Defense in Depth. 1.A well-structured defense architecture treats security of the network like an...

Defense in Depth


Defense in Depth

1. A well-structured defense architecture treats security of the network like an onion. When you peel away the outermost layer, many remain underneath it.

2. Defense in depth helps you protect network resources even if one of the security layers is compromised. After all, no single security component can be guaranteed to withstand every attack it might need to face.

3. We operate in a real world of system misconfigurations, software bugs, disgruntled employees, and overloaded system administrators.

4. Moreover, any practical security design needs to accommodate business needs that might require us to open certain firewall ports or leave additional services running on the server, or that might prevent us from applying the latest security patch because it breaks a business-critical application.


Defense in Depth

1. Treating perimeter security components as parts of a coherent infrastructure allows us to deploy them in a way that accounts for the weaknesses and strengths of each individual component.

2. Of course, given the requirements of your organization, you might choose not to implement every component discussed here.


Components of Defense in Depth

1. The Perimeter

2. The Internal Network

3. The Human Factor


The Perimeter

When we think of network security, we most often think of the perimeter. As we mentioned earlier in this chapter, the perimeter includes any or all of the following:

1. Static packet filter

2. Stateful firewall

3. Proxy firewall

4. IDS and IPS

5. VPN device


The Internal Network

On the internal network, we could have the following "perimeter" devices:

1. Ingress and egress filtering on every router

2. Internal firewalls to segregate resources

3. IDS sensors to function as "canaries in a coal mine" and monitor the internal network

On protected systems, we can use the following:

4. Host-centric (personal) firewalls

5. Antivirus software

6. Operating system hardening

7. Configuration management

8. Audits
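The static packet filter on the perimeter and the "ingress and egress filtering on every router" listed for the internal network both come down to the same anti-spoofing decision. The following Python is an added example, not code from the slides or from any vendor's product: it models that decision for a border router and runs it over a handful of constructed packets. The prefixes (documentation ranges standing in for the organisation's public space), the bogon list and the sample packets are all assumptions made for the demo.

```python
"""Added example (not from the original slides): ingress/egress anti-spoofing
filter logic of the kind a static packet filter or border router applies.

Inbound packets that claim one of our own addresses, or a bogon address, as
their source are dropped (ingress filtering). Outbound packets whose source
is not one of our public prefixes are dropped (egress filtering), which also
catches a private address that leaked past NAT or a host spoofing its source.
All prefixes and sample packets below are constructed for the demo.
"""
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed: the public address space this organisation announces.
OUR_PREFIXES = [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/24")]

# Sources that must never arrive on the Internet-facing interface
# (RFC 1918 private space, loopback, link-local, "this" network).
BOGON_PREFIXES = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
    ip_network("127.0.0.0/8"),
    ip_network("169.254.0.0/16"),
    ip_network("0.0.0.0/8"),
]


def _in_any(addr, prefixes):
    return any(addr in p for p in prefixes)


def filter_decision(direction, src, dst):
    """Return ("permit" | "deny", reason) for one packet at the border.

    direction: "in"  = arriving from the Internet
               "out" = leaving toward the Internet
    """
    s, d = ip_address(src), ip_address(dst)
    if direction == "in":
        # Ingress filtering: an outsider cannot be us and cannot be a bogon,
        # and the packet must actually be addressed to our network.
        if _in_any(s, OUR_PREFIXES):
            return "deny", "ingress: spoofed internal source"
        if _in_any(s, BOGON_PREFIXES):
            return "deny", "ingress: bogon source"
        if not _in_any(d, OUR_PREFIXES):
            return "deny", "ingress: destination not ours"
        return "permit", "ingress ok"
    if direction == "out":
        # Egress filtering: only our own prefixes may leave. A deny here
        # points at a misconfigured or compromised internal host.
        if not _in_any(s, OUR_PREFIXES):
            return "deny", "egress: source not in our address space"
        return "permit", "egress ok"
    raise ValueError("direction must be 'in' or 'out'")


# Constructed sample traffic: (direction, source, destination).
SAMPLE_PACKETS = [
    ("in",  "203.0.113.7", "192.0.2.50"),   # ordinary inbound request
    ("in",  "192.0.2.10",  "192.0.2.50"),   # outsider claiming our address
    ("in",  "10.1.1.1",    "192.0.2.50"),   # bogon source
    ("in",  "203.0.113.7", "203.0.113.9"),  # not addressed to us
    ("out", "192.0.2.50",  "203.0.113.7"),  # ordinary outbound reply
    ("out", "10.20.3.4",   "203.0.113.7"),  # private source leaked past NAT
]


def apply_filter(packets):
    """Decide every packet; returns (direction, src, dst, verdict, reason) rows."""
    return [(d, s, t, *filter_decision(d, s, t)) for d, s, t in packets]


def summarize(packets):
    """Count permits and denies, the figure a log review would start from."""
    return dict(Counter(row[3] for row in apply_filter(packets)))


if __name__ == "__main__":
    for row in apply_filter(SAMPLE_PACKETS):
        print(*row)
    print(summarize(SAMPLE_PACKETS))
```

The egress rule is the one most often left out in practice; its denies are worth logging separately, because a burst of them from one internal host is exactly the "canary" signal the IDS sensors on the same slide are meant to provide.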


The Internal Network

Configuration management can enforce the following:

1. That all Windows machines have a particular service pack installed

2. That all Linux machines have a specific kernel running

3. That all users with remote-access accounts have a personal firewall

4. That every machine has antivirus signatures updated daily

5. That all users agree to the acceptable-use policy when they log on
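A configuration-management system enforces items like these by comparing what each host reports against a policy and flagging the drift. The Python below is an added example, not code from the slides or from any configuration-management product: it encodes the first four items as rules, evaluates a constructed host inventory against them, and returns each host's deviations. The policy values (service pack level, kernel string, signature age), the host names and the dates are assumptions made for the demo.

```python
"""Added example (not from the original slides): a configuration-management
compliance check for the items the slides say such a system can enforce.

Each host record is what an agent might report; POLICY is what "compliant"
means here. Host names, versions and dates are constructed for the demo.
"""
from datetime import date

# Constructed policy.
POLICY = {
    "windows_service_pack": 3,      # every Windows host at SP3 or later
    "linux_kernel": "5.15.0-91",    # every Linux host on this exact kernel (constructed value)
    "max_signature_age_days": 1,    # antivirus signatures updated daily
}

# Constructed "today" so the signature-age check is reproducible.
TODAY = date(2024, 3, 10)

# Constructed inventory as reported by the agents.
INVENTORY = [
    {"host": "ws-01", "os": "windows", "service_pack": 3, "remote_access": False,
     "personal_firewall": True, "av_signature_date": date(2024, 3, 10)},
    {"host": "ws-02", "os": "windows", "service_pack": 2, "remote_access": True,
     "personal_firewall": False, "av_signature_date": date(2024, 3, 7)},
    {"host": "srv-01", "os": "linux", "kernel": "5.15.0-91", "remote_access": False,
     "personal_firewall": True, "av_signature_date": date(2024, 3, 10)},
    {"host": "srv-02", "os": "linux", "kernel": "5.10.0-28", "remote_access": True,
     "personal_firewall": True, "av_signature_date": date(2024, 3, 10)},
]


def check_host(host, policy, today):
    """Return the list of policy deviations for one host (empty = compliant)."""
    findings = []
    # Rule 1: Windows hosts carry the required service pack.
    if host["os"] == "windows" and host.get("service_pack", 0) < policy["windows_service_pack"]:
        findings.append(f"service pack {host.get('service_pack')} below required "
                        f"{policy['windows_service_pack']}")
    # Rule 2: Linux hosts run the specific kernel.
    if host["os"] == "linux" and host.get("kernel") != policy["linux_kernel"]:
        findings.append(f"kernel {host.get('kernel')} is not {policy['linux_kernel']}")
    # Rule 3: remote-access accounts require a personal firewall.
    if host["remote_access"] and not host["personal_firewall"]:
        findings.append("remote-access account without personal firewall")
    # Rule 4: antivirus signatures are no older than the allowed age.
    age = (today - host["av_signature_date"]).days
    if age > policy["max_signature_age_days"]:
        findings.append(f"antivirus signatures {age} days old")
    return findings


def audit_inventory(inventory, policy, today):
    """Map each host name to its deviations."""
    return {h["host"]: check_host(h, policy, today) for h in inventory}


def noncompliant_hosts(inventory, policy, today):
    """Sorted names of hosts with at least one deviation, for the remediation queue."""
    return sorted(name for name, f in audit_inventory(inventory, policy, today).items() if f)


if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY, POLICY, TODAY).items():
        print(name, "OK" if not findings else "; ".join(findings))
    print("non-compliant:", noncompliant_hosts(INVENTORY, POLICY, TODAY))
```

The fifth item on the slide, acceptance of the acceptable-use policy at logon, is a logon-time control rather than a host attribute, so it is not modelled here; a real deployment would feed `noncompliant_hosts` into the same ticketing or remediation workflow that the audit step below describes.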


The Internal Network

An audit typically progresses like this:

1. An informational meeting is held to plan the audit. At the first informational meeting, the auditor finds out what the client wants and expects and establishes risks, costs, cooperation, deliverables, timeframes, and authorization.

2. Fieldwork begins (implementing the audit). When the client is ready, the auditor performs the audit in line with what was established in the planning session.

3. The initial audit report (technical report) takes place. The auditor might prefer to give an initial audit report to the technical representatives of a client before their management sees the final report. This provides the technical staff with an opportunity to address some concerns before the final report goes to management.

4. The final audit report (a nontechnical report with the final technical report) takes place. The final audit report typically contains an executive summary, the general approach used, the specific methodology used, and the final technical report.

5. Follow-up occurs (verified recommendations are performed).


Human Factor

1. Authority: Who is responsible.

2. Scope: Who it affects.

3. Expiration: When it ends.

4. Specificity: What is required.

5. Clarity: Can everyone understand it?

User awareness of your organization's security policy:

6. Have every user sign an acceptable-use policy annually.

7. Set up a security web page with policies, best practices, and news.

8. Send a "Security Tip of the Week" to every user.