Decades ago, when we talked about network security, the perimeter was easily defined: it was the front door of the building or the edge of the car park. Network perimeters have been growing ever since the creation and expansion of the internet. At the start a network was a mainframe and a set of terminals, almost all of them on site. That became desktops and servers, and we are now in the cloud wave of computing. Your perimeter has been expanding along with it. To start with everything was in the building; then a few devices were outside it. Now smartphones, tablets and cloud services mean that entire systems can live outside your own building, in someone else's.
When salespeople come to your office to do a demo, the first thing they ask is whether they can use your Wi-Fi. Ideally you have a guest network on a separate broadband line, so there is a physical separation between your business systems and visiting devices. If not, at least put guests on a separate VLAN. Note that a VLAN on its own only separates broadcast domains: if the same router is the gateway for both VLANs it will forward guest traffic into the business subnet unless you also add firewall rules that block it. The point is that the boundary has become so blurred that it is hard to say where the network perimeter actually is. Some of your systems live inside someone else's business, and other businesses' devices end up inside what used to be your perimeter, your building.
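The following nftables ruleset is an added example of the guest VLAN separation described above; it is not part of the original post. It assumes a Linux router with `eth0` as the broadband (WAN) interface, VLAN 10 on `eth1.10` as the business network (10.10.0.0/24) and VLAN 20 on `eth1.20` as the guest network (10.20.0.0/24); all of those names and address ranges are assumptions for the example. Guests can reach the internet and get DHCP and DNS from the router, but nothing on the business VLAN.

```nft
#!/usr/sbin/nft -f
# Added example, not from the original post. Assumed layout:
#   eth0     = WAN (broadband line)
#   eth1.10  = business VLAN 10, 10.10.0.0/24
#   eth1.20  = guest VLAN 20,    10.20.0.0/24
# The router is the gateway for both VLANs, so without a forward filter it
# would happily route guest traffic into the business subnet.

flush ruleset

table inet guest_isolation {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections that were already allowed.
        ct state established,related accept

        # The business VLAN may be forwarded anywhere (internet included).
        iifname "eth1.10" accept

        # Guests may only be forwarded out to the internet.
        iifname "eth1.20" oifname "eth0" accept

        # Explicit drop for guest -> business, so it shows up in counters;
        # anything else from guests falls to the chain's drop policy.
        iifname "eth1.20" ip daddr 10.10.0.0/24 counter drop
    }

    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        iifname "lo" accept

        # The business VLAN may manage the router.
        iifname "eth1.10" accept

        # Guests only get DHCP and DNS from the router itself, nothing else.
        iifname "eth1.20" udp dport { 67, 53 } accept
        iifname "eth1.20" tcp dport 53 accept
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;

        # Both VLANs share the single broadband line via NAT.
        oifname "eth0" masquerade
    }
}
```

Check the syntax without loading it with `nft -c -f guest.nft`, then load it with `nft -f guest.nft`. From a device on the guest VLAN, a web page should load but `ping 10.10.0.1` (or any business address) should time out, and `nft list chain inet guest_isolation forward` should show the drop counter climbing. This isolates guests from the business network at the router only; guest devices can still see each other on the same VLAN unless the access point also enables client isolation.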
Every device you use is what we call an endpoint. Each endpoint is a potential entry point into your systems and your business. Each one needs to be secured against both internal and external threats, yet those devices may not be on your site and may not even be in the same country. When you think about network security you must assume any foreign environment is hostile, but you must also be vigilant about trusted devices. Laptops and servers on your network are trusted by the domain, yet any of them could be infected with malware, so every endpoint must be treated as a potential threat even when it is internal.
Knowing where your perimeter is and what the endpoints are is the first step in designing a network security strategy.