Redefining the Corporate Security Perimeter
Friday, March 19th, 2010 Karen Ambrose Hickey, Editor
While visiting the 2010 RSA show, I had an opportunity to listen to Palo Alto Networks Founder and CTO Nir Zuk presenting on the next generation of Firewall appliances. In essence, what Nir was suggesting in his presentation is that “traditional” Firewalls (i.e. any non-Palo Alto Networks firewalls) can be replaced by a cable without significant implications for corporate network security. The key argument is that traditional 5-tuple Firewalls (matching on protocol, the source and destination port numbers, and the source and destination IP addresses) don’t have enough context and intelligence to protect against the most common attacks.
To illustrate his point, Nir referenced peer-to-peer applications that may open pinholes in Firewalls by using, for example, ports 80 and 443 (which are assigned by IANA to HTTP and HTTPS respectively). Since traditional Firewalls don’t have the heuristic ability to identify the specific application running on a given port (e.g. they cannot distinguish between eMule and HTTP on port 80), they cannot protect against attacks through pinholes on these ports.
And indeed, peer-to-peer applications allow participants to make a portion of their resources (including shared files) directly available to other network participants, without the need for central coordination. This exposes corporate users of popular peer-to-peer applications, such as BitTorrent, Napster, and eMule, to the risk of compromising confidential data and files on their corporate devices.
Nir’s conclusion is that in order to protect against this type of risk, the next generation Firewall must identify specific applications regardless of IP address or port number, identify the user, and understand the intent to use or abuse the application.
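The 5-tuple limitation Nir describes can be made concrete with a small model: a stateless port-based rule set next to a classifier that looks at the first bytes of the client payload rather than the port. This is an added illustration, not code from the presentation, from Palo Alto Networks or from the original post; the flows, addresses and the "non-HTTP" payload are constructed sample data (the second payload stands in for any peer-to-peer client that chose port 80 and is not a real eMule signature).

```python
"""A 5-tuple filter beside a payload-based application identifier.

Added example, not code from the presentation, Palo Alto Networks or the
original post. All flows below are constructed sample data.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    proto: str        # transport protocol, "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes    # first bytes sent by the client


@dataclass(frozen=True)
class Rule:
    proto: str
    dst_port: int
    action: str       # "allow" or "deny"


# A traditional rule: "permit outbound TCP to 80/443" says nothing about
# which application is actually speaking on that port.
FIVE_TUPLE_RULES = [Rule("tcp", 80, "allow"), Rule("tcp", 443, "allow")]


def five_tuple_decision(flow, rules=FIVE_TUPLE_RULES, default="deny"):
    """Stateless 5-tuple match: the first rule whose proto/port match wins."""
    for rule in rules:
        if rule.proto == flow.proto and rule.dst_port == flow.dst_port:
            return rule.action
    return default


# Minimal application identification from the start of the client payload.
HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")


def identify_app(payload):
    """Classify the flow by payload, not port: 'http', 'tls' or 'unknown'."""
    if HTTP_REQUEST_LINE.match(payload):
        return "http"
    # A TLS record begins with content type 0x16 (handshake), major version 3.
    if len(payload) >= 2 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"
    return "unknown"


# Which application is expected on which port; anything else is denied.
EXPECTED_APP_ON_PORT = {80: {"http"}, 443: {"tls"}}


def app_aware_decision(flow):
    """Allow only when the port rule and the identified application agree."""
    if five_tuple_decision(flow) != "allow":
        return "deny"
    app = identify_app(flow.payload)
    if app in EXPECTED_APP_ON_PORT.get(flow.dst_port, set()):
        return "allow"
    return "deny"


# Constructed sample flows: a genuine HTTP request and a non-HTTP client
# payload (stand-in for a P2P application) on the same destination port.
HTTP_FLOW = Flow("tcp", "10.0.0.5", 51000, "203.0.113.10", 80,
                 b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n")
P2P_ON_80 = Flow("tcp", "10.0.0.5", 51001, "203.0.113.11", 80,
                 b"\x01\x02constructed-p2p-handshake")

if __name__ == "__main__":
    for flow in (HTTP_FLOW, P2P_ON_80):
        print(flow.dst_port, identify_app(flow.payload),
              five_tuple_decision(flow), app_aware_decision(flow))
```

Both flows pass the 5-tuple rule identically; only the payload-based check separates them. A real next generation Firewall uses far richer signatures and keeps per-flow state, but the point the example makes is the same: the port alone carries no application identity.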
As I was listening to the problem description and the proposed solution, one question came immediately to mind. What would be the corporate perimeter that this next generation Firewall can protect? As more applications move to the cloud, the corporate perimeter is being redefined.
It is obvious that it can no longer be limited to the corporate intranet, since SaaS applications reside in the cloud, but how would you include both the cloud and the intranet in the redefined corporate security perimeter? This can be accomplished by defining the aggregate of all corporate endpoints as the new security perimeter for the enterprise. Since, under this definition, the endpoints become part of the redefined security perimeter, an access policy control mechanism such as the one offered by the Open Mobile Client (OMC) would play an important role in securing this perimeter.
So how can the OMC enforce access control policies at the redefined perimeter for applications that manage to evade traditional Firewalls? The answer is that the OMC meets the fundamental requirements of application identity, user identity and user intent awareness, similar to what is expected of the next generation Firewalls.
The OMC understands the identity of all the applications running on the mobile device, it knows the identity of the user, who needs to be authenticated before a connection is established, and it is aware of the intent of the user to launch a specific application as well as of the network connection type (corporate LAN, home or public network). It is therefore possible, for example, to use the Open Mobile ECA (Event, Condition, Action) engine to enforce policies that disable specific peer-to-peer applications when accessed from home or public networks, while allowing use of some of them when behind the corporate Firewall (yes – assuming the Firewall can indeed protect against misuse of peer-to-peer applications).
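The Event, Condition, Action pattern described above is easy to model in code. The following is an added example, an illustrative toy engine and not the Open Mobile Client's actual ECA engine or API; the event fields, policy names and the list of peer-to-peer applications are assumptions chosen to mirror the scenario in the text (P2P blocked on home and public networks, one of them allowed behind the corporate Firewall, and nothing for an unauthenticated user).

```python
"""A toy Event-Condition-Action (ECA) policy engine for an endpoint client.

Added example: an illustrative model, not the Open Mobile Client's real ECA
engine or API. Event fields, policy names and the application list are
assumptions constructed to mirror the scenario in the post.
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Event:
    kind: str            # what happened on the device, e.g. "app_launch"
    user: str
    authenticated: bool  # has this user authenticated to the client?
    app: str             # application identity as seen on the device
    network: str         # connection type: "corporate", "home" or "public"


@dataclass(frozen=True)
class Policy:
    name: str
    event_kind: str
    condition: Callable[[Event], bool]
    action: str          # "allow" or "block"


# Constructed application list: which apps count as peer-to-peer is the
# administrator's choice, not something the client infers.
P2P_APPS = {"bittorrent", "emule", "napster"}
OFFSITE = {"home", "public"}

# Policies are evaluated in order; the first whose condition holds decides.
POLICIES: List[Policy] = [
    Policy("require-authentication", "app_launch",
           lambda e: not e.authenticated, "block"),
    Policy("block-p2p-offsite", "app_launch",
           lambda e: e.app in P2P_APPS and e.network in OFFSITE, "block"),
    Policy("allow-bittorrent-on-corporate-lan", "app_launch",
           lambda e: e.app == "bittorrent" and e.network == "corporate", "allow"),
    Policy("block-remaining-p2p", "app_launch",
           lambda e: e.app in P2P_APPS, "block"),
]


def evaluate(event: Event, policies=POLICIES,
             default="allow") -> Tuple[str, str]:
    """Return (action, policy_name); fall through to `default` if none match."""
    for policy in policies:
        if policy.event_kind == event.kind and policy.condition(event):
            return policy.action, policy.name
    return default, "default"


def audit_line(event: Event) -> str:
    """One log line per decision, so enforcement is also visible to SecOps."""
    action, name = evaluate(event)
    return (f"user={event.user} app={event.app} network={event.network} "
            f"authenticated={event.authenticated} action={action} policy={name}")


if __name__ == "__main__":
    samples = [
        Event("app_launch", "alice", True, "bittorrent", "public"),
        Event("app_launch", "alice", True, "bittorrent", "corporate"),
        Event("app_launch", "alice", True, "emule", "corporate"),
        Event("app_launch", "bob", False, "browser", "home"),
        Event("app_launch", "bob", True, "browser", "home"),
    ]
    for ev in samples:
        print(audit_line(ev))
```

Ordering is the design point worth noticing: the authentication check comes first so that no later "allow" can be reached by an unauthenticated user, and the narrow corporate-LAN exception sits before the catch-all P2P block. Every decision also produces an audit line naming the policy that fired, which is what an analyst needs when reconciling client-side enforcement with what the Firewall saw.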
So as more applications move to the cloud, the enterprise perimeter is being redefined as the aggregate of all corporate endpoints. As such, the endpoints will play an increasingly important role in securing the new perimeter. Endpoint software access control tools, such as the OMP ECA engine, empower IT security professionals to accomplish this task effectively.
——
To see this in action, see our quick demos on how Mobile Control is used to develop and enforce security, cost, and compliance policies around the state and use of mobile devices and connections, and how Mobile Insight provides a deep level of reporting and analysis on usage across all networks and all devices.
Or read our Solution Brief.
Tags: Security, vpn