Many organizations are struggling with how to get control over Web 2.0 security and network concerns. There is a great new term I heard recently that has been used to describe this struggle: re-perimeterization (or de-perimeterization). Unfortunately, I haven’t been able to find the etymology of these terms…aka the geek history of the term, but I think this is close.
While on the SharePoint Product Team, I was charged with understanding how DMZs and perimeter networks were designed. After weeks of research and discussion with professionals in the field, I found that there were no standard deployment architectures. There were basic approaches like a tri-legged network and the like, but that is where the science ended and the art began.
The basic principle of defense in depth was the main component of network security: restricting ports and permissions.
As you will read in the article referenced below, this kind of defense in depth is not enough to keep up with the evolving threat of Web 2.0 and an app-centric world.
Why is this important to anyone who architects SharePoint?
Well, after a 30-minute or so conversation, many customers start to understand that they need a more modern approach: app-aware perimeter appliances and servers, especially to protect mission-critical applications like SharePoint. As you will read in the articles linked throughout this posting, this issue is not specific to SharePoint; it applies to all Web 2.0 tools.
What architecture do I recommend?
Generally, I propose an architecture that leaves their defense-in-depth infrastructure in place and simply augments that security with Microsoft ISA, IAG, and/or UAG. These are industry-leading, low-cost servers with integrated application-aware filtering and logic for SharePoint, Exchange, Unified Communications and other Web 2.0 supporting technologies.
The great benefit of these application-aware gateways is that Federal agencies can also solve other issues like CAC, HSPD-12, and smart card logon through an approach called Kerberos Constrained Delegation (KCD), which automatically maps two-factor smart card logons to AD user accounts.
Thus, in the end, you can “kill two birds with one stone” (re-perimeterization and HSPD-12) with Microsoft ISA, IAG, and/or UAG. That is why I think they “rock.” ;)
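To show what the KCD piece of this architecture looks like on the directory side, here is an added PowerShell example (my own illustration, not configuration from the post or from the ISA/IAG/UAG products): it lets a gateway that authenticated a user by smart card obtain a Kerberos ticket to SharePoint on that user’s behalf, constrains the delegation to that one service, and then checks the result. The gateway account name, the SharePoint SPN, and the domain are hypothetical placeholders, and it assumes the SPN is already registered for the SharePoint web front end.

```powershell
# Added example (not from the original post). Configures Kerberos Constrained
# Delegation with protocol transition for a perimeter gateway and limits the
# delegation to the SharePoint SPN only. Names below are hypothetical placeholders.
Import-Module ActiveDirectory

$GatewayAccount = 'GW-UAG01$'                       # gateway computer account (hypothetical)
$SharePointSpn  = 'HTTP/sharepoint.corp.example'    # SharePoint web front end SPN (hypothetical)

# 1. Protocol transition: with smart card logon the gateway never holds a user
#    password, so it must be trusted to use S4U2Self/S4U2Proxy on the user's behalf.
Set-ADAccountControl -Identity $GatewayAccount -TrustedToAuthForDelegation $true

# 2. Constrain delegation to the single SharePoint service, nothing else.
#    Populating msDS-AllowedToDelegateTo (rather than enabling unconstrained
#    delegation) limits what the gateway can reach if it is ever compromised.
Set-ADComputer -Identity $GatewayAccount -Add @{'msDS-AllowedToDelegateTo' = $SharePointSpn}

# 3. Verification: the account must NOT be flagged for unconstrained delegation,
#    and only the expected SPN may appear in the allowed list.
$acct = Get-ADComputer -Identity $GatewayAccount `
    -Properties TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'

if ($acct.TrustedForDelegation) {
    Write-Warning "$GatewayAccount has unconstrained delegation enabled; remove it."
}
if (-not $acct.TrustedToAuthForDelegation) {
    Write-Warning "$GatewayAccount lacks protocol transition; smart card users will not get tickets."
}
$unexpected = $acct.'msDS-AllowedToDelegateTo' | Where-Object { $_ -ne $SharePointSpn }
if ($unexpected) {
    Write-Warning "Delegation targets beyond SharePoint found: $($unexpected -join ', ')"
}
```

The same verification block is worth running periodically on every gateway account, since a delegation list that quietly grows beyond the intended service is the usual way this design loses its least-privilege property.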
Re-perimeterization: Regaining app-centric visibility and control – http://www.networkworld.com/news/tech/2009/040609-tech-update.html
Death of the DMZ – http://blogs.technet.com/rhalbheer/archive/2008/04/01/the-death-of-the-dmz-the-death-of-the-castle.aspx
Directly connect to your corpnet with IPsec and IPv6 – http://blogs.technet.com/steriley/archive/2008/06/25/directly-connect-to-your-corpnet-with-ipsec-and-ipv6.aspx
Definition – http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci1022899,00.html
· http://www.microsoft.com/technet/community/columns/secmgmt/sm0907.mspx
· http://www.microsoft.com/technet/community/columns/sectip/st0907.mspx