Welcome to Definition Monday, where we define and explain a common technology or security concept for the benefit of our less experienced readers. This week: Defense In Depth.
There was a time, when the Internet was young and optimistic and not nearly so hostile as it is now, when the main defense of an Internet connected site was a single simple firewall at the network border.
Of course, this was also a time when the majority of users had a dumb terminal, if anything, that remained on their desk and the data that they worked with was on a DEC VAX or some other minicomputer maintained by the high priests of the IT department.
Those days are long, long gone.
Defense In Depth refers to an information security strategy where multiple redundant layers of defense are using to protect information assets. This strategy can mitigate technology failures, vendor-specific exploits, and multiple attack vectors that simply could not be handled by a single layer of defense.
For example, consider a Windows workstation in the controller’s office of your business. The network as a whole is probably protected by at least one firewall. There is likely a router in between this workstation and the Internet as well, which has its own abilities to accept or deny traffic. An Intrusion Detection System may be monitoring the traffic between the Internet and the computers in the controller’s department, watching for signs of attack or compromise. Finally, the machine itself is probably running a host-based firewall (either the Microsoft-supplied one that comes with Windows or a third-party installation), virus scanner, adware scanner, and so on. The thought is that if a threat manages to get past the border firewall, it still needs to get past the other measures in place before data can be compromised.
Another example – most companies run different virus detection packages on their mail server and their workstations, despite the fact that the licensing is often more expensive than just running one in both places. Why do this? Because if a virus can elude one of those packages but not the other, it will still be stopped. But an antivirus monoculture has no such built-in safeguards.
Two things to keep in mind when deploying a Defense In Depth strategy:
- Consider mixing vendors, or at least mixing up product lines and operating systems among a single vendor’s offerings. Imagine that your office is an all-Cisco shop, from the firewall to the core routing to the wireless network. Now imagine that a new vulnerability is discovered, specific to Cisco embedded operating systems, that allows for traffic to be exfiltrated without tripping any sensors. You’re going to be a lot more vulnerable than someone who sprinkled in some snort boxes, Vyatta routers, or some other non-Cisco equipment when designing the network.
- Employing proper Defense In Depth can be expensive, especially if you go with a multi-vendor approach. It means buying multiple products with overlapping functionality. It means juggling more physical hardware. It means justifying purchasing new equipment rather than repurposing old stuff to cover a functional hole. It’s an expense that can be difficult to justify because the return on investment is not clear to the layman – but it is vitally important to make the case.
In the modern information environment, where network borders are fuzzy, where corporate data is showing up on personally owned laptops and smartphones, where people might be using their work laptop to help with their kids’ homework, the old “hard outside and a chewy center” model of a single network firewall at the office just doesn’t cut it any more. Defense In Depth is an important concept to remember when implementing your policies and technologies.