Perimeter Network Services Guidelines

Three important principles motivate the guidelines for services to include, and services not to include, in a perimeter network.

  1. No application logic should be required to run a perimeter network service,
  2. No authentication or authorization services may be deploued in a perimeter network,
  3. More secure servers connect to less secure servers.

Example Perimeter Network Services

Public Services: DNS

  • Hidden masters would continue to reside on an internal network,
    • Hold the DNSSEC signing keys,
    • Distribute only the signed zones.
  • Hidden masters notify (configured) secondary masters,
  • Notified servers pull from hidden masters,
  • Secondary masters would be individually reachable for individual hidden masters,
  • Hidden masters would be individually reachable for individual secondary masters,
  • External AnyCast services may need to be notified,
  • External AnyCast services may need to be able to connect to individual secondary masters for the transfer.


  • Split off in to appendix and create diagram.
  • Describe zone signing keys and key siging key.
  • Puppet module.

Web Services

A variety of web services are eligible to be fronted in a perimeter network, such that OWASSP mod_security rules and ClamAV anti-virus can be applied as early as possible, as well as caching can happen as far out as possible.

Explain more about what to do, and what not do do, on perimeter network web services.


A service such as OpenVPN can ensure a remote client connects to service end-points more securely, and more reliably.

The creation of such a VPN connection does not incur a penalty on the safety of the internal networks, however, so long as the service end-point resides in a perimeter network segment that is allowed limited visibility on and limited access to internal networks and service endpoints. Refer to the use of the internal firewalls for more information.


Rant on DNSSEC support on most CEs / in other environments. Rant on MiM attack vectors such as transparent proxies.

digraph { splines = true; overlab = prism; edge [color=gray50, fontname=Calibri, fontsize=11]; node [style=filled, shape=record, fontname=Calibri, fontsize=11]; subgraph cluster_ce { label = "CE"; "Outer Perimeter Firewalls"; } subgraph cluster_dmz { label = "Perimeter Networks"; subgraph cluster_dmz_openvpn { label = "OpenVPN"; "OpenVPN Server 1..n"; } subgraph cluster_dmz_other { label = "Other 1..n"; ""; } } "Client" -> "Internet" -> "Outer Perimeter Firewalls" -> "OpenVPN Server 1..n"; }