Twice in recent weeks, I've been onsite at a company where a sizable division of the organization has been hit by a fast-roving computer worm. All that prevented the worm from quickly spreading across the enterprise was the company's isolated security zones. These scenarios served only to strengthen my belief that establishing isolated security zones is among the few strategies that reap a return on the investment of planning, resources, and money.
In one of the instances, a foreign subsidiary of the company I was visiting had been infected with the Conficker worm. Nearly every computer at the particular location was compromised. Outside the location, however, only eight additional machines were infected.
At the other company, I discovered that the vast majority of the network traffic was malicious. If you're looking for malware to experiment with, this place was your dream. Still, even within the same VLAN segment, no one was infected. Even though the company had hundreds of bug-spewing workstations, none of them could talk to anyone else or even each other. While the network was the dirtiest I've ever come across, 99 percent of its production systems remained unaffected.
Isolating security zones (known as Server and Domain Isolation at Microsoft) isn't a new concept by any measurement. Firewalls and the traditional three-legged design (Internet, DMZ, and intranet) have been around since at least the late 1980s, and I bet some readers could remember earlier instances.
Although not yet completely abandoned, the traditional firewall segmentation concept is quickly becoming an old way of thinking about network security. Most of these traditional boundaries have so many ingress exceptions -- VPNs, wireless networks, trusted partners, home users, open management ports -- that it's hard to say which is the rule: the firewall ACL or the exceptions.
More and more, companies are beginning to think of their networks as permeable. They assume their bastion network boundary is compromised and that the intruder is already inside -- because it's often true. But this doesn't mean that you should give up on the idea of security boundaries. Quite the opposite -- you should take the staid model of an N-legged firewall and extend it to your workstations.
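What "extending the firewall to your workstations" looks like in practice on a Windows host, as an added example that is not part of the original column: the built-in Windows Defender Firewall is set to deny all unsolicited inbound traffic, peer workstations are explicitly blocked, and only a small management range is let back in. The address ranges, rule names, and port list are assumptions for illustration, not values from the article.

```powershell
# Added example (not from the original column): host-based isolation of a
# Windows workstation with the Windows Defender Firewall cmdlets.
# Assumptions (hypothetical, adjust to your environment):
#   $Workstations - address range that holds ordinary user PCs (this host included)
#   $Management   - jump hosts / patch servers that are allowed to reach workstations
$Workstations = '10.10.0.0/16'
$Management   = '10.200.1.0/24'

# 1. Default deny inbound on every profile. Outbound stays open so the user can
#    still reach servers and the Internet; only unsolicited inbound is cut off.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -DefaultInboundAction Block -DefaultOutboundAction Allow -Enabled True

# 2. Turn off the stock allow rules that a worm typically rides in on (SMB, RPC).
#    With the default set to Block, a disabled allow rule means the port is closed.
Disable-NetFirewallRule -DisplayGroup 'File and Printer Sharing'
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# 3. Explicitly block inbound traffic from other workstations. In Windows Firewall
#    a Block rule always wins over an Allow rule, so this holds even if someone
#    later adds a broad allow rule for a user application.
New-NetFirewallRule -DisplayName 'Isolation - block peer workstations' `
    -Direction Inbound -RemoteAddress $Workstations -Action Block -Profile Any

# 4. Let the management range back in, and only on the ports it actually needs
#    (SMB for patching, RDP, WinRM). Everything else from anywhere stays blocked.
New-NetFirewallRule -DisplayName 'Isolation - allow management hosts' `
    -Direction Inbound -RemoteAddress $Management -Protocol TCP `
    -LocalPort 445,3389,5985 -Action Allow -Profile Domain

# 5. Verify the resulting policy before rolling it out by GPO.
Get-NetFirewallProfile | Select-Object Name,Enabled,DefaultInboundAction
Get-NetFirewallRule -DisplayName 'Isolation - *' |
    Format-Table DisplayName,Enabled,Direction,Action -AutoSize
```

Run it elevated on one test workstation first, then push the same rules through Group Policy. The rules above key on IP ranges, which is the simplest form of isolation and is enough to stop a worm that is scanning the local subnet; Microsoft's full Server and Domain Isolation goes a step further by adding `-Authentication Required` to the allow rules so that the exemption for management hosts rides on IPsec machine authentication rather than on an address that DHCP or a spoofing attacker can change.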