Home > Articles

This chapter is from the book

Defense in Depth

A well-structured defense architecture treats security of the network like an onion. When you peel away the outermost layer, many remain underneath it. No concept carries more importance when discussing network security than defense in depth. Defense in depth helps you protect network resources even if one of the security layers is compromised. After all, no single security component can be guaranteed to withstand every attack it might need to face.

We operate in a real world of system misconfigurations, software bugs, disgruntled employees, and overloaded system administrators. Moreover, any practical security design needs to accommodate business needs that might require us to open certain firewall ports, leave additional services running on the server, or prevent us from applying the latest security patch because it breaks a business-critical application. Treating perimeter security components as parts of a coherent infrastructure allows us to deploy them in a way that accounts for the weaknesses and strengths of each individual component. Of course, given the requirements of your organization, you might choose not to implement every component discussed in this chapter. The extent to which you need to apply network security layers depends on the needs and capabilities of your business.

After introducing defense in depth in this section, we will use it as the guiding principle behind designs and implementations throughout this book. In fact, this topic is so important, we will conclude the book with a chapter devoted specifically to this topic.

Components of Defense in Depth

What exactly does defense in depth entail? The simple answer is the perimeter, the internal network, and a human factor. Each of these comprises many components, which are independently not enough to secure a network. The key lies in each component complementing the others to form a complete security picture.

The Perimeter

When we think of network security, we most often think of the perimeter. As we mentioned earlier in this chapter, the perimeter includes any or all of the following:

  • Static packet filter

  • Stateful firewall

  • Proxy firewall

  • IDS and IPS

  • VPN device

We have already introduced these security components to you. Now, let's take a look at how they might work together to form a defense-in-depth infrastructure.

Static packet filters inspect basic information within every packet and are typically implemented as routers. The border device is the first incoming and the last outgoing layer of your network security. It contributes to defense in depth by filtering traffic before it enters or exits your network. All too often, we only consider filtering incoming traffic, but then we don't get the full usability of our border router.

Improperly destined traffic might be internal addresses that hit your external interface, or vice versa, and they can be addressed with ingress and egress filtering. Border routers can also block traffic that is considered high risk from entering your network, such as traffic on the SANS Top 20 Vulnerabilities list (http://www.sans.org/top20). ICMP is a favorite of attackers both for DoS attacks and reconnaissance, so blocking this protocol in whole or in part is a common function of a border router. You may also consider blocking source-routed packets at the border router because they can circumvent defenses. The border router can also block out-of-band packets, such as SYN-FIN packets.

On February 9, 2000, websites such as Yahoo! and CNN were temporarily taken off the Internet, mostly by distributed denial of service (DDoS) Smurf attacks. A Smurf attack involves sending spoofed ICMP echo requests (ping) to the broadcast address, resulting in a response from every host. In this case, spoofing allowed attackers to direct the large number of responses to a victim network. Ingress and egress filtering would have blocked the spoofed traffic and allowed them to weather the DDoS storm. Every network should have ingress and egress filtering at the border router to permit only traffic that is destined for the internal network to enter and traffic that is destined for the external network to exit. We will cover filtering—including ingress and egress filters—in Chapter 2, "Packet Filtering."

Static packet filters, such as routers, are faster at screening traffic than stateful or proxy firewalls. This speed comes in handy when you are under attack or when the firewall is already under a heavy load. What if you don't have a border router under your exclusive control? If your Internet connection is relatively small (T1 or less), then performing filtering solely on a firewall might be sufficient.

Unlike static packet filtering devices, stateful firewalls keep track of connections in a state table and are the most common type of firewall. A stateful firewall blocks traffic that is not in its table of established connections. The firewall rulebase determines the source and destination IP and port numbers permitted to establish connections. By rejecting nonestablished, nonpermitted connections, a stateful firewall helps to block reconnaissance packets, as well as those that may gain more extensive unauthorized access to protected resources.

Stateful firewalls are able to recognize and block traffic that is part of a nonestablished, nonpermitted connection, such as attempts at reconnaissance. The ability to block reconnaissance attempts that hit your firewall, such as the Nmap ACK scan, make stateful firewalls a valuable part of defense in depth by adding another layer of security to your network. An alternative, and sometimes a complement to a stateful firewall, is a proxy firewall.

