers makes it more convenient since commands and technology are the same across the board.
As with your internal network, you need border routers for your perimeter. If you already have an Internet connection through your ISP, then you have a router that connects the public Internet to your internal network. If you offer wireless access points, you already have a router for this perimeter as well.
After you determine your infrastructure, you will need border routers to connect the different segments of your perimeter, internal and external networks. These routers will need tight configurations to avoid allowing traffic from unknown sources. This includes the Internet and resources external to your core LAN.
Firewalls are essential to your security. Most organizations choose to keep the same vendor across the network because it makes it easier to configure and any updates to firmware or software are accessible from one location. These systems must be constantly reviewed and updated, so using the same vendor reduces the chance that your system is left vulnerable due to poor security reviews.
This can also have a disadvantage. If a major vulnerability is found in a particular vendor's firewall system, it makes your entire network vulnerable instead of only one segment.
There are several firewall vendors on the market. Many organizations work with Cisco if they also have Cisco routers installed.
Intrusion Detection Systems (IDS)
Firewalls are great for blocking external traffic from accessing your site. You can even set up proxies to limit areas of the web that are inappropriate for work browsing. Limiting parts of the web will reduce the chance a user will unintentionally install malware on the network. This is essential for security, but what happens when your perimeter is breached and the attacker is able to gain access to the core network? This is when an IDS is useful.
An IDS will monitor traffic as it traverses your network. There are two types of IDSes: network based and host based. Most organizations have at least one type installed on their network. This security measure evaluates traffic for common malicious signatures.
A network-based IDS (NIDS) is placed directly on your subnet to monitor traffic as it passes through the firewall. If the traffic contains common malware properties, then you can configure the IDS to send alerts. These alerts can range from an email to a text message, but the notification option must be part of the vendor's product. Just make sure the alert system you need is included with the system you purchase.
The other option you have is a host-based IDS (HIDS). This system monitors each host or node on your network. This type of IDS is useful when detecting internal threats. These threats may come from disgruntled employees or be completely unintentional. Think of the employee who accidentally falls for a phishing attempt or installs malicious content on the network. A HIDS will be able to detect suspicious traffic from the host. This includes malware silently installed on a server and used for malicious purposes on a perimeter network.
Intrusion Prevention Systems (IPS)
An IDS monitors the network for suspicious traffic, but an IPS will actively stop suspicious traffic from traveling across your infrastructure. Think of an IDS as your alarm system should an intruder access your network. An IPS is the lock on your door that stops them from accessing your infrastructure altogether.
The issue with an IDS is that it just monitors, but it does not automatically stop malicious traffic. With an IPS, you can stop malicious traffic in its tracks.
You can think of an IPS as a firewall with the extended components of an IDS. The system reviews traffic on your network, analyzes it for any known signatures, and then blocks the traffic should it determine that it poses a threat.
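The IDS/IPS distinction above comes down to what happens after a signature matches. As an added example (not from the original article or any vendor product), the block below runs one small signature engine in both modes over constructed flow records: a content signature standing in for a known malware indicator, and a behavioral one that flags a DMZ host reaching into the core outside its one permitted backend (the silently compromised perimeter server described earlier). The address ranges, the beacon pattern and the backend 10.0.5.20:5432 are all constructed.

```python
# Added example (not from the original article): one signature engine run as
# an IDS (alert only, traffic passes) and as an IPS (alert and drop). The
# flow records and the signature pattern are constructed for illustration.
import ipaddress
from dataclasses import dataclass

DMZ = ipaddress.ip_network("192.0.2.0/24")        # constructed DMZ range
INTERNAL = ipaddress.ip_network("10.0.0.0/16")    # constructed core range
DMZ_TO_CORE_OK = {("10.0.5.20", 5432)}            # only backend the DMZ API may use
# Constructed byte pattern standing in for a real indicator in a vendor rule set.
CONTENT_SIGS = {"constructed-beacon": b"X-Example-Beacon:"}

@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes = b""

def signatures(flow: Flow) -> list:
    """Return the names of every signature this flow matches."""
    hits = [n for n, pat in CONTENT_SIGS.items() if pat in flow.payload]
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    # A DMZ host opening a session into the core outside the allowed backend is
    # what a silently compromised perimeter server looks like on the wire.
    if src in DMZ and dst in INTERNAL and (flow.dst, flow.dport) not in DMZ_TO_CORE_OK:
        hits.append("dmz-to-core-unexpected")
    return hits

def inspect(flow: Flow, mode: str) -> tuple:
    """IDS mode only alerts and passes the flow; IPS mode also drops it."""
    hits = signatures(flow)
    action = "drop" if hits and mode == "ips" else "pass"
    return action, hits

def run(flows, mode: str) -> dict:
    """Count dropped flows and collect the alerts that fired."""
    verdicts = [inspect(f, mode) for f in flows]
    return {"dropped": sum(a == "drop" for a, _ in verdicts),
            "alerts": sorted(h for _, hits in verdicts for h in hits)}

# Constructed sample traffic: a normal web hit, the API's legitimate DB call,
# a beacon-like outbound request, and a DMZ host reaching an internal file share.
SAMPLE = [
    Flow("203.0.113.7", "192.0.2.10", 443, b"GET / HTTP/1.1\r\nHost: www\r\n"),
    Flow("192.0.2.10", "10.0.5.20", 5432, b"\x00\x00\x00\x08\x04\xd2\x16\x2f"),
    Flow("192.0.2.10", "203.0.113.99", 80, b"GET /c HTTP/1.1\r\nX-Example-Beacon: 1\r\n"),
    Flow("192.0.2.10", "10.0.1.10", 445),
]
```

`run(SAMPLE, "ids")` raises both alerts but drops nothing, while `run(SAMPLE, "ips")` raises the same alerts and drops the two offending flows; the detection logic is identical, only the enforcement differs.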
Do Your Employees Need Remote Access? You Need VPNs.
Virtual Private Networks (VPNs) provide remote connections for your employees. The VPN router sits in the perimeter network and forwards traffic to your core network. These connections should be heavily monitored with your firewalls, IDSes and IPSes. The connection between the remote client host and the internal core network is encrypted, which is necessary for private data passed across the Internet.
VPNs provide privacy for your users, and they are also a requirement for compliance. If your organization deals with any financial or healthcare data, you must use a VPN as a remote connection resource. In many cases, the VPN limits the IP addresses that can connect remotely to the VPN router and server.
You don't need to use the same vendor for your VPN as for the rest of your security systems. Your firewall and router configurations are much more convenient when you have the same vendor, but most VPNs are configured independently of the internal network, so there is little shared configuration between the two that a single vendor would simplify.
The Key to the Perimeter Network Is Security, Not Vendor Choice
You can choose any vendor for your perimeter infrastructure design. Many of the big vendors offer enterprise contracts for full support and easy ordering. You still need external support at some point, because vendors will only help with their own equipment and not the myriad of equipment installed on your network.
Some systems, such as firewalls and IDSes, are more convenient when they come from the same vendor. However, you can still integrate different vendors should you find that you prefer one over the other. The main components of security are your configurations, regular reviews of your systems to address risks, and frequent updates of software and firmware across all nodes.