Appgate Network Security's proposal for network security won the Jericho Forum challenge at last month's Black Hat conference in Las Vegas.
Jericho Forum, whose members include chief information security officers at global businesses, had set a challenge to the IT industry to provide security technology to support the level of openness required in modern businesses.
The main focus of Jericho Forum members is to push forward the idea of deperimeterisation, which proposes the removal of a hardened network security perimeter.
The winners, Tomas Olovsson and Jamie Bodley-Scott of Appgate, presented a paper titled "Balancing the equation: Enterprises moving to the deperimeterised world need to adopt a 'core' mentality based on controlled access to systems". In it they recommended users switch from a central firewall complex to a set of centrally controlled distributed firewalls.
In Appgate's proposal, the central firewall is replaced by a set of distributed firewalls that are installed on all clients and servers. Appgate recommended that these firewalls be centrally controlled and configured dynamically to allow or deny traffic on the network.
The paper also advised IT managers to ensure that applications and application servers are invisible to unauthorised users. The authors said this was an important first step and would also increase internal security.
Under the system, authentication and authorisation requests are handled through a central Kerberos server. The system is also able to specify whether encryption for confidentiality and/or integrity should be demanded before granting access to data or documents.
Olovsson and Bodley-Scott said user authentication and authorisation should be supported on a large number of devices, from desktop systems to handheld devices and mobile phones.
They said a generic client in Java should be used. In order to support large deployments, the proposed system would need to handle not only new applications but also integrate with older and legacy applications.
According to Olovsson and Bodley-Scott, since protection is deployed in the end-points (i.e., the clients and servers on the network), very close to the applications, it is possible to have very detailed knowledge of events, and the centrally collected logs can be very accurate, further boosting security.
Key points for implementing deperimeterisation
- Authorise users through a Kerberos server which issues a "ticket" to a user to enable access to an application
- Check user credentials using Lightweight Directory Access Protocol
- Load digital certificates on end-user devices or implement a one-time-password system via a phone SIM card
- Intercept IP traffic using a Virtual Ethernet driver
- Run Java-based client software that supports SSH tunnelling
- Encrypt application network traffic using the Secure Sockets Layer protocol
- Use front-end servers to facilitate communications between new systems and legacy IT
- Protect each application server with firewalls
- Install personal firewalls to provide access to workstations only if users have a valid Kerberos ticket.
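To illustrate the endpoint-side decision implied by the last two points, here is an added example (not Appgate's code) of how a centrally controlled personal firewall might decide whether to open a local port: it consults the pushed central policy for the application, checks the user's Kerberos-style service ticket, and refuses access until the protection level the policy demands (confidentiality and/or integrity) has been negotiated. All names, fields and sample data are constructed for the example.

```python
"""Endpoint policy check for a centrally controlled distributed firewall.

Hypothetical agent logic: deny by default so unauthorised users never see the
application, allow only with a valid ticket for that service, and insist on
the confidentiality/integrity protection the central policy requires.
"""
from dataclasses import dataclass

# Reference time for the sample data (epoch seconds, constructed).
NOW = 1_700_000_000


@dataclass(frozen=True)
class Ticket:
    principal: str   # authenticated user named in the ticket
    service: str     # application the ticket was issued for
    expires: int     # expiry as epoch seconds


@dataclass(frozen=True)
class AppPolicy:
    service: str
    allowed_principals: frozenset
    require_confidentiality: bool = False
    require_integrity: bool = False


# Central policy table as it would be pushed to every endpoint (constructed).
CENTRAL_POLICY = {
    "hr-app": AppPolicy("hr-app", frozenset({"alice@CORP"}), True, True),
    "wiki": AppPolicy("wiki", frozenset({"alice@CORP", "bob@CORP"}), False, True),
}


def decide(policy, ticket, confidentiality, integrity, now):
    """Return (allow, reason). Anything not explicitly permitted is denied."""
    app = policy.get(ticket.service)
    if app is None:
        return False, "no central policy for service"
    if ticket.expires <= now:
        return False, "ticket expired"
    if ticket.principal not in app.allowed_principals:
        return False, "principal not authorised for service"
    if app.require_confidentiality and not confidentiality:
        return False, "confidentiality required but not negotiated"
    if app.require_integrity and not integrity:
        return False, "integrity required but not negotiated"
    return True, "allow"
```

Because the policy table is the only input the endpoint trusts, changing it centrally changes the behaviour of every distributed firewall without touching the hosts themselves.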