Proxy firewalls are the most advanced and least common type of firewall. Proxy firewalls are also stateful, in that they block any nonestablished, nonpermitted connections. As with stateful firewalls, the firewall rulebase determines the source and destination IP and port numbers that are permitted to establish connections. Proxy firewalls offer a high level of security because internal and external hosts never communicate directly. Rather, the firewall acts as an intermediary between hosts. Proxy firewalls examine the entire packet to ensure compliance with the protocol that is indicated by the destination port number. Ensuring that only protocol-compliant traffic passes through the firewall helps defense in depth by diminishing the possibility of malicious traffic entering or exiting your network.

Using proxy firewalls diminishes the possibility of malicious traffic entering or exiting your network by ensuring that only protocol-compliant traffic passes through. However, what happens if malicious traffic appears to be appropriate material and adheres to the protocol?

An IDS represents the eyes and ears of a network by monitoring the network and hosts from critical points for malicious activity. Typical network IDS sensor placement includes each network segment directly connected to the firewall, as well as critical points within the network. If malicious traffic bypasses your other defense mechanisms, an IDS should be able to detect it, as well as communicate what it sees. This is precisely how an IDS helps with defense in depth.

For example, a network IDS could identify and alert on the following:

  • DNS zone transfer requests from unauthorized hosts

  • Unicode attacks directed at a web server

  • Buffer overflow attacks

  • Worm propagation

There are numerous incidents where successive fast-spreading worms have brought down large international networks. If these companies had been able to identify and isolate the infected machines quickly each time a new worm hit, they could have kept their networks functioning. An IDS with the correct signature would facilitate that identification. An IDS can help identify malicious traffic that might otherwise appear normal to an untrained eye. For example, a DNS zone transfer is a legitimate and common operation for peered DNS servers to engage in. However, we should consider zone transfers outside of those hosts dangerous.

An IDS contributes toward a defense-in-depth architecture by detecting and reporting suspicious activity. This functionality can be augmented by deploying an IPS, which, in addition to detecting attacks, attempts to automatically thwart them. Intrusion prevention is becoming a popular term in literature describing firewall and IDS products—such "active response" technology gives us an opportunity to block malicious activity in situations where the likelihood of falsely identifying an attack is low.

An IDS allows us to tune our defenses to match the current threats. Furthermore, correlation of router, firewall, VPN, and system logs can yield some information about suspicious activity on the network. These logs are not meant to replace the granularity and extensiveness of IDS logs, but to augment them. Logs from non-IDS perimeter components can help significantly when the network IDS logs are of no use, such as when the traffic is encrypted in route to a VPN device.

VPNs protect communications over unprotected networks, such as the Internet. They improve security by offering confidentiality, integrity, and nonrepudiation. For example, a VPN can allow your employees working from home to connect to your servers in a trustworthy manner even while traversing the Internet. In this scenario, the VPN will make sure that no one can monitor the protected traffic, that no one can modify it without being detected, and that the data really came from the expected user. VPNs are appropriate for a wide range of applications and are often useful when dedicated private lines are too expensive or impractical for connecting network nodes. Protecting communications over unprotected networks helps us defend our networks with depth.

VPNs are wonderful tools or wonderful weapons, depending on who is using them. By providing protected communications over unprotected channels, a VPN is a tool to legitimate users. If, however, the endpoints of a VPN connection are not secure, an attacker might be able to gain a protected channel into your internal network, giving him an awesome weapon. In our experience, many large networks that have been severely crippled by worms were affected by the same type culprit during every infection: a VPN user who was working from home. Users would surf the Web using their personal broadband connections at night before logging onto the internal network the following day via the VPN. A worm infected their machines when they were connected to the Internet at night. When they connected to the internal network the following day, the worm propagated to the internal network and ran rampant.

VPNs offer significant cost savings over the previous alternative of frame relay or a private line. We can use a VPN to protect all traffic from one network to another (network to network), between two hosts (host to host), or from a single host to a network (host to network). Knowing this, the way in which we configure our networks becomes increasingly important.

All too often, security is not a primary concern to a business when putting a network in place. A thought-out network architecture is vital to defense in depth because it segregates resources and provides for performance and redundancy. A well-designed infrastructure can act as a business enabler, rather a stumbling block to the organization.

We need to do the following when evaluating a network security architecture:

  • Determine what resources need to be protected.

  • Determine the risk.

  • Determine business requirements.

With this information, we can make educated decisions regarding our network defenses.

A solid network architecture created with security in mind will segregate resources and provide for performance and redundancy. Segregating resources is vital to defense in depth, and we will look at it closely in Chapter 13, "Separating Resources." We must keep in mind that no matter how segregated a host is from a network viewpoint, its configuration must also be hardened.

