jericho 1 – de-perimeterization and the jericho forum commandments

Hoff recently struck a banner in the ground defending the Jericho Forum’s concept of de-perimeterization (albeit not the FUD version) and their commandments (pdf). I typically respect what Hoff has to say (when I understand the topic!), so I decided to stick my nose a bit deeper into the Jericho Forum’s position and commandments while trying to keep an open mind. I might just learn something!

First in my examination is checking out their front page which explains de-perimeterization. With such a bold placement, this better be the meat of their message; the why and the what. This also turns out to be the place people create first impressions. Let’s chunk this a bit.

today the traditional “firewalled” approach to securing a network boundary is at best flawed, and at worst ineffective. Examples include:

- business demands that tunnel through perimeters or bypass them altogether
- IT products that cross the boundary, encapsulating their protocols within Web protocols
- security exploits that use e-mail and Web to get through the perimeter.

This is stating the obvious: yup, business demands tunnel through barriers, products tunnel through already-trusted protocols, and there is insecurity inside the contents of those protocols. Nothing new here for anyone who has been in IT at any time in the last 10 years. Besides, isn’t this the point of internetworks, to share through barriers?

Of course, the point of these barriers is to let certain things through and not let others through. Just because a few holes are poked doesn’t mean the barrier is useless. If I put doors with a card reader on my office to slow down the press of bodies getting to work in the morning so my guards can keep an eye out for suspicious people, should I get rid of those doors because I’m letting people through already? No.

The Jericho Forum has a point when it tackles tunneling “stuff” through the web protocols that are allowed anyway. I guess we can assume no perimeter devices will deeply inspect packets. But still, I see nothing here that truly suggests the “firewalled” approach is either ineffective or flawed, at least by today’s firewall standards.

IT IS DANGEROUS TO ASSUME THAT A SECURITY MEASURE MUST EITHER BE PERFECT OR IS OTHERWISE USELESS! That is the message I get when they call firewalls ineffective or flawed. This just means you need deeper inspection or layered defenses. It is dangerous to say we have a trend of de-perimeterization just because we allow talk between networks.

to respond to future business needs, the break-down of the traditional distinctions between “your” network and “ours” is inevitable

This is pure semantics and means nothing. It’s a literary method equivalent to taking a data set in statistics and making it paint a glass half full or glass half empty picture just by playing with the numbers. Besides, I don’t think anyone in any company *doesn’t* think about “their” network and “everything else.” There may be more “other” devices in “my” network these days, and vice versa, but so what? That’s not an argument for the disappearing perimeter, per se. It’s an argument for more defense in addition to the perimeter.

increasingly, information will flow between business organizations over shared and third-party networks, so that ultimately the only reliable security strategy is to protect the information itself, rather than the network and the rest of the IT infrastructure

This is true in a narrow scope, but again, there is still a line that can be drawn between the aforementioned “our network” and the “everything else.” This is obvious when speaking about what you own and what you don’t own. You can own the lines and cables and gear up to the demarcation for your ISP, at which point the ISP controls the rest. Has this changed and I didn’t realize it? Yes, business has to pump data over a third-party (the Internet, duh) and that information should be protected (duh). But that doesn’t imply the perimeter is disappearing. Maybe it is disappearing compared to 25 years ago when information stayed inside buildings.

This statement seems to imply that the only recourse is to protect information. This is great as long as we don’t need to ever use that information. Once we open that book that is usually locked in a safe, someone can read over our shoulder, snatch it from our hands, or spill something on it. This is not reality.

The Jericho Forum says this is the trend of de-perimeterization. No, this is a trend in needing defense in depth (depth as in layers or even depth as in deeper inspection at the perimeters). Sadly, defense in depth is a common phrase, and I think their reason for using a “new” term is entirely PR and marketing and to get noticed. Well, they have! 🙂

So let’s just assume they still have a valid point, and there is a need. I’ll buy that because I think that is true, and I really want to give them the benefit of the doubt. Next, I will take a look at their de-perimeterization solutions, also available on their front page.

jericho 1 – de-perimeterization and the jericho forum commandments
jericho 2 – the jericho forum and the de-perimeterization solution
jericho 3 – the first three commandments: the fundamentals
jericho 4 – commandments 4 – 8
jericho 5 – commandments 9-11
jericho 6 – my conclusions