Gartner Blog Network

The Perimeter Persists Because Infrastructure is Never Good at Protecting Infrastructure

by John Pescatore  |  July 14, 2011  |  Submit a Comment

Much the opposite of Generalissimo Francisco Franco, the perimeter is nowhere near dead. Mainly because it makes good business sense, even if it does not make for good PhD theses.

Years ago the laptop was supposed to mean the perimeter was dead. Nope, we put a piece of the perimeter (firewall) on the laptop, required it to connect at the perimeter (VPN gateway) and often checked it when it came back to the network (Network Access Control.)

Then, when Microsoft came out with Vista and Server Domain Isolation, the perimeter was going away because PCs and servers would just run IPSec to each other and there would be no need for a perimeter.  Nope, but Vista really didn’t happen either.

But Windows 7 did happen, and the perimeter was supposed to go away when Microsoft renamed SADI Direct Access and PCs and servers would just run IPSec to each other and there would be no need for a perimeter. Nope, turns out that Microsoft added a Direct Access server at the perimeter, saying:

Because DirectAccess servers provide intranet connectivity to DirectAccess clients on the Internet, DirectAccess servers are installed in your perimeter network, typically between your Internet-facing firewall and your intranet.”

Now with cloud, the perimeter is supposed to be extinct again. Nope, turns out businesses are using cloud-based security as a service to inject perimeter security policy between their use of the cloud and threats and between their data in the cloud and users, or just integrating cloud services into the perimeter based SOA governance/security approaches.

Businesses don’t send paychecks to the customers or business partners, and don’t send products to their employees. There is an inside and an outside, and always will be. In physical security we found that locks on doors and safes and vaults were required to protect the physical infrastructure from attacks. Theoretically we could make jewelry and cash and flat screen TVs and prescription drugs theft-proof but the cost of doing do, and the interruption of business, has proven it would be a bad business decision.

The equivalent in the information world is trusting PCs and servers and data protect themselves. I can tell you the exact day you will know that will make business sense: the second Tuesday of the month after they publish a table of material strengths for software. On that day there should be no more software vulnerabilities to worry about in all those endpoints.

Of course, the it is very likely that the sun will go out before we get to that day…

Additional Resources

View Free, Relevant Gartner Research

Gartner's research helps you cut through the complexity and deliver the knowledge you need to make the right decisions quickly, and with confidence.

Read Free Gartner Research


John Pescatore
VP Distinguished Analyst
11 years at Gartner
32 years IT industry

John Pescatore is a vice president and research fellow in Gartner Research. Mr. Pescatore has 32 years of experience in computer, network and information security. Prior to joining Gartner, Mr. Pescatore was senior consultant for Entrust Technologies and Trusted Information Systems… Read Full Bio

Leave a Reply

Your email address will not be published. Required fields are marked *

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.