Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

5/29/2013
12:53 PM
Tim Rohrbaugh
Tim Rohrbaugh
Commentary
50%
50%

Fact Check: Endpoints Are The New Perimeter

Have endpoints been a perimeter and, if so, what should you do?

Some security professionals are stating that "endpoints are the new perimeter." If true, this statement is of manifold complexity and importance -- from a security design, control, and analysis perspective.

Are endpoints the "new" perimeter? "New" was probably used for emphasis (not meant literally) because actually nothing has changed recently to command the use of this adjective. "New" because someone just noticed this? Maybe, but I suspect that many others noticed this long ago, too.

When did the endpoints start acting as "perimeter" devices, then? Well, let's cover what is meant by "perimeter" first. With respect to context, the term is used in information security vernacular to denote a device connected to the Internet (or unknown external systems) with limited filtering or controls between. This "perimeter" device is then understood to be a gate or wall that separates the internal trusted devices from the -– bad -- scary world of the unknown. Depending on your point of view, this virtual land of baddies is comprised of Chinese (replace with any foreign country du jour that wants your stuff), cybermilitary, foreign, and domestic fraudsters, law bending competitors, malicious activists, foreign spy agencies ... so, when did the endpoint become a perimeter? Long ago, my concerned friend.

Specifically, endpoints became perimeters when a young, enterprising developer decided to use a standard application layer protocol for a purpose it was not specified for -- called overloading, e.g. in 1996 when Mudge created NetCat (I know Hobbit is listed as the author today ...) or, in more recent history, when HTTP was used to support remote desktop control, or the thousands of other examples that are right on the tip of your tongue. The problem was that all this time, stateful perimeter devices passed protocols and ports connections directly to endpoints without requiring only specified functionality. Without these, so-called perimeter devices being application-aware, any device that could request DNS resolution (for instance) from the outside network could be remotely controlled, if software (yes, malicious in this case) was aware of the application protocol's non-standard implementation -- this is one backup way that BOTS are controlled today.

So the war has been going on for a very long time under many other labels. In essence, when stateful firewalls won out over application firewalls, the doors opened for software developers to figure out how to get unexpected functionality to work through standard stateful firewalls. Originally you had to run specialized software on the endpoints to take advantage of this unexpected functionality, but shortly thereafter that was not the case, as it was considered embedded functionality. Those "trusted" endpoints on your network are actually connected to the outside, directly, in many cases. And more importantly, you have general staff who are maintaining your perimeter controls.

Would you allow a general business user to manage your firewalls? Of course not, but you are, in essence. As expected, security pros complain about employees being the weakest link. That's because, in many cases, we have general employees a mouse click away from allowing external access to your network. That's a lot of pressure for people who do not see risk and consequence (and the need for control) in the same way that you do, as a security professional.

What can you do about this?

• Use application-aware boundary devices for filtering traffic.

• Re-evaluate your network designs by creating trust zones with application-aware boundaries around your endpoints (workstations, support servers, development/test systems, etc.).

• Use sandboxing technologies on the endpoints to limit access to the real desktop environment.

• Limit entitlements or users and/or applications on the endpoint that can establish external connections.

• Change the way you analyze internal traffic, based on behavior of the endpoint, to factor in that the device is guilty (a threat) until proved innocent (trusted).

Tim Rohrbaugh VP Information Security, Intersections Inc. Tim Rohrbaugh is an information security practitioner who used military (comsec) experience to transition, in the mid 90's, to supporting Government Information Assurance (IA) projects. While splitting time between penetration testing and teaching at DISA, Mr. Rohrbaugh ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-31414
PUBLISHED: 2021-04-16
The unofficial vscode-rpm-spec extension before 0.3.2 for Visual Studio Code allows remote code execution via a crafted workspace configuration.
CVE-2021-26073
PUBLISHED: 2021-04-16
Broken Authentication in Atlassian Connect Express (ACE) from version 3.0.2 before version 6.6.0: Atlassian Connect Express is a Node.js package for building Atlassian Connect apps. Authentication between Atlassian products and the Atlassian Connect Express app occurs with a server-to-server JWT or ...
CVE-2021-26074
PUBLISHED: 2021-04-16
Broken Authentication in Atlassian Connect Spring Boot (ACSB) from version 1.1.0 before version 2.1.3: Atlassian Connect Spring Boot is a Java Spring Boot package for building Atlassian Connect apps. Authentication between Atlassian products and the Atlassian Connect Spring Boot app occurs with a se...
CVE-2018-19942
PUBLISHED: 2021-04-16
A cross-site scripting (XSS) vulnerability has been reported to affect earlier versions of File Station. If exploited, this vulnerability allows remote attackers to inject malicious code. We have already fixed this vulnerability in the following versions: QTS 4.5.2.1566 build 20210202 (and later) QT...
CVE-2021-27691
PUBLISHED: 2021-04-16
Command Injection in Tenda G0 routers with firmware versions v15.11.0.6(9039)_CN and v15.11.0.5(5876)_CN , and Tenda G1 and G3 routers with firmware versions v15.11.0.17(9502)_CN or v15.11.0.16(9024)_CN allows remote attackers to execute arbitrary OS commands via a crafted action/setDebugCfg request...