Monday, December 11, 2006

What is Defense In-Depth and why is it important?

Defense in-depth is a technique that uses many layers of network defense to secure a network and all devices connected to that network. The theory behind defense in-depth is to deploy different, independent layers of security in key parts of the network, so that an attack that slips past one layer is detected, contained and ultimately stopped by another.
The basic layers and descriptions of defense-in-depth, in order of deployment, include the following.
· Authentication Layer – authenticates your users before allowing them access to your network.
· Perimeter Layer – filters unwanted network sessions from entering your network, provides application inspection, and enforces RFC-compliant behavior on network sessions (for example, dropping TCP segments with flag combinations a real stack never sends). It also absorbs some DoS and DDoS traffic, although it cannot help once a flood saturates the link upstream of it.
· Network Intrusion Prevention Layer – after you have allowed traffic into your network, intrusion prevention examines this traffic to ensure that it is valid, does not contain malicious content such as viruses, worms, adware, spyware, botware or trojans, and does not behave in a manner that would indicate replicating worms or scanners.
· Host Intrusion Prevention Layer – at this point your network traffic has been examined at three different levels. Host intrusion prevention is the final layer. This technology includes antivirus software, and software that watches the behavior of your host or server to ensure it is not indicative of malicious software. Examples of bad behavior on a host: a buffer overflow followed by code being executed from the overflowed buffer; the execution of an image that was recently downloaded from the Internet; a non-privileged program modifying itself to raise its privileges; a non-privileged process trying to set the network interface card into promiscuous mode for network sniffing; a browser listening on a network socket for outside connections.
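To make the perimeter layer concrete, here is an added example (not code from the original post) of what a stateful perimeter firewall does with each TCP segment: it rejects RFC-violating flag combinations such as NULL, Xmas and SYN/FIN scans before any state lookup, allows inbound SYNs only to ports that have an explicit policy entry, and lets everything else in only when it belongs to a session it has already seen. The addresses, port policy and traffic below are constructed for illustration.

```python
"""Stateful perimeter filter with TCP flag sanity checks (added example).

Toy model of a perimeter firewall; not the page's own code. The policy,
addresses and traffic below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# TCP flag bits as laid out in the TCP header (RFC 793)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ACCEPT, DROP = "ACCEPT", "DROP"


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    inbound: bool  # True when the segment arrived on the untrusted side


def flag_violation(flags: int) -> Optional[str]:
    """Return why a flag combination is not RFC-compliant, or None if it is.

    A real TCP stack never emits these; they appear in NULL, FIN, Xmas and
    SYN/FIN scans, so the perimeter can drop them before any state lookup.
    """
    if flags == 0:
        return "NULL segment (no flags set)"
    if flags & SYN and flags & FIN:
        return "SYN and FIN set together"
    if flags & SYN and flags & RST:
        return "SYN and RST set together"
    if not flags & (SYN | ACK | RST):
        # Every segment after the initial SYN carries ACK; FIN/Xmas scans do not
        return "non-SYN segment without ACK"
    return None


class PerimeterFilter:
    """Tracks sessions so only replies to known connections are allowed in."""

    def __init__(self, allowed_inbound_ports=()):
        self.allowed_inbound_ports = frozenset(allowed_inbound_ports)
        self.sessions = {}  # (client, cport, server, sport) -> handshake state

    def _lookup(self, seg: Segment):
        fwd = (seg.src, seg.sport, seg.dst, seg.dport)
        rev = (seg.dst, seg.dport, seg.src, seg.sport)
        if fwd in self.sessions:
            return fwd
        if rev in self.sessions:
            return rev
        return None

    def decide(self, seg: Segment) -> Tuple[str, str]:
        why = flag_violation(seg.flags)
        if why:
            return DROP, why
        if seg.flags & SYN and not seg.flags & ACK:
            # New session. Inbound ones need an explicit policy entry.
            if seg.inbound and seg.dport not in self.allowed_inbound_ports:
                return DROP, f"unsolicited inbound SYN to port {seg.dport}"
            self.sessions[(seg.src, seg.sport, seg.dst, seg.dport)] = "SYN"
            return ACCEPT, "new session"
        key = self._lookup(seg)
        if key is None:
            return DROP, "no matching session"
        if seg.flags & RST:
            del self.sessions[key]
            return ACCEPT, "session reset"
        state = self.sessions[key]
        if seg.flags & SYN and seg.flags & ACK:
            self.sessions[key] = "SYN_ACK"
        elif state == "SYN":
            return DROP, "handshake out of order"  # data/ACK before SYN+ACK
        elif state == "SYN_ACK":
            self.sessions[key] = "ESTABLISHED"  # third packet of the handshake
        return ACCEPT, self.sessions[key]


# Constructed traffic: one outbound HTTPS session, one allowed inbound HTTP
# session, a SYN to an unpublished port, three scan probes, one stray ACK.
SAMPLE_TRAFFIC = [
    Segment("10.0.0.5", 40000, "93.184.216.34", 443, SYN, inbound=False),
    Segment("93.184.216.34", 443, "10.0.0.5", 40000, SYN | ACK, inbound=True),
    Segment("10.0.0.5", 40000, "93.184.216.34", 443, ACK, inbound=False),
    Segment("93.184.216.34", 443, "10.0.0.5", 40000, ACK | PSH, inbound=True),
    Segment("198.51.100.7", 51000, "10.0.0.5", 22, SYN, inbound=True),
    Segment("198.51.100.7", 51001, "10.0.0.10", 80, SYN, inbound=True),
    Segment("198.51.100.7", 51002, "10.0.0.10", 80, 0, inbound=True),
    Segment("198.51.100.7", 51003, "10.0.0.10", 80, FIN | PSH | URG, inbound=True),
    Segment("198.51.100.7", 51004, "10.0.0.5", 40001, ACK, inbound=True),
]


def run_demo():
    """Run the sample traffic through a filter that publishes only port 80."""
    fw = PerimeterFilter(allowed_inbound_ports={80})
    return [fw.decide(seg) for seg in SAMPLE_TRAFFIC]


if __name__ == "__main__":
    for seg, (verdict, why) in zip(SAMPLE_TRAFFIC, run_demo()):
        print(f"{verdict:6} {seg.src}:{seg.sport} -> {seg.dst}:{seg.dport}  ({why})")
```

The order of the checks matters: malformed segments are dropped before the session table is consulted, so a scanner cannot use them to probe which sessions exist, and an unsolicited ACK never creates state. A real firewall also ages sessions out and tracks sequence numbers, which this model omits.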
Along with deploying the four standard layers of defense-in-depth, you also need to follow security best practices. These cover many operational aspects of security; a good source for this information is SANS.org. Security best practices normally include things such as:
· Applying current operating system patches
· Applying current host and server hotfixes
· Applying current application patches
· Enforcing secure usernames and passwords
· Deploying configuration best practices as recommended by the vendor
· Deploying current anti-virus and IPS signatures
· Hardening host security
· Hardening server security
· Hardening network device and security device configuration
· Processes and procedures to respond to security breaches and disasters
· Processes and procedures to correlate and identify attacks
· Processes and procedures to respond after an attack
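The host intrusion prevention layer above lists several behaviors a host monitor should flag, and the list just above calls for procedures that correlate events into identified attacks. The following added example (not code from the original post) does both in one small monitor: it consumes a stream of host events and raises an alert for each of the listed behaviors, correlating a download with a later execution of the same file instead of alerting on either event alone. The event schema, the browser list, the "recent" window and the sample events are all constructed for illustration; a real HIPS would receive these from a kernel driver or audit subsystem.

```python
"""Host behavior monitor (added example, not the page's own code).

Flags the bad-behavior examples from the host intrusion prevention layer
and correlates a download with a later exec of the same image. The event
schema, BROWSERS set, DOWNLOAD_WINDOW and SAMPLE_EVENTS are constructed.
"""
from typing import Dict, List, Optional

BROWSERS = {"firefox", "chrome", "iexplore", "safari"}  # assumed list of browser images
DOWNLOAD_WINDOW = 24 * 3600  # seconds; what "recently downloaded" means here (assumed)


class HostMonitor:
    def __init__(self) -> None:
        self.recent_downloads: Dict[str, int] = {}  # path -> download time
        self.alerts: List[str] = []

    def observe(self, ev: Dict) -> Optional[str]:
        """Consume one event; return an alert string, or None if benign."""
        kind = ev["type"]
        alert = None
        if kind == "download":
            # Not suspicious by itself; remembered so a later exec can be correlated
            self.recent_downloads[ev["path"]] = ev["t"]
        elif kind == "exec":
            t0 = self.recent_downloads.get(ev["path"])
            if t0 is not None and ev["t"] - t0 <= DOWNLOAD_WINDOW:
                alert = f"pid {ev['pid']}: executed recently downloaded image {ev['path']}"
        elif kind == "exec_page" and ev["region"] in ("stack", "heap"):
            # Instruction fetch from a writable data page: classic overflow payload
            alert = (f"pid {ev['pid']}: code executed from writable {ev['region']} "
                     f"page (buffer overflow indicator)")
        elif (kind == "uid_change" and ev["from_uid"] != 0 and ev["to_uid"] == 0
              and not ev["via_setuid_exec"]):
            # Legitimate privilege gain goes through exec of a setuid image (su, sudo)
            alert = f"pid {ev['pid']}: unprivileged process became root without a setuid exec"
        elif kind == "promisc" and ev["uid"] != 0:
            alert = f"pid {ev['pid']}: unprivileged process put {ev['iface']} into promiscuous mode"
        elif kind == "listen" and ev["image"] in BROWSERS:
            alert = f"pid {ev['pid']}: browser {ev['image']} listening on port {ev['port']}"
        if alert:
            self.alerts.append(alert)
        return alert


# Constructed sample events (not real telemetry), benign ones interleaved
SAMPLE_EVENTS = [
    {"t": 100, "type": "download", "pid": 310, "path": "/home/alice/Downloads/invoice.exe"},
    {"t": 105, "type": "exec", "pid": 311, "uid": 1000, "path": "/usr/bin/ls"},
    {"t": 160, "type": "exec", "pid": 412, "uid": 1000, "path": "/home/alice/Downloads/invoice.exe"},
    {"t": 161, "type": "exec_page", "pid": 412, "region": "stack"},
    {"t": 162, "type": "uid_change", "pid": 412, "from_uid": 1000, "to_uid": 0, "via_setuid_exec": False},
    {"t": 163, "type": "uid_change", "pid": 413, "from_uid": 1000, "to_uid": 0, "via_setuid_exec": True},
    {"t": 170, "type": "promisc", "pid": 500, "uid": 1000, "iface": "eth0"},
    {"t": 171, "type": "promisc", "pid": 501, "uid": 0, "iface": "eth0"},
    {"t": 180, "type": "listen", "pid": 600, "uid": 1000, "image": "firefox", "port": 4444},
    {"t": 181, "type": "listen", "pid": 700, "uid": 0, "image": "sshd", "port": 22},
]


def run_demo() -> List[str]:
    """Feed the sample events to a fresh monitor and return the alerts raised."""
    monitor = HostMonitor()
    for ev in SAMPLE_EVENTS:
        monitor.observe(ev)
    return monitor.alerts


if __name__ == "__main__":
    for line in run_demo():
        print("ALERT", line)
```

Of the ten sample events, five raise alerts and five (the benign exec, the sudo-style uid change, root running a sniffer, and sshd listening) do not. The download event alone never alerts; the window only matters when the same path is later executed, which is the kind of correlation the "correlate and identify attacks" procedure asks for.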
Defense in-depth is the key to stopping most, but not all, network and computer related attacks. It is a concept of deploying several layers of defense that each mitigate security threats. Many hackers are looking for what is called "low hanging fruit", that is, easy targets. With defense in-depth applied, attackers will usually either get frustrated and move on to the next target, or stop attacking altogether, deterred by the security you have put in place.
Even with defense in-depth in place, don't get lulled into a false sense of security. A patient hacker, a very skilled hacker, a disgruntled employee or far-ranging new security vulnerabilities will always pose a threat to any security environment.


With Great Power Comes Great Responsibility....raise the bar

Get Secure