Network security: Overlay versus perimeter security model debated at Catalyst

So the debate is whether to use encrypted tunnels or perimeter-based controls for security -- in other words, whether it is better to place more or less emphasis on the network perimeter?

David Passmore: Eric Maiwald, Senior Analyst at Burton Group is going to talk about a traditional perimeter-based approach -- think of a castle or a fortress, with walls and moats -- segmenting users and protecting resources with traditional firewalls and VLANs and access control lists, intrusion detection devices. The other approach, which is what I'm going to argue, is against that, saying that's sort of old-world thinking. With virtualisation and de-perimeterisation, and mobility and wireless, you can't really build walls around your resources like that any more. An improved way to go in the future is to rely on encrypted tunnel VPNs, so use something like SSL or IPsec from your device -- whether it's a laptop or a desktop, even if you're sitting at your desk -- to access resources in the data center.

The beauty of that is it's independent of whatever network you're on. It's no different if you're sitting at a Starbucks or working from home or in a hotel room. Also, it means that employees use exactly the same access techniques from their desks as they would if they were connecting remotely.

We often refer to that as the overlay approach, because what you're doing is overlaying an encrypted tunnel VPN on top of whatever network you're using. You could also view that as still having a perimeter, but in that case the perimeter retreats to the data centre. It's as if you put up a wall just in front of the data centre, but you don't bother trying to secure any of your other networks because you simply run encryption on top of them.

Is this a trend, with people moving away from traditional perimeter security?

Passmore: It's still early days, but we can see it coming. It isn't going to be absolutely correct for everybody, but it's kind of a new way of thinking about network security; it's also contrary to the old approach and also to what many of the vendors are trying to sell, which is more perimeter-based stuff -- if you go back to Cisco's self-defending network and talking about NAC, which basically says I'm not even going to let you set foot in my network until I've been able to check your configuration. We're saying that's the wrong approach because all that does is complicate the hell out of your network. It adds unnecessary complexity. Instead, don't put that stuff in your network. Keep your network dumb; keep it lean and mean; keep it simple.

And then you run encryption from your machine all the way to the data centre -- and if you have a perimeter, put it there.

Is virtualisation what's driving this trend?

Passmore: It's one of the enablers, and another trend that's very closely related is data centre consolidation. If we look at many large enterprises in the past, they had their servers and databases and the like distributed all around the enterprise. The whole idea originally was to have the data and applications close to where the users were because you needed to conserve on network bandwidth.

Now the idea with data centre consolidation is to move all of your data, resources and applications to a small number of large data centres that can be more easily defended. While you'll waste money on bandwidth because you've got to back haul all this traffic a lot further across your network, you still achieve overall savings on people costs and computing costs because you consolidate onto a smaller number of servers. That's where virtualisation comes in, because you can basically pool all of your resources in the data centre and run whatever applications you need at any given time.

Is it possible to choose a hybrid approach?

Passmore: I want to emphasise that these are two contrasting viewpoints we'll be presenting at the conference, the perimeter model versus the overlay model. We're going to try and argue extremes, just to make the point. Many enterprises may need a combination of the two. There are definitely hybrid approaches that many large enterprises should employ. We're just trying to make the point that there's this new way of thinking based on the overlay model to the perimeter model that enterprises may not have considered in the past and now they seriously need to consider.

Does this take the job of securing the network away from the security team and place it on the network team, or vice versa?

Passmore: The security people are going to be involved no matter what you do. If you remove security from the network, then the networking people don't have to worry about it as much. It's instead something that's implemented in the desktops and the servers.

So the networking people are then mostly just worried about things like VPN appliances in the data centre. They don't have to worry as much about access control lists in the routers and setting up VLANs and building self-defending networks any more -- the network stays simpler. It actually makes their job easier by consolidating resources into the data center.

What are the main ways companies are doing overlay-based security today?

Passmore: Many companies are already doing it for remote access. They're already making use of SSL or IPsec VPNs based on encryption. What's new is the idea of using the same technique for when you're actually in your office. So even when you're sitting at your desk, you would use this technique. Once you do that, the enterprise doesn't have to worry as much about locking down their networks.

Another aspect of this is that many enterprises don't own or control their own networks any more. A lot of people now are using shared, tenant facilities for their employees, where the enterprise doesn't even own the network, so they can't put security controls into the network and they have to use the overlay model.

How are companies currently ensuring network security for employees logging on from within the building if they're not on the VPN?

Passmore: They may do things like password controls to get to their servers, but generally right now the idea is that if you're sitting at your desk inside the enterprise, you're inside of a perimeter. Because you're sitting behind a firewall, you're generally considered to be safe. But increasingly, that's not true because of all the mobility, where employees are taking laptops home every night or taking them out on the road and then back to the office, or using PDAs. The perimeter is starting to disappear.

What challenges does the overlay model bring for network staff?

Passmore: One of the issues of the overlay model is that you're going to find yourself with hundreds or thousands of simultaneous VPNs. There are some scalability issues of trying to manage that, including things like encryption key management.

That sounds like a lot of trouble -- what options exist for easing those challenges?

Passmore: There are some products and utilities out there.... You may also find that you have to deploy multiple VPN appliances at the data centre to handle the load. You may have to do that anyway, just to ensure high availability.

On the flip side, if you're implementing perimeter security, the problem is that every time somebody deploys a new application, you have to change all the rules in your firewalls and intrusion detection devices. You're constantly having to change configurations in your security devices. Often, that means that the enterprise isn't very flexible -- and it can frustrate users because they can't do something new on the network without waiting for the networking people to get around to changing the configuration. We all know how long that can be; most networking people are already stressed to the breaking point and overburdened. Arguments can be made both ways.

How does the overlay model compare for end user friendliness?

Passmore: The beauty of the overlay model is that employees use the same VPN regardless of where they are. It's not like they have to learn something new when they're remote versus when operating locally from their desk. That's an advantage because single configuration is independent of what network they're using. The downside is that employees may find they have to use the VPN more often, requiring an additional logon, depending how the system is set up. It may require the IT department to install additional software in their machines -- but a lot of that is happening even with the perimeter approach. NAC also requires new software and configuration to check the health of your machine before you're allowed to connect to the network.

Endpoint (overlay) security versus network-based (perimeter) security

Illustration courtesy of Burton Group