Perhaps the best way to visualize Defense in Depth as it relates to Information
Security is to view the recent blockbuster movie: “The Two Towers”.
When the antagonists approached the perimeter defenses at Helm’s Deep,
they were first greeted by a volley of arrows. As they approached closer, rocks
and boiling oil was thrown on their heads. Then there was the actual wall to
contend with. As they brought up siege ladders, they were thrust back with long
poles. As they jumped on the tower ramparts they were engaged hand to hand.
But despite those defenses, because of the value the enemy attached to defeating
Rohan, evil nearly prevailed.
Lately, when one considers network and especially Internet security, one
might wonder whether good will prevail in the real world. But while the unvigilant
got hammered by SoBig.F and Blaster, we can rest assured that though Internet
functionality might be compromised, and we may not be able to see our bank accounts
online, the data itself remains secure thanks to internal network defense in depth.
Defense In Depth
The Layers of Modern Network Security
While the bulk of the layers of network security occur inside the firewall,
it is important to realize that almost all data is on a network to which virtually
every other computer in the world has potential access.
At the coarsest level, routers and network devices can achieve some degree
of protection by filtering IP addresses. Routers function at the Network layer
of the TCP/IP protocol stack and can thus see the IP addressing information.
The router achieves this through the use of ACLs, or access control lists.
These can block certain IP addresses or certain ports and thus control
The problem with this, of course, is that with the Web being an ever-changing
environment, staying current with the ACLs quickly becomes a nightmare.
But they can prevent things like your SQL database from being exposed on the
The next thing to consider, moving in from the Wild Wild Web, is the firewall.
This is a frequently discussed and often misunderstood aspect of defense in
depth. Firewalls can protect the internal network from the Internet, or a more
secure network from a less secure one. A firewall is one place where the nebulous
concepts outlined in the organization's security policy are expressed in hardware
and software. It controls what services are accessible, what IP addresses and
ranges are accessible, and what ports can be accessed.
The overall idea of the firewall is a choke point in the network through which all
traffic flows and where it is inspected and potentially restricted. It is actually
a type of gateway that can be a router, a computer, an authentication server, or
a specialized hardware device. It monitors all traffic coming into and out of
the network based on predetermined rules.
General Types of Firewalls
Technically, firewalls are classified as packet filtering, proxy, or stateful
firewalls.
Packet filtering firewalls are like packet filtering routers but with some
differences in implementation. Basically they work using ACLs at the
network layer. This setup is very scalable, high-performance and application
independent, but offers relatively low security compared to the other choices.
A proxy firewall acts as a middleman between the two parties and decides whether
or not the communication should be allowed. There is no direct connection between
the two parties, and thus this setup shields internal network information from
prying outside eyes. The proxy is the only machine with a visible IP address
on the internet. The proxy makes a copy of each incoming packet, changes the
source address and puts it on the wire to the destination address.
Proxy firewalls can be further divided into application level proxy firewalls
and circuit level proxy firewalls. Application level proxies inspect the entire
packet and make access decisions based on the header information and the content
of the packet. They allow for a high level of security because they allow the
greatest level of control, but they can be resource intensive and decrease network
performance because of the computing involved.
Circuit level proxies make filtering decisions based on header information,
IP addresses, ports, protocol type and protocol flags. They provide greater
flexibility than application level proxies, but less security.
The most advanced type of firewall is the stateful firewall which keeps track
of the actual communication process by use of a state table. It also follows
connectionless protocols like UDP, and the state and context of the data in
the packets are stored in the state table and updated continuously.
These different types of firewalls can be combined in layers and thus can
add depth to an organization's information defense.
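The distinction between a stateless packet filter, a stateful firewall that keeps a state table, and the two layered in series can be shown in code. The following is an added example written for this page, not code from the original article or from any firewall product. The topology (a public web server at 192.0.2.10 in the DMZ, a SQL server at 10.0.0.5 on the internal network), the rules and the packets are constructed sample data using the RFC 5737 test address ranges.

```python
# Added example, not from the original article: a toy stateless packet
# filter (router ACL), a toy stateful firewall with a state table, and the
# two chained so a packet must pass every layer. All addresses, rules and
# packets below are constructed sample data (RFC 5737 test ranges).
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False   # TCP SYN flag, i.e. a new connection attempt


@dataclass
class AclRule:
    action: str                   # "permit" or "deny"
    src_net: str
    dst_net: str
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src_net)
                and ip_address(p.dst) in ip_network(self.dst_net)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


def acl_filter(rules: List[AclRule], p: Packet) -> bool:
    """Stateless filtering as a router does it: first matching rule wins,
    and anything no rule matches is denied (the implicit deny)."""
    for rule in rules:
        if rule.matches(p):
            return rule.action == "permit"
    return False


Flow = Tuple[str, int, str, int, str]


@dataclass
class StatefulFirewall:
    acl: List[AclRule]
    table: Set[Flow] = field(default_factory=set)   # the state table

    def admit(self, p: Packet) -> bool:
        flow: Flow = (p.src, p.sport, p.dst, p.dport, p.proto)
        reverse: Flow = (p.dst, p.dport, p.src, p.sport, p.proto)
        if flow in self.table or reverse in self.table:
            return True   # belongs to a conversation already in the table
        # Only a TCP SYN (or, for connectionless UDP, the first datagram)
        # may open a new entry, and only if the ACL permits it.
        if (p.syn or p.proto == "udp") and acl_filter(self.acl, p):
            self.table.add(flow)
            return True
        return False


# Assumed topology: public web server 192.0.2.10 in the DMZ, SQL server
# 10.0.0.5 on the internal network, clients anywhere on the Internet.
OUTER_ACL = [   # coarse screening on the outer router
    AclRule("permit", "0.0.0.0/0", "192.0.2.10/32", "tcp", 80),
    AclRule("permit", "0.0.0.0/0", "192.0.2.10/32", "tcp", 443),
    AclRule("deny", "0.0.0.0/0", "10.0.0.0/8"),   # internal net never exposed
]
INNER_ACL = [   # tighter rules on the stateful firewall behind it
    AclRule("permit", "0.0.0.0/0", "192.0.2.10/32", "tcp", 80),
    AclRule("permit", "0.0.0.0/0", "192.0.2.10/32", "tcp", 443),
    AclRule("permit", "192.0.2.10/32", "10.0.0.5/32", "tcp", 1433),
]


def layered_check(fw: StatefulFirewall, p: Packet) -> str:
    """Walk one inbound packet through the layers in order and report
    where it stops; each layer only sees what the previous one passed."""
    if not acl_filter(OUTER_ACL, p):
        return "dropped by outer router ACL"
    if not fw.admit(p):
        return "dropped by stateful firewall"
    return "delivered"


def run_demo() -> List[str]:
    fw = StatefulFirewall(INNER_ACL)
    client = "203.0.113.7"
    packets = [
        Packet(client, "10.0.0.5", "tcp", 40001, 1433, syn=True),   # aimed straight at the SQL server
        Packet(client, "192.0.2.10", "tcp", 40002, 80),             # ACK with no prior handshake
        Packet(client, "192.0.2.10", "tcp", 40003, 80, syn=True),   # legitimate new web connection
        Packet(client, "192.0.2.10", "tcp", 40003, 80),             # follow-up packet in that flow
    ]
    return [layered_check(fw, p) for p in packets]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The second sample packet is the instructive one: the stateless router passes it because its addresses and ports match a permit rule, and only the stateful layer, which finds no entry for that flow in its table, drops it. The first packet never gets past the outer router, which is the "SQL database not exposed" case from the text.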
For example, traffic that comes in from the untrusted network is first filtered
via packet filtering on the outer router. The traffic that makes it past this
phase is then sent to the screened host firewall or bastion host system which
applies more rules to the traffic and discards suspect packets. The traffic
then is sent to an interior screening router. Only after this does the traffic
move to the internal destination host. This type of DMZ setup is called a screened
The common misconception at this point is that the internal network is safe. This
myth is probably encouraged by the booming firewall business. But there are
several things to think about that dispel it.
First of all, no matter what study is cited, the evidence points to the fact
that a significant number of intrusions come from hosts within the network.
Firewalls often do little to protect against viruses downloaded through email.
Also, they do not protect against rogue modem installations. And most importantly,
a firewall is no substitute for informed admins and users.
“No backup, no recovery” is an often-repeated adage in Information Security.
Valuable data is not only exposed to people with malicious intent, but also
suffers loss from hardware failure and user oversight, as well as acts of nature.
Redundant hardware addresses the issue of hardware failure, and offsite storage
addresses the last issue.
Access controls keep important organizational data from being accessed inappropriately.
Public key cryptography ensures data confidentiality in storage. When used on
the wire, it can adversely impact another important layer of defense, intrusion
Intrusion detection can help determine whether an organization’s systems
have been compromised. There are two basic types of IDS, host based and network
based. Host-based IDS frequently comes out of the box with an OS like Windows Server
2003. It must be configured, and it should be centrally logged to save administrator
time. Often these are set up only on critical machines, like domain controllers
or network storage servers.
Network-based IDSs can be signature-based or behavior-based. Signature-based
IDSs are based on the fact that attacks have certain patterns or
signatures. Vendors update these IDSs much as antivirus software makers do:
when new attacks are discovered, they are added to the signature base.
This type is also called rules-based IDS. A model-based approach looks for known
procedures to breach a network, like scanning certain ports. A state-based IDS
looks at the exchange of data between source and destination to look for malicious
Behavior-based IDS, on the other hand, compares current traffic to a reference
of normal network behavior. The drawback is that this can produce false negatives.
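The three detection approaches described above (signature/rules-based, model-based, and behavior-based) can be contrasted by running each over the same traffic. The following is an added example written for this page, not code from the original article or from any IDS vendor. The log format, the two signatures, the port-scan threshold, and both log samples (a known-normal window used to learn the baseline, and a suspect window) are constructed for the example.

```python
# Added example, not from the original article: three toy network IDS
# approaches run over constructed sample connection-log lines.
#   signature-based : known attack patterns matched against the payload
#   model-based     : a known breach procedure (port scanning) recognised
#   behavior-based  : traffic compared to a baseline learned from normal use
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed log format: "src dst dport payload" (payload "-" when none).
NORMAL_LOG = """\
203.0.113.7 192.0.2.10 80 GET /index.html
203.0.113.7 192.0.2.10 80 GET /about.html
203.0.113.9 192.0.2.10 443 -
198.51.100.20 192.0.2.10 80 GET /index.html
198.51.100.20 192.0.2.10 80 GET /news.html
198.51.100.20 192.0.2.10 80 GET /contact.html
"""

SUSPECT_LOG = """\
203.0.113.7 192.0.2.10 80 GET /index.html
203.0.113.7 192.0.2.10 80 GET /cgi-bin/../../etc/passwd
198.51.100.4 192.0.2.10 21 -
198.51.100.4 192.0.2.10 22 -
198.51.100.4 192.0.2.10 23 -
198.51.100.4 192.0.2.10 25 -
198.51.100.4 192.0.2.10 80 -
198.51.100.4 192.0.2.10 110 -
203.0.113.9 192.0.2.10 80 GET /about.html
"""

# Signature base, updated by the vendor as new attacks are catalogued.
SIGNATURES: Dict[str, re.Pattern] = {
    "directory traversal": re.compile(r"\.\./"),
    "password file request": re.compile(r"/etc/passwd"),
}


def parse_log(text: str) -> List[dict]:
    events = []
    for line in text.splitlines():
        src, dst, dport, payload = line.split(" ", 3)
        events.append({"src": src, "dst": dst, "dport": int(dport), "payload": payload})
    return events


def signature_alerts(events: List[dict]) -> List[Tuple[str, str]]:
    """Rules-based detection: fire once per (source, signature) hit.
    An attack with no signature in the base produces nothing here."""
    return [(e["src"], name)
            for e in events
            for name, pattern in SIGNATURES.items()
            if pattern.search(e["payload"])]


def portscan_alerts(events: List[dict], threshold: int = 5) -> List[Tuple[str, str, int]]:
    """Model-based detection: one source touching many distinct ports on
    one destination matches the known procedure of a port scan."""
    ports = defaultdict(set)
    for e in events:
        ports[(e["src"], e["dst"])].add(e["dport"])
    return [(src, dst, len(p)) for (src, dst), p in ports.items() if len(p) >= threshold]


def learn_baseline(events: List[dict]) -> float:
    """Mean number of connections per source in a known-normal window."""
    counts = Counter(e["src"] for e in events)
    return sum(counts.values()) / len(counts)


def behavior_alerts(events: List[dict], baseline: float, tolerance: float = 2.0) -> List[Tuple[str, int]]:
    """Behavior-based detection: flag sources whose volume exceeds the
    baseline by more than the tolerance factor. Its accuracy depends on
    how representative the baseline period was."""
    counts = Counter(e["src"] for e in events)
    return [(src, n) for src, n in counts.items() if n > tolerance * baseline]


def run_demo() -> Dict[str, list]:
    baseline = learn_baseline(parse_log(NORMAL_LOG))
    events = parse_log(SUSPECT_LOG)
    return {
        "signature": signature_alerts(events),
        "portscan": portscan_alerts(events),
        "behavior": behavior_alerts(events, baseline),
    }


if __name__ == "__main__":
    for kind, alerts in run_demo().items():
        print(kind, alerts)
```

Each detector sees something the others miss: the signature matcher catches the request from 203.0.113.7 but is blind to the scan, the port-scan model catches 198.51.100.4 without any payload at all, and the behavior check flags the same host purely because its volume is outside the learned baseline. That complementarity is why the approaches are layered rather than chosen between.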