We've discussed how various components of the perimeter contribute to the overall security of our network through defense in depth. Although vital, the external perimeter is only one piece of defense in depth. Next, we examine a piece that many organizations neglect to properly address: the internal network.

The Internal Network

The internal network is the network that is protected by the perimeter and that contains all the servers, workstations, and infrastructure with which a company conducts business.

So often, administrators of various types say, "We can trust our own people." Organizations often neglect the security of the internal network because they don't consider an internal attack a risk. An internal attack doesn't have to be a malicious employee; it can be a careless employee as well. As organizations are learning each time a new worm comes out, they cannot afford to overlook the security of the internal network!

Let's shift gears for a minute. Conjure up an image of what you consider a highly skilled attacker. Imagine him breaking into your most sensitive systems...while sitting at your desk. What would stop him?

On the internal network, we could have the following "perimeter" devices:

  • Ingress and egress filtering on every router

  • Internal firewalls to segregate resources

  • IDS sensors to function as "canaries in a coal mine" and monitor the internal network

On protected systems, we can use the following:

  • Host-centric (personal) firewalls

  • Antivirus software

  • Operating system hardening

  • Configuration management

  • Audits

Host-centric (personal) firewalls are generally implemented as software modules that run on individual machines, screening network traffic as it enters and leaves the system. Many are configurable on a per-application basis, meaning that the user determines which applications have rights to access the Internet or function as servers (accept incoming connections). Personal firewalls help defense in depth by augmenting the perimeter on every host.

You might ask, "Why do I need a personal firewall if I'm already behind a network firewall at work?" A personal firewall at work can protect you from malicious programs, such as Trojans, and other internal hosts, as is the case with malicious internal users. If you do not have a personal firewall and connect to the Internet outside of work (such as the hotel room while traveling or the home office when working from home), you cannot assume that you are being protected.

Host-centric firewalls are wonderful pieces of software that augment the perimeter. If a traditional firewall cannot be deployed at the network's entry point, host-centric firewalls are cost-effective alternatives, especially if the network hosts a small number of systems. Host-centric firewalls are also useful for mobile users who connect to a network outside of work. Almost every network needs firewall technology of some sort, be it with static packet filters, stateful firewalls, or proxy firewalls on the perimeter or the individual machines. Most networks with user-level workstations also need an antivirus capability.

In many respects, antivirus software and network IDSs are similar in that they frequently operate by examining data for signatures of known malicious intent. Antivirus software typically looks at the data on the file system and in RAM, whereas a network IDS examines data on the network. As vendors package antivirus, personal firewall, and IDS technology into a single product, the line distinguishing the three becomes increasingly vague. The role of antivirus in defense in depth is clear—it protects against malicious code.

We can augment our antivirus capability on the desktop through products that couple with perimeter components, such as firewalls and email servers. The effectiveness of antivirus software drastically decreases if it is not regularly updated, or if it does not yet provide a signature to identify the latest virus or worm. This is often the case with worms, which propagate very quickly. Locking down the host's configuration becomes critically important in the case of ineffective antivirus software.

Host hardening is the process of tightening the configuration of the host's OS and applications with the purpose of securing any unnecessary openings on the system. This typically involves applying relevant OS and application patches, setting file system permissions, disabling unnecessary services, and enforcing password restrictions. If everything else fails, host hardening is the last layer protecting an individual system. That makes it vital to defense in depth.

Consider the nontechnical co-worker who was checking her personal email through a hotel's dial-up connection. What if she had not installed a personal firewall or antivirus software? If basic hardening had been performed, she would have likely presented the attacker with a variety of vulnerabilities to exploit. It is all too easy to forget about host hardening when multiple layers of defense are surrounding the system. The fact remains that those defenses are not perfect, and we need that last layer. The question of how to keep on top of host hardening naturally arises.

Configuration management is the process of establishing and maintaining a known configuration for systems and devices that are on the network. Large companies might have an automated means of manipulating the configuration of all hosts, whereas small companies might perform the process manually. Defense in depth benefits from the ability to enforce a standard configuration.

Configuration management can enforce the following:

  • That all Windows machines have a particular service pack installed

  • That all Linux machines have a specific kernel running

  • That all users with remote-access accounts have a personal firewall

  • That every machine has antivirus signatures updated daily

  • That all users agree to the acceptable-use policy when they log on

Some of these tasks naturally lend themselves to large-scale automation, whereas others we can accomplish manually.

