Back in the good old days (that is, before the ubiquitous Internet), a firewall acting as your corporate gateway was more than enough perimeter protection. The line between your enterprise and the rest of the world was clearly drawn and you could easily define and control which traffic was allowed in and out of your network.
But in today's distributed environment, that perimeter no longer exists. Few organizations can now delineate where their corporate networks start and stop, so the ability to protect corporate assets has become a critical task that requires rethinking the traditional security architecture.
Partner access to resources such as databases and development code is one of the main reasons the network perimeter is moving farther outward. Most organizations set up site-to-site VPNs to protect the confidentiality of the data traveling over the Internet, but a VPN only protects data in transit; it says nothing about what the partner's users and hosts can reach once the tunnel is up. With a VPN established, any security weakness in your partner's network becomes a weakness on your network. So before you agree to set up site-to-site connections, be sure to perform a security assessment of your partner's network, and be wary of any partner that does not ask the same of you. If you're still not sure, create a separate partner network that holds only the shared systems, isolate it from the rest of your internal corporate infrastructure, and restrict the tunnel to that segment.
Remote access is another factor affecting perimeter growth. Dial-up access is still used in many places, and even scarier issues arise when a remote access VPN is configured. After all, how do you determine whether the system connecting to the corporate network is the company-owned laptop or an approved home system, rather than something else entirely? What about employees using Internet Connection Sharing, so that every device on their home LAN rides the tunnel? Or improperly secured home wireless networks? Some employees won't follow even basic security practices, or will rely on a consumer-grade home firewall where something stronger is warranted. That's why strong remote access policies that can be enforced and monitored are crucial, as is employee education on the risks associated with remote access connections.
The bottom line is that you probably cannot enumerate how many people and systems can reach your internal network. Yet many organizations still build network infrastructures that give users the keys to the kingdom once they get past the Internet-facing firewall. The best defense is a layered security approach, with security zones that provide granular control, defining access, authorization, and authentication requirements for different classes of information.
Security zones can be created in many different ways. Some VPN devices allow administrators to establish groups and control which resources each group can access. One of the most centralized solutions is RADIUS (Remote Authentication Dial-In User Service), which can authenticate and authorize remote access VPN users, wireless clients, and basic network logins from a single policy store, and can hand back per-group attributes such as a VLAN assignment so the user lands in the right zone.
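To make the partner-network and zoning advice above concrete, here is an added example (not from the original article) of how a Linux gateway could enforce those zones with an nftables ruleset: the partner's site-to-site tunnel reaches only two shared services on an isolated partner segment, nothing in the partner segment or tunnel is ever forwarded into the internal LAN, and remote-access VPN clients get only the handful of internal ports they need. The interface names (eth0, eth1, vpn0, wg0), the addresses, and the two shared services are all assumptions chosen for the illustration.

```nft
#!/usr/sbin/nft -f
# Added example, not the article's own configuration. Assumed gateway layout:
#   eth0 = internal corporate LAN          vpn0 = site-to-site tunnel to the partner
#   eth1 = isolated partner segment        wg0  = remote-access VPN for employees
# All addresses below are constructed for the example.
flush ruleset

define INTERNAL_NET = 10.10.0.0/16      # corporate LAN behind eth0
define PARTNER_ZONE = 10.20.0.0/24      # partner segment behind eth1 (shared systems only)
define PARTNER_SRC  = 192.168.50.0/24   # the partner's network, as seen through vpn0
define REMOTE_POOL  = 10.30.0.0/24      # address pool handed to remote-access clients
define SHARED_DB    = 10.20.0.10        # database the partner may query
define SHARED_GIT   = 10.20.0.20        # code repository shared with the partner

table inet zones {
    chain forward {
        # Default deny between zones: anything not explicitly allowed is dropped.
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Partner zone: the tunnel may reach only the two shared services, only on their ports.
        iifname "vpn0" ip saddr $PARTNER_SRC ip daddr $SHARED_DB  tcp dport 5432 accept
        iifname "vpn0" ip saddr $PARTNER_SRC ip daddr $SHARED_GIT tcp dport 22   accept

        # Neither the tunnel nor a compromised shared host can pivot into the internal LAN.
        iifname { "vpn0", "eth1" } oifname "eth0" log prefix "partner-to-internal: " drop

        # Internal staff may manage the shared systems in the partner segment.
        iifname "eth0" ip saddr $INTERNAL_NET oifname "eth1" ip daddr $PARTNER_ZONE accept

        # Remote-access VPN: least privilege, not the keys to the kingdom.
        # Only the services remote users actually need (example set: HTTPS and RDP).
        iifname "wg0" ip saddr $REMOTE_POOL ip daddr $INTERNAL_NET tcp dport { 443, 3389 } accept

        # Everything else crossing a zone boundary is logged before the policy drops it.
        log prefix "zone-default-drop: " drop
    }
}
```

Check the syntax without loading it using `nft -c -f zones.nft`, then load it with `nft -f zones.nft`. Two caveats a practitioner will want: this chain governs only forwarded traffic, so the gateway's own input chain and the host firewalls on the shared database and repository still need their own rules, and the log prefixes are only useful if something is actually watching the kernel log for them.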
Employee access shouldn't be an all-or-nothing proposition. Instead, access should follow one of the basic security tenets -- the principle of least privilege -- and only allow access to the systems employees need to use. It's always best to step carefully when you're in uncertain territory.