Chapter 8
Layer upon Layer
(Defense in Depth)
The best defense…is a lot of defense.
Frank Hayes Sr.
Columnist for Computerworld
Introduction
This chapter is about defense in depth, a multilayer, multidimensional protection scheme designed to absorb and progressively weaken an attack. The term defense in depth has for many years been a catch-all phrase for the information security industry, so it is probably worthwhile to spend some time explaining exactly what this tactic is.
Let’s start with what defense in depth is not. Defense in depth is not just technology. The traditional understanding of defense in depth has been based on a five-layer model that begins with perimeter defenses and progresses through network, host, application, and data protections. Companies that have implemented protections at two or more of these layers have “defense in depth.” Vendor products that provide these protections are “defense-in-depth” technologies. The primary problem with this model is that it is technology-centric; it doesn’t properly address the people and process (operations) side of the equation. Furthermore, advances in technology and services have greatly eroded the usefulness of this model. For example, wireless technologies and “any data, any time, on any device” initiatives have completely redefined the term perimeter. Online and cloud computing services connect users directly to applications, bypassing perimeter, network, and host controls. These advances require us to think of defense in depth in an entirely different manner. Figure 8.1 shows how cloud computing has turned the old defense-in-depth model on its head.
What is defense in depth? Defense in depth is a multilayer and multidimensional protection scheme; multilayered in the sense that an attacker must overcome more than one defensive measure to achieve their objective. It is multidimensional because those defenses address different aspects of an attack; some protect, some detect, and others respond. Remember, the primary objective behind defense in depth is time. A good defense-in-depth implementation is designed to absorb and progressively weaken an attack, thus providing the responder with sufficient time to organize the resources and weaponry required to repel the attack. This requires the application of multiple overlapping protections at the people, technology, and operational process levels.
TAF-K11348-10-0301-C008.indd 119 8/18/10 3:08:39 PM
Security Strategy: From Requirements to Reality
Thirteenth-century castles are classic examples of defense in depth. They not only provided multiple barriers (layers) that the attacker had to overcome, but they also addressed the essential dimensions of a good defense: observation, rapid response, and weaponry. Castles contained a core (inner ward) where the most valued assets were kept; surrounding the core was an inner wall, with one or two entry points (gates) and multiple fortifications, including archery slits, kill holes, and stockpiles of weaponry (see Figure 8.2).
The inner wall provided a fallback position for the king’s soldiers should the outer wall be breached. This seldom happened. The outer walls were massive, surrounded by moats or ditches and supplied with ample watchtowers for observing the attackers and directing responses. Wide passageways in and atop the wall allowed troops to rapidly deploy to points of attack. An ample cache of weapons at each defensive position gave the defenders a decided advantage. The outer gates were equally fortified, reinforced with iron, barred with massive beams, and protected by drawbridges. So daunting were castle defenses that prior to the invention of the cannon, most commanders chose to besiege rather than attack a castle. The good news: there are no cannons on the Internet, and laying siege to a site (i.e., denial of service) is typically a short-lived attack.
Castles didn’t start out as defense-in-depth structures; 11th-century castles were primarily wooden-fenced mounds easily defeated with a good fire. In the 12th century the wooden fence was replaced with a stone wall and a tall stone tower or “keep.” The keep was like a castle within the castle and was generally considered to be the final defensive structure. Keeps were also used as living quarters and for storing armory. The battering ram was the primary nemesis of these structures because keeps were not designed to allow defenders to actively fight back. Later in the 12th century, keeps were constructed on the outer walls to provide observation and the means to fight back. The inner court of the castle became known as the “ward.” Overhangs were added to the walls, providing a platform on the top of the wall from which defenders could shoot arrows, drop stones, pour hot liquids, and so on. Beginning in the 13th century, a second wall around the structure was added creating a second or “outer” ward. Ditches and moats were constructed around the outer wall and strong gatehouses with metal-reinforced doors and drawbridges were added. The wall walkways were broadened, and slotted stones were added to the top to provide cover for the defenders. Finally, archery slits and kill holes were added to provide the defenders with good cover and a wide field of fire. These improvements in castle fortifications made it possible for a relatively small force to hold out against a much larger adversary. The evolution of castle defenses offers a good analogy for information security; just as castles changed in response to changing threats, so also must our information security defenses.
Figure 8.1 Old and new five-layer model. (Old model: perimeter security, network security, host security, application security, data security. New model: the same five layers in reverse order; in multitenant “cloud” environments, defense in depth begins with the data.)
Defense-in-Depth Objectives Identification
Other chapters in this book provide specific tactical information for implementing defense-in-depth controls; this chapter only addresses objectives identification for defense in depth. It is important to understand that the primary objective behind defense in depth is time. This has two aspects: first, require the attacker to expend lots of time and resources attacking, and second, have near real-time attack detection and rapid response capabilities. This is much easier said than done in a world of zero-day exploits, worms, and distributed (bot) attacks, not to mention disparate security controls that are scattered across multiple governing authorities.
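The time objective, introduced with the castle analogy above and restated here as two aspects (make the attacker spend time, then detect and respond quickly), can be made concrete with a small model. The Python below is an added illustration and is not code from this book. It assumes that each layer is characterised by the hours an attacker needs to defeat it and the probability that the attacker's work at that layer raises an alert, that an alert is evaluated when the attacker first engages a layer, and that responders need a fixed number of hours from alert to containment; the defense holds when containment precedes the attacker's arrival at the core. The chapter gives no such figures; the layer names, delays, detection probabilities and response times are constructed sample values.

```python
"""Time-based model of a layered defense.

Added illustration; the model and all numbers are assumptions, not taken
from the chapter. Each layer has a delay (hours an attacker needs to
defeat it) and a detection probability (chance the attacker's work at that
layer raises an alert). Detection is evaluated when the attacker first
engages a layer; responders need a fixed number of hours from alert to
containment. The defense holds when containment happens before the
attacker has defeated every layer and reached the core.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Layer:
    name: str
    delay_hours: float  # protection: time the attacker must spend here
    p_detect: float     # observation: chance this layer raises an alert


@dataclass(frozen=True)
class Outcome:
    protection_hours: float      # time for the attacker to reach the core
    p_alert: float               # probability that any layer raises an alert
    p_hold: float                # probability containment beats the attacker
    expected_alert_hours: float  # mean time of the first alert, given one fires


def evaluate(layers: List[Layer], response_hours: float) -> Outcome:
    """Walk the attacker through the layers in order and accumulate outcomes."""
    protection = sum(layer.delay_hours for layer in layers)
    p_quiet = 1.0          # probability that no earlier layer has alerted
    p_alert = p_hold = 0.0
    alert_time_mass = 0.0  # sum of probability * alert time, for the mean
    elapsed = 0.0
    for layer in layers:
        p_first_alert = p_quiet * layer.p_detect   # first alert fires here
        p_alert += p_first_alert
        alert_time_mass += p_first_alert * elapsed
        # Does containment land before the attacker finishes the last layer?
        if elapsed + response_hours < protection:
            p_hold += p_first_alert
        p_quiet *= 1.0 - layer.p_detect
        elapsed += layer.delay_hours
    expected_alert = alert_time_mass / p_alert if p_alert > 0 else float("inf")
    return Outcome(protection, p_alert, p_hold, expected_alert)


def weakest_link(layers: List[Layer], response_hours: float) -> str:
    """Name the first layer whose alert would arrive too late to matter ('' if none)."""
    protection = sum(layer.delay_hours for layer in layers)
    elapsed = 0.0
    for layer in layers:
        if elapsed + response_hours >= protection:
            return layer.name
        elapsed += layer.delay_hours
    return ""


# Constructed sample values for an in-house enclave (assumptions, not data).
LAYERED = [
    Layer("perimeter gateway", 4.0, 0.3),
    Layer("network segmentation", 8.0, 0.4),
    Layer("host hardening", 12.0, 0.5),
    Layer("application controls", 6.0, 0.6),
    Layer("data encryption", 24.0, 0.2),
]

# Same total delay, but a single barrier with a single chance to observe.
MONOLITH = [Layer("single hardened boundary", 54.0, 0.3)]


if __name__ == "__main__":
    for response in (10.0, 30.0):
        for label, layers in (("layered", LAYERED), ("monolith", MONOLITH)):
            o = evaluate(layers, response)
            late = weakest_link(layers, response) or "none"
            print(f"{label:8s} response={response:4.0f}h  "
                  f"protection={o.protection_hours:.0f}h  "
                  f"P(alert)={o.p_alert:.3f}  P(hold)={o.p_hold:.3f}  "
                  f"E[alert]={o.expected_alert_hours:.1f}h  late from: {late}")
```

With a 30-hour response the layered enclave holds with probability 0.79 against 0.30 for a single barrier of the same total delay, because each extra layer is another observation point, not only more delay. The same run shows the second aspect of the time objective: shortening response from 30 to 10 hours raises P(hold) from 0.79 to 0.93, since alerts raised at the application and data layers stop arriving too late to act on.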
Figure 8.2 Castle ground plan. (Labelled features: corner towers, middle towers, gate houses, drawbridge and gate, ocean gate/dock, moat, outer ward, inner ward, and defensive positions with archery slits and a weapons cache.)
Today defense in depth really becomes a question of what you have direct control over (your
enclave), how that environment relates to other enclaves and the supporting infrastructure, cou-
pled, of course, with the threats that are present in each instance. Today’s computer environments
require more than technological controls. People and operational processes are critical to overall
security and must always be taken into consideration. In the past we were concerned primarily
with what was coming into our environment; today, we must be equally concerned with what is
going out.
Information Environments
Today we find three common information environments: in-house, hybrid, and hosted. In-house is a localized computing environment (enclave) consisting of people, technology (i.e., end-user systems, servers, communications systems, etc.), and operational practices that are under the control of a single authority governed by organizational policy. On the other side of the spectrum is the hosted environment consisting of people, technology, and operations that are under the control of an external authority governed by contract. This is not to say that hosting environments are not governed by internal organizational policies; they undoubtedly are, but the customer’s security requirements are seldom the same as the provider’s, and these differences are usually specified in the service contract. It is also important to note that the hosting environment is also an enclave; to the provider it is a localized computing environment under the control of a single authority. The hybrid environment combines in-house and hosted services to form an environment with multiple control authorities and multiple governing vehicles (policies and contractual agreements).
Attached to these environments are two other elements that must be considered for objectives identification: networks and supporting infrastructure. Networks provide data transport between enclaves. Network service providers also consist of people, technology, and operational practices (which may or may not be under a single authority) governed by contractual agreement(s). The supporting infrastructure includes all the organizational capabilities that provide support for the information processing environment, including human resources, training, and purchasing. Each of these elements has different information security requirements and very different security objectives.
Threats
Each environment is also subject to a number of different threats including natural disasters, physical hazards, and human malfeasance. Natural disasters include floods, earthquakes, lightning, solar flares, fires, and other naturally induced hazards. Physical hazards are human-induced threats, including structural failures (e.g., building collapse), machinery and equipment failures (e.g., ventilation systems), water damage from plumbing or fire suppression systems, explosions, hazardous material spills, and so on. Human malfeasance includes acts of sabotage, terrorism, spying, hacking, riots and looting, criminal enterprises, corrupt officials, and disgruntled employees, as well as damages from careless or accidental actions.
Natural disasters are typically addressed by business continuity planning (BCP) and/or disaster recovery planning (DRP) objectives. These objectives may include some physical hazards, but the majority of physical hazards are addressed by physical security and facility operational security objectives. Human malfeasance poses the greatest danger to information security and is by far the biggest driver of defense-in-depth objectives. Human malfeasance can be grouped into four basic types of activities:
1. Passive attacks—traffic analysis, data capture (sniffing attacks), and other types of eavesdropping
2. Active attacks—session stealing, data tampering, vulnerability exploits, malicious code introduction, and other types of attacks that generate traffic or unnecessarily consume resources
3. Insider attacks—passive or active attacks generated by someone with authorized physical or logical access
4. Distribution attacks—malicious modifications to hardware or software at the source (manufacturer) or during distribution
Objectives identification must include measures to address these attacks, as well as the threats posed by incidental human error.
Environmental Objectives
Now let’s take a look at the defense-in-depth objectives for the various information environments we have identified.
In-House Objectives
The emphasis for in-house enclaves is usually the perimeter/enclave boundary, with additional defenses at the network and host levels. Objectives are focused on well-defined and controlled gateways between the enclave and external entities. Objectives within this environment will vary depending on business type, data value, and applicable regulations, but the following list is fairly common.
1. Operational excellence for security controls
2. High assurance identity management
3. Timely incident response and resolution
4. Limited and controlled boundary access points
5. Effective logging, detection, and alerting capabilities
6. Superior personal supervision, training, and skills management
Note that these objectives provide coverage for people (6), technology (4–5), and operational (1–3) security while promoting the principles of observation (5) and rapid response (3). What these objectives do not fully address are insider attacks and attacks against applications and data. This, however, is not uncommon for in-house environments; a surprising number of companies simply do not address insider threats.
Limited and Controlled Boundary Access Points
As stated earlier, this is a main security focus for in-house environments. Castles divided defenses into zones that progressively limited access, and when you think about it, access is the basis of all security. Confidentiality is about limiting read access to information, integrity is about limiting