For a long time, the focus in the security world has been on the network perimeter.  Firewalls (of all kinds; it's a very broad term now) and VPNs (that's a very broad term now, too) are big business.  And they should be.  The network perimeter is important.  But not nearly as important as it used to be.

Things have changed a lot.  Think back 10 years.  There were no USB drives.  No Smart Phones.  No cellular network Internet access.  No media players that can also work as USB hard drives.  Very little laptop usage.  Very little CD/DVD burning.  No UMPCs (I have a Samsung Q1, and don't know how I ever lived without it and the Smart Phone that gives it Internet access just about anywhere.)  What that means is that 10 years ago, very little data went in and out of your network unless it went through your network perimeter.  If you controlled your perimeter, you controlled almost everything that went in and out of your network.

But that isn't the case anymore.  Too much now goes around your network perimeter, instead of through it.  See the examples I just gave in the previous paragraph.  The network perimeter no longer catches everything.  It can't, because it doesn't even see it.  Things can make it onto your network now through the front door, instead of through your firewall/VPN.  Even once inside, internal perimeters are of limited help, because people carry things between areas of your network.  Someone can carry an infected laptop from one building to another for a meeting.  I do it all the time.  (The laptop, I mean; not an infected laptop.)

There's another way to look at this, too.  It's the same idea, seen from a slightly different angle.  One of the purposes of the network perimeter is to protect the client machines on your network.  That was fine back in the day when the client machines were big heavy desktops that never left the protection of the perimeter.  But now, laptop usage is very common, and becoming even more so.  You can't count on the perimeter to protect machines if those machines are being taken outside of the perimeter.

I had a conversation recently about this, and someone said to me that the perimeter is needed to protect against zero-day exploits.  The idea being that you can configure your firewall/VPN (often the same thing nowadays) to stop them.  My response was "And how are you going to protect those machines when they are taken out of the office and put on a network somewhere else?"

So what's the solution?  The solution is that we have to protect the machines themselves, and not rely so much on the network perimeter to do it for them.  We have to do something with these computers so that when they are taken out to another network, they are every bit as secure as they are on our own network.  No matter what network a machine is put on, it needs to be able to do the job of protecting itself.  We can't accept that a machine is going to be less secure on some other network than it will be on our own network.

You may be thinking...so what's the perimeter for?  The perimeter is for situations in which no sort of computer or software can be physically carried from one place to another.  Data centers don't even count here, because there may be DVDs and USB drives periodically put into servers to transmit data or install software.

I'm not saying to do away with the perimeter altogether.  What I'm saying is that we need to change our focus, and put more into protecting the hosts themselves.  There are some things for the perimeter to do, even in such a host-protected world.  But it isn't nearly the scope of what it does today.  Those details will be discussed some time later.

A great example of where the perimeter does a stellar job is the business partner access scenario: a scenario where those business partners never bring anything onto your network.  But I'm going to write about that at another time.

There are too many ways around the network perimeter today.  We must address this by making the client machines themselves more secure.  And they must maintain the same level of security, regardless of what network they are placed on.