Defense in Depth
Because a security solution is only as strong as its weakest link, network administrators are challenged to implement a security solution that protects a complex network. As a result, rather than deploying a single security solution, Cisco recommends multiple, overlapping solutions. These overlapping solutions target different aspects of security, such as securing against insider attacks and securing against technical attacks. These solutions should be subjected to routine testing and evaluation, and they should overlap in a way that eliminates any single point of failure.
Defense in Depth is a design philosophy that achieves this layered security approach. The layers of security present in a Defense in Depth deployment should provide redundancy for one another while offering a variety of defense strategies for protecting multiple aspects of a network. Any single points of failure in a security solution should be eliminated, and weak links in the security solution should be strengthened.
The Defense in Depth design philosophy includes recommendations such as the following:
■ Defend multiple attack targets in the network.
— Protect the network infrastructure.
— Protect strategic computing resources, such as via a Host-based Intrusion Prevention System (HIPS).
■ Create overlapping defenses. For example, include both Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) protections.
■ Let the value of a protected resource dictate the strength of the security mechanism. For example, deploy more resources to protect a network boundary than to protect an end-user workstation.
■ Use strong encryption technologies, such as AES (as opposed to DES) or Public Key Infrastructure (PKI) solutions.
Consider the sample Defense in Depth topology shown in Figure 1-2. Notice the two e-mail servers, external and internal. The external e-mail server acts as an e-mail relay to the internal e-mail server. Therefore, an attacker attempting to exploit an e-mail vulnerability would have to compromise both e-mail servers to affect the internal corporate e-mail.
Also notice the use of a Network-based Intrusion Detection System (NIDS), a Network Intrusion Prevention System (NIPS), and a Host-based Intrusion Prevention System (HIPS). All three of these mitigation strategies look for malicious traffic and can alert on or drop such traffic. However, these strategies are deployed at different locations in the network to protect different areas of the network. This overlapping yet diversified protection is an example of the Defense in Depth design philosophy.
However, if all security solutions in a network were configured and managed by a single management station, that management station would itself be a single point of failure: an attacker who compromised it could defeat the other security measures.
Figure 1-2 Defense in Depth (figure not reproduced here; only the label "Internal e-Mail" survives)
In the "Potential Attackers" section you read about five classes of attacks; Table 1-6 provides examples of overlapping defenses for each of these classes.
Table 1-6 Defending Against Different Classes of Attacks

Attack Class    Primary Layer of Defense                          Secondary Layer of Defense
Passive         Encryption                                        Applications with integrated security
Active          Firewall at the network edge                      HIPS
Insider         Authentication                                    Protecting against unauthorized physical access
Close-in        Protecting against unauthorized physical access   Video monitoring systems
Distribution    Secured software distribution system              Real-time software integrity checking
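As an added illustration (not from the book or Cisco), the following Python script encodes the layers of Table 1-6 and audits a defense plan for the two gaps the text warns about: an attack class covered by fewer than two overlapping layers, and a class whose layers are all managed from one station, which the paragraph on the single management station identifies as a single point of failure. The management-station names are constructed sample values, not part of the original table.

```python
from collections import defaultdict

# Layers from Table 1-6 as (attack class, layer, management station).
# Management stations are constructed sample values for this example.
DEFENSE_PLAN = [
    ("Passive", "Encryption", "crypto-mgmt"),
    ("Passive", "Applications with integrated security", "app-mgmt"),
    ("Active", "Firewall at the network edge", "secmgr-01"),
    ("Active", "HIPS", "secmgr-01"),  # same station as the firewall: shared SPOF
    ("Insider", "Authentication", "idm-01"),
    ("Insider", "Protecting against unauthorized physical access", "facilities"),
    ("Close-in", "Protecting against unauthorized physical access", "facilities"),
    ("Close-in", "Video monitoring systems", "facilities"),
    ("Distribution", "Secured software distribution system", "swdist-01"),
    ("Distribution", "Real-time software integrity checking", "hostmon-01"),
]

# The five attack classes the text refers to.
ATTACK_CLASSES = ("Passive", "Active", "Insider", "Close-in", "Distribution")


def audit(plan, classes=ATTACK_CLASSES, min_layers=2):
    """Return {attack class: [findings]}; an empty list means the class passes.

    Two checks per class: enough overlapping layers, and no single management
    station controlling every layer that defends that class.
    """
    layers = defaultdict(list)
    for cls, layer, station in plan:
        layers[cls].append((layer, station))

    findings = {}
    for cls in classes:
        issues = []
        entries = layers.get(cls, [])
        if len(entries) < min_layers:
            issues.append(f"only {len(entries)} layer(s); need {min_layers}")
        stations = {station for _, station in entries}
        if entries and len(stations) == 1:
            issues.append(f"all layers managed from {stations.pop()} (single point of failure)")
        findings[cls] = issues
    return findings


if __name__ == "__main__":
    for cls, issues in audit(DEFENSE_PLAN).items():
        print(f"{cls:13} {'OK' if not issues else '; '.join(issues)}")
```

Run as written, the audit passes Passive, Insider and Distribution and flags Active and Close-in, whose layers share one management station.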