Just now, 2017 Dec, I think this needs reworking. Yet there are ideas here to be preserved. I think these ideas must be applied recursively, but that is not the style of the following text. It relates to perimeter.html.
The concept of a periphery can be stretched to refer to many security problems. There are at least two kinds of periphery: physical and logical. The following comments apply to both.
The moat metaphor initially suggests that the bad guys are outside and that they might send signals that would confuse gullible software inside the castle. Certainly there is much software inside designed to keep information and dispense it to requestors, and this software is often written as if no one would ever ask it to do anything improper. This metaphor suggests a signal exclusion strategy, rather along the lines of firewalls.
But are all the bad guys outside? The periphery is often charged with keeping programs inside from exporting sensitive data. This is a signal confinement strategy.
The most obvious and relevant interface between intranet and the outside is usually some sort of firewall. Yet I will not speak much about that here for I am not an expert in firewall strategy.
Many companies attempt to limit or prohibit digital connections between the internet and the intranet other than thru firewalls. Phone connections on some campuses are non-standard in order to limit casual connections of inside computers to the outside. This has inconvenienced many legitimate users who bring computers into the building. Ricochet modems and 802.11b have made a serious dent in this bulwark. Indeed these threaten the very model of moat security.
In IP tunneling, small trusted software viably extends a network to discontiguous sites. Tunneling software, just as firewall software, must run on a secure, invulnerable base. Perhaps IP tunneling is a better model for access to the intranet from home computers.
Firewalls seem mainly to limit the signals to certain protocols, perhaps mistaking form for content. E-mail is usually passed, perhaps under the assumption that it was created by a human who, after all, is necessarily trusted. You let e-mail thru for the same reason that you let voice phone signals in and out. Yet programs can send and receive e-mail.
Firewalls prohibit many IP protocols, such as circuits that might carry X Window signals, not on the basis of whose data they carry but more on the basis that it would be convenient for the breaker. This more often inconveniences those with legitimate external needs.
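The two strategies above (exclusion of outside signals and confinement of inside programs) and the point that a protocol filter judges form rather than content can be made concrete with a toy first-match packet filter. This is an added illustration, not code from the original notes; the rule sets, port numbers and the "origin" field are constructed assumptions, and the origin field exists only to show that the filter never consults it.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Flow:
    direction: str   # "in": outside -> intranet, "out": intranet -> outside
    proto: str       # "tcp" or "udp"
    dport: int       # destination port
    origin: str      # "human" or "program": who produced the signal (constructed;
                     # invisible to the filter, which only ever sees form)

@dataclass(frozen=True)
class Rule:
    direction: str
    proto: Optional[str]   # None = any protocol
    dport: Optional[int]   # None = any port
    action: str            # "allow" or "deny"

def matches(rule: Rule, flow: Flow) -> bool:
    """A rule matches on direction, protocol and port only; never on origin or content."""
    return (rule.direction == flow.direction
            and (rule.proto is None or rule.proto == flow.proto)
            and (rule.dport is None or rule.dport == flow.dport))

def decide(rules: list, flow: Flow) -> str:
    """First matching rule wins; default deny in both directions."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action
    return "deny"

# Exclusion only: the moat keeps outsiders out but lets anything inside leave.
EXCLUSION_ONLY = [
    Rule("in", "tcp", 25, "allow"),     # e-mail passes, as if written by a trusted human
    Rule("in", "tcp", 6000, "deny"),    # X circuits blocked because they would suit a breaker
    Rule("out", None, None, "allow"),   # no confinement at all
]

# Exclusion plus confinement: inside programs may only leave via the mail port.
WITH_CONFINEMENT = [
    Rule("in", "tcp", 25, "allow"),
    Rule("in", "tcp", 6000, "deny"),
    Rule("out", "tcp", 25, "allow"),    # everything else outbound hits default deny
]

def audit(rules: list, flows: list) -> dict:
    """Map each flow (by form only) to the filter's decision for a rule set."""
    return {(f.direction, f.proto, f.dport): decide(rules, f) for f in flows}
```

Running `audit` over constructed flows shows that a program-generated message on the mail port is passed by both rule sets exactly as a human one would be, while only the confinement rule set stops an inside program from exporting data on some other port.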