Defense in Depth

Because a security solution is only as strong as its weakest link, network administrators face the challenge of implementing a security solution that protects a complex network. Rather than deploying a single security solution, Cisco therefore recommends multiple, overlapping solutions. These overlapping solutions target different aspects of security, such as securing against insider attacks and securing against technical attacks, and they should be subjected to routine testing and evaluation. The solutions should also overlap in a way that eliminates any single point of failure.

Defense in Depth is a design philosophy that achieves this layered security approach. The layers of security present in a Defense in Depth deployment should provide redundancy for one another while offering a variety of defense strategies for protecting multiple aspects of a network. Any single points of failure in a security solution should be eliminated, and weak links in the security solution should be strengthened.

The Defense in Depth design philosophy includes recommendations such as the following:

■ Defend multiple attack targets in the network.

— Protect the network infrastructure.

— Protect strategic computing resources, for example by deploying a Host-based Intrusion Prevention System (HIPS).

■ Create overlapping defenses. For example, include both Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) protections.

■ Let the value of a protected resource dictate the strength of the security mechanism. For example, deploy more resources to protect a network boundary than to protect an end-user workstation.

■ Use strong encryption technologies, such as AES (as opposed to DES) or Public Key Infrastructure (PKI) solutions.

Consider the sample Defense in Depth topology shown in Figure 1-2. Notice the two e-mail servers—external and internal. The external e-mail server acts as an e-mail relay to the internal e-mail server. Therefore, an attacker attempting to exploit an e-mail vulnerability would have to compromise both e-mail servers to affect the internal corporate e-mail.

Also notice the use of a Network-based Intrusion Detection System (NIDS), a Network Intrusion Prevention System (NIPS), and a Host-based Intrusion Prevention System (HIPS). All three of these mitigation strategies look for malicious traffic and can alert or drop such traffic. However, these strategies are deployed at different locations in the network to protect different areas of the network. This overlapping yet diversified protection is an example of the Defense in Depth design philosophy.

However, if all security solutions in a network were configured and managed from a single management station, that station would itself be a single point of failure: an attacker who compromised the management station could defeat the other security measures.

Figure 1-2 Defense in Depth [figure; visible label: Internal e-Mail]

In the "Potential Attackers" section you read about five classes of attacks; Table 1-6 provides examples of overlapping defenses for each of these classes.

Table 1-6 Defending Against Different Classes of Attacks

| Attack Class | Primary Layer of Defense | Secondary Layer of Defense |
|---|---|---|
| | Applications with integrated security | Firewall at the network edge |
| | Protecting against unauthorized physical access | |
| | Protecting against unauthorized physical access | Video monitoring systems |
| | Secured software distribution system | Real-time software integrity checking |
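The last row of Table 1-6 pairs a secured software distribution system with real-time software integrity checking. The following Python script is an added example, not code from the book or from Cisco, that models both layers with the standard library only: the distribution system publishes an authenticated manifest of file hashes (layer 1), and the host re-hashes installed files against that manifest afterwards (layer 2). An HMAC with a shared key stands in for the digital signature a real distribution system would use; the key, file names and file contents are constructed for the example.

```python
import hashlib
import hmac
from typing import Dict, List

# Constructed for this example. A real distribution system would sign the
# manifest with a private key and hosts would verify with the public key;
# an HMAC over a shared key plays that role here.
DISTRIBUTION_KEY = b"example-distribution-key"


def _manifest_body(digests: Dict[str, str]) -> bytes:
    """Canonical byte encoding of the digest table (sorted so the tag is stable)."""
    return "\n".join(f"{name} {digest}" for name, digest in sorted(digests.items())).encode()


def build_manifest(files: Dict[str, bytes], key: bytes) -> dict:
    """Layer 1, secured software distribution: hash every file in the package and
    authenticate the hash table so a host can detect a package altered in transit."""
    digests = {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}
    tag = hmac.new(key, _manifest_body(digests), hashlib.sha256).hexdigest()
    return {"digests": digests, "tag": tag}


def verify_manifest(manifest: dict, key: bytes) -> bool:
    """Check the manifest's authentication tag using a constant-time comparison."""
    expected = hmac.new(key, _manifest_body(manifest["digests"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["tag"])


def install(files: Dict[str, bytes], manifest: dict, key: bytes) -> Dict[str, bytes]:
    """Install only if the manifest is authentic and every delivered file matches it.
    The installed files are modelled as an in-memory dict."""
    if not verify_manifest(manifest, key):
        raise ValueError("manifest authentication failed")
    if set(files) != set(manifest["digests"]):
        raise ValueError("package file list does not match manifest")
    for name, data in files.items():
        if hashlib.sha256(data).hexdigest() != manifest["digests"][name]:
            raise ValueError(f"hash mismatch for {name}")
    return dict(files)


def runtime_integrity_check(installed: Dict[str, bytes], manifest: dict) -> List[str]:
    """Layer 2, real-time integrity checking: re-hash the installed files against the
    manifest recorded at install time. Reports changed, added and missing files."""
    expected = manifest["digests"]
    changed = [name for name, data in installed.items()
               if expected.get(name) != hashlib.sha256(data).hexdigest()]
    missing = [name for name in expected if name not in installed]
    return sorted(changed + missing)


def demo() -> dict:
    """Walk both layers over a constructed two-file package."""
    package = {"agent.bin": b"\x7fELF-sample-binary", "agent.conf": b"mode=monitor\n"}
    manifest = build_manifest(package, DISTRIBUTION_KEY)

    # A package altered in the distribution channel is stopped by layer 1.
    tampered_package = dict(package, **{"agent.bin": b"\x7fELF-altered"})
    try:
        install(tampered_package, manifest, DISTRIBUTION_KEY)
        caught_by_distribution = False
    except ValueError:
        caught_by_distribution = True

    # The genuine package installs, and the host's first check finds nothing.
    installed = install(package, manifest, DISTRIBUTION_KEY)
    clean = runtime_integrity_check(installed, manifest)

    # A change made after installation has already passed layer 1,
    # so only layer 2 can report it.
    installed["agent.conf"] = b"mode=disabled\n"
    after_change = runtime_integrity_check(installed, manifest)

    return {"caught_by_distribution": caught_by_distribution,
            "clean": clean, "after_change": after_change}


if __name__ == "__main__":
    print(demo())
```

The two layers cover each other's blind spots, which is the point of the table row: the distribution check cannot see a file rewritten on the host after installation, and the runtime check trusts whatever manifest was accepted at install time, so a forged manifest would only be stopped by the authentication step in layer 1.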