Defense in Depth

1.A well-structured defense architecture treats security of the network like an onion. When you peel away the outermost layer, many remain underneath it. 2.Defense in depth helps you protect network resources even if one of the security layers is compromised. After all, no single security component can be guaranteed to withstand every attack it might need to face. 3.We operate in a real world of system misconfigurations, software bugs, disgruntled employees, and overloaded system administrators. 4.Moreover, any practical security design needs to accommodate business needs that might require us to open certain firewall ports, leave additional services running on the server, or prevent us from applying the latest security patch because it breaks a business-critical application.

Defense in Depth 1.Treating perimeter security components as parts of a coherent infrastructure allows us to deploy them in a way that accounts for the weaknesses and strengths of each individual component. 2.Of course, given the requirements of your organization, you might choose not to implement every component discussed here.

Components of Defense in Depth 1.The Perimeter 2.The Internal Network 3.The Human Factor

The Perimeter When we think of network security, we most often think of the perimeter. As we mentioned earlier in this chapter, the perimeter includes any or all of the following: 1.Static packet filter 2.Stateful firewall 3.Proxy firewall 4.IDS and IPS 5.VPN device

The Internal Network On the internal network, we could have the following "perimeter" devices: 1.Ingress and egress filtering on every router 2.Internal firewalls to segregate resources 3.IDS sensors to function as "canaries in a coal mine" and monitor the internal network On protected systems, we can use the following: 1.Host-centric (personal) firewalls 2.Antivirus software 3.Operating system hardening 4.Configuration management 5.Audits

The Internal Network Configuration management can enforce the following: 1.That all Windows machines have a particular service pack installed 2.That all Linux machines have a specific kernel running 3.That all users with remote-access accounts have a personal firewall 4.That every machine has antivirus signatures updated daily 5.That all users agree to the acceptable-use policy when they log on

The Internal Network An audit typically progresses like this: 1.An informational meeting is held to plan the audit. At the first informational meeting, the auditor finds out what the client wants and expects and establishes risks, costs, cooperation, deliverables, timeframes, and authorization. 2.Fieldwork begins (implementing the audit). When the client is ready, the auditor performs the audit in line with what we established in the planning session. 3.The initial audit report (technical report) takes place. The auditor might prefer to give an initial audit report to the technical representatives of a client before their management sees the final report. This provides the technical staff with an opportunity to address some concerns before the final report goes to management. 4.The final audit report (a nontechnical report with the final technical report) takes place. The final audit report typically contains an executive summary, the general approach used, the specific methodology used, and the final technical report. 5.Follow-up occurs (verified recommendations are performed).

Human Factor 1.Authority Who is responsible. 2.Scope Who it affects. 3.Expiration When it ends. 4.Specificity What is required. 5.Clarity Can everyone understand it? User awareness of your organization's security policy: 1.Have every user sign an acceptable-use policy annually. 2.Set up a security web page with policies, best practices, and news. 3.Send a "Security Tip of the Week" to every user.