Configuration management is the best way to establish a standard, secure configuration so that damage from incidents is limited. It can also enable your organization to control unauthorized software installation. Configuration management is an important piece of defense in depth because it enforces a standard configuration. How can we verify that a configuration is a secure one that remains unchanged?

Auditing is the process of resolving perception to reality and improving upon that. Internal staff or external consultants can perform audits. The information that we present next was written from a perspective of an external consultant, but it applies to either situation. Verifying the current state of security and improving upon it is vital to defense in depth.

An audit typically progresses like this:

  1. An informational meeting is held to plan the audit. At the first informational meeting, the auditor finds out what the client wants and expects and establishes risks, costs, cooperation, deliverables, timeframes, and authorization.

  2. Fieldwork begins (implementing the audit). When the client is ready, the auditor performs the audit in line with what we established in the planning session.

  3. The initial audit report (technical report) takes place. The auditor might prefer to give an initial audit report to the technical representatives of a client before their management sees the final report. This provides the technical staff with an opportunity to address some concerns before the final report goes to management. This also ensures that the technical representatives know what their management will see and can offer clarification on any issues.

  4. The final audit report (a nontechnical report with the final technical report) takes place. The final audit report typically contains an executive summary, the general approach used, the specific methodology used, and the final technical report.

  5. Follow-up occurs (verified recommendations are performed).

When the client is ready, the auditor may return to verify that the issues have been resolved.

Just like you go to your doctor on a regular basis for a physical to make sure you're as healthy as you think you are, you should check your network on a regular basis to ensure that your perception and the reality of your defenses coincide. Consider an audit preventative maintenance. An audit is the only tool in defense in depth to verify that everything is as it should be.

Securing the internal network with host-centric firewalls, antivirus software, and host hardening is not a trivial task. Configuration management and audits can help you accomplish this. Addressing security on the external perimeter and the internal network is not enough. Next, we will complete the defense-in-depth picture by discussing the human factor.

The Human Factor

Frequently, we get caught up in the technical aspect of network security without considering its nontechnical element. Tasks such as optimizing the firewall rulebase, examining network traffic for suspicious patterns, and locking down the configuration of systems are certainly important to network security. What we often forget is the human end of things, such as the policies and awareness that go along with the technical solution.

Policy determines what security measures your organization should implement. As a result, the security policy guides your decisions when implementing security of the network. An effective defense-in-depth infrastructure requires a comprehensive and realistic security policy.

Hallmarks of good policy include the following:

  • Authority—Who is responsible.

  • Scope—Who it affects.

  • Expiration—When it ends.

  • Specificity—What is required.

  • Clarity—Can everyone understand it?

User awareness is like driver's education. Users can reduce risk and help defense in depth if they know and follow the security policy. Here are some of the actions you can take to increase user awareness of your organization's security policy:

  • Have every user sign an acceptable-use policy annually.

  • Set up a security web page with policies, best practices, and news.

  • Send a "Security Tip of the Week" to every user.

A direct benefit of aware users comes when considering social-engineering attacks. For example, if users know not to give their password to other people, a potential attack might be thwarted. When users are aware of policy, there tends to be fewer incidents and misunderstandings, and users feel more involved in security. Additionally, in the case of policy violations, if the users are educated, it's harder for people to claim that they didn't know they were doing something wrong.

Remember: Defense in depth hinges on the human factor of policy and user awareness. Policy determines what security measures your organization should implement. Those security measures should reflect policy. Defense in depth is the means to policy implementation; it depends on it.

We've examined the components of defense in depth and how they contribute to security of the network. Defense in depth is a flexible concept that allows you to create an effective security infrastructure that reflects the requirements of your organization. For example, smaller organizations might not be able to afford some of the components we discussed, but alternatives usually exist. Regardless of the size of your organization, policy and user awareness are necessary.

We'll wrap up this chapter by looking at a real-world case where defense in depth could have saved an organization a lot of time, effort, and money.

InformIT Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from InformIT and its family of brands. I can unsubscribe at any time.

Overview


Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information


To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.

Surveys

Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites, develop new products and services, conduct educational research and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.

Newsletters

If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@informit.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information


Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.

Security


Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.

Children


This site is not directed to children under the age of 13.

Marketing


Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information


If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.

Choice/Opt-out


Users can always make an informed choice as to whether they should proceed with certain services offered by InformIT. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.informit.com/u.aspx.

Sale of Personal Information


Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents


California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure


Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.

Links


This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact


Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice


We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020