he traditional approach to network security engineering has been to try

to erect preventative measures—firewalls—to protect the

infrastructure from intrusion. The firewall acts like a filter, catching
anything that seems suspicious and keeping everything behind it as
sterile as possible. However, though firewalls are good, they typically
don’t do much in the way of identifying compromised applications that
use network resources. And with the speed of evolution seen in the
area of penetration tools, an approach designed simply to prevent
attacks will be less and less effective.
Today’s computing environment is no longer confined to the office, as
it used to be. Though there are still fixed systems inside the firewall,
ever more sophisticated remote and mobile devices are making their
way into the workforce. This influx of mobile computing has expanded
the traditional boundaries of the network to farther and farther reaches
and requires a different way of thinking about network security
requirements.
Your network’s endpoint or perimeter is mutating—expanding beyond
its historical boundaries. Until recently, that endpoint was the user,
either a desktop system or laptop, and it was relatively easy to secure
those devices. To use a metaphor: The difference between endpoints
of early network design and those of today is like the difference
between the battles of World War II and the current war on terror. In
the World War II battles there were very clearly defined “front lines”—
one side controlled by the Allied powers, the other by the Axis. Today,
the war on terror has no such front lines and is fought in multiple areas
with different techniques and strategies that are customized for each
combat theater.