Companies have traditionally adopted a fortress mentality with network perimeter security to protect corporate applications and assets. But things are changing, driven by increasing threats from inside the LAN and more company laptops and mobile devices moving in and out of the network. This means that IT managers must now treat every connection on the internal network as ‘dirty’. In effect, there is no longer a trusted enterprise.

A second driver is the increasing demand for anywhere, anytime access to business resources, presenting the challenge of managing an unknown number of fixed or wireless devices as valid remote access points to the corporate network.

With perimeter-based security becoming more complex, network architects are taking a new approach to build borderless global enterprises where security is inherent rather than applied only at the interface between the internal network and the outside world. This is becoming known as deperimeterization or the inverted network.

An inverted network partitions traditional networks – where every user, system or device on the inside is assumed to have the same level of trust – into a number of smaller pieces, each sharing common trust attributes. These trust domains are protected from one another by internal firewalls and perimeter security. Typically, the multiple trust domains will contain either, application servers and data centre resources or groups of users. Users for example, may be defined geographically or by job function or relationship to the business; however, in general, they fall into two categories – the public domain and semi-trusted users. The secret is to trust no user, system or device completely and to verify any trust that you extend within and beyond a trust domain.


SSL VPNs already provide secure remote access from fixed or wireless devices on the Internet. Unlike traditional VPNs based on IPSec (Internet Protocol Security) technology, SSL or Secure Socket Layer VPNs offer clientless and client-based access from any device with an Internet connection. This includes a machine on someone else’s network, an airport or tradeshow kiosk, home PC, wireless laptop or PDA.

The machine may be a company supplied and managed desktop or laptop located on the enterprise’s local fixed or wireless network and associated with the proper trust domain. In effect, internal and external access become the same. Because SSL VPNs use existing conventional transport protocols, they can work well over all forms of network mediums such as broadband, satellite, wireless and cellular networks.

In an inverted network authentication goes beyond validating users and extends to managing risks inherent in users’ computing environments – their operating systems, browsers, applications and type of network. With access devices that may include cyber cafés, hotel computers or a friend’s home PC, threats such as Trojans, key stroke loggers, viruses and worms are greater.