THE FOUNDRY.

Malcolm Heath


Malcolm is an expert systems administrator with over a decade of experience in systems and network design, information security, and building scalable, comprehensive systems. He has a proven track record of developing solutions to fit any size of environment, from small offices to Fortune 50 corporations, often on tight budgets and schedules.

The disappearing perimeter

Much of the way we conceive of network design comes out of earlier models of computing, and as such isn't necessarily applicable to modern situations.  Primary among these conceptions is that our networks have a "perimeter", a logical dividing line between what is "inside" our network and what is "outside".  More and more, drawing such a line does not match the reality of network access, which has significant ramifications for network design and security.

Many years ago, networks were in fact isolated from the rest of the world.  You had to be in the office to connect to them, or perhaps even at a hard-wired terminal attached to a mainframe.

With the advent of LAN technology, but without any sort of mobile computing, this situation didn't change much.  However, once the Internet became part of our designs, we attached what had been an isolated network to the much larger network of networks that is the Internet.  This rather rapidly required a way to distinguish inside from outside, trusted from untrusted, and thus the concept of a perimeter was born.

Firewalls and routers were used to draw this line.  For a time this worked well, because computers were still things on desks: their network context didn't change during the course of their use.  Firewalls and access control lists on routers allowed traffic coming into the network from "outside" to be controlled, limited and at times blocked entirely.  DMZs, that is, subnetworks isolated from the "inside" yet also limited in their exposure to the outside, became the best practice for providing services to the Internet at large.

There were, of course, exceptions.  A modem attached to a desktop allowed a user to dial into the network from outside, making an end run around the access controls at the perimeter.  But all in all it worked well enough: we could talk about "inside" and "outside" in a sensible way.

With the advent of mobile computing, whether on laptops, cell phones or smartphones, this changed drastically.  VPNs (encrypted connections that allow machines that are "outside" to join the "inside" network) were also commonly deployed for remote access, extending the "inside" to wherever the user happened to be.

At this point a typical user might have a laptop and use it in a variety of places: at home behind a cable modem, at a cafe with wifi, and at work.  Each use exposes the machine to a different network environment, each with its own risks, and whatever happened in those environments is then carried into the work environment, behind the perimeter.  Equally difficult to manage is the increasing demand from customers to have access at work to the same resources they use outside the office: social networking, media streaming, and so on.

All of this makes perimeter-based access controls less capable of addressing the risks from Internet sources.  While still important, they are becoming much less able to actually stop attacks and data leakage from occurring.

As an example, consider a user with a laptop.  They use an Internet cafe to check email and surf the web, and manage to pick up a virus.  This is far more likely than in the constrained model where workstations are fixed at the office, since the traffic carrying the virus doesn't have to pass through layers of firewalls and antivirus scanning; only the defenses the laptop itself is configured with are relevant.

The virus, now installed on the laptop, is carried "inside" the LAN by the user and proceeds to infect machines there.  This happens quite frequently; in effect, it's as if whatever defenses have been deployed at the perimeter were not turned on at all.

And yet, because we're so used to thinking of our networks as "inside" and therefore "trusted", we often don't take the extra precautions needed to defend against this.  We often trust devices that spend a great deal of time exposed to an increasingly hostile Internet as if they had never left the office.

The solution, it seems, is to accept that this is the case and to revise our thinking about our "internal" machines as follows:

1) No client should be trusted implicitly.

2) End-point defenses (that is, things like host firewalls and antivirus) need to be deployed on all end points, clients and servers alike, even if they're on the "trusted" side of the perimeter.

3) Ultimately, we need to get rid of the idea of "inside" and "outside", because the outside is bringing itself into our networks in ways that a single perimeter simply does not address.  Treating all networks, end points and traffic as potentially hostile, and providing the means to detect and prevent attacks regardless of "where" they originate, is key.  Instead of one perimeter, we need to establish separate perimeters around critical resources, that is, the servers and data stores that hold our most precious assets, at the server or share level.
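As an added example, not taken from the original post, here is what points 2 and 3 look like in practice for a single file server: a host-based nftables ruleset that gives the server its own perimeter instead of relying on the network's edge.  The interface, address ranges and services are assumptions made for the example: workstations live in 10.10.0.0/16, administrators connect from a jump host at 10.20.0.5, and the server offers only SMB (tcp/445) and SSH (tcp/22).

```nftables
#!/usr/sbin/nft -f
# Added example: a per-server perimeter for a file server.
# Assumptions (not from the original post): workstations are in 10.10.0.0/16,
# the administrative jump host is 10.20.0.5, and only SMB and SSH are offered.

flush ruleset

table inet server_perimeter {
    set admin_hosts {
        type ipv4_addr
        elements = { 10.20.0.5 }
    }

    set workstation_nets {
        type ipv4_addr
        flags interval
        elements = { 10.10.0.0/16 }
    }

    chain input {
        # Default deny: being on the LAN earns a host nothing by itself.
        type filter hook input priority 0; policy drop;

        # Loopback, and replies to connections this server opened.
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Administration only from the jump host, wherever it sits on the network.
        ip saddr @admin_hosts tcp dport 22 accept

        # File sharing only from the workstation ranges.  A laptop plugged into
        # any other segment, infected or not, is treated like an Internet host.
        ip saddr @workstation_nets tcp dport 445 accept

        # Allow rate-limited ping so monitoring still works.
        icmp type echo-request limit rate 5/second accept

        # Everything else is logged (rate-limited) and dropped, including
        # traffic from hosts that would once have been "inside" and trusted.
        limit rate 10/minute log prefix "server_perimeter drop: "
        drop
    }
}
```

Load it with `nft -f` and watch the kernel log: every drop line is a connection that the old single-perimeter model would have allowed simply because it came from the LAN.  The address-based sets are a coarse first step; on a network that has truly given up on "inside", they would be supplemented by authenticated, per-user access controls at the share level, which is where the post's third point ultimately leads.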

Further reading on this subject may be found in the "Commandments" of the Open Group's Jericho Forum: www.opengroup.org/jericho/commandments_v1.2.pdf
