Security Laboratory: Defense In Depth Series

The Uniform Method of Protection to Achieve Defense-in-Depth

February 26th, 2007
By Stephen Northcutt



The uniform method of protection for defense-in-depth generally involves a firewall separating the internal trusted zone from the Internet; most implementations also run anti-virus on the mail store-and-forward servers and on the desktops. It generally means that all internal hosts receive the same level of protection from attack from the network infrastructure, regardless of what they hold. It is the most commonly and easily implemented architecture, and the least effective in terms of achieving a high degree of information assurance, unless all information assets in the IT environment are of equal importance to the organization.

Uniform protection

There are five primary architectural approaches to achieving defense-in-depth: uniform protection, protected enclaves, threat vector analysis, information centric protection, and role based access control. They are not mutually exclusive. Organizations with high value information assets will generally start with uniform protection and layer one or more of the other approaches onto the architecture to achieve greater levels of protection. The simplest is uniform protection: stick a firewall in place and call it done. So what's not to like?

Let's take a web field trip to http://www.maginot-line.com/ang/c_sommaire.htm[1], and open the virtual visit of the Maginot line. The second scene is from the Dallas News. Whatever the Maginot line is, it surely seems complicated. Now, please stick with us and read the Wikipedia writeup, http://en.wikipedia.org/wiki/Maginot_Line.[2] At this point you may be asking, "What does this have to do with computer security?" The answer is a lot: the Maginot line was an enormous investment in a single fixed perimeter, and it was simply bypassed.

What are the IT security leadership lessons?

The phrase "hard crunchy outside, soft chewy center" is attributed to Bill Cheswick, a security researcher, and has become a popular way to discuss perimeter designs with technical people, especially those with firewall duties.[3] The perimeter, like the Maginot line, is the hard crunchy outside; an attacker who can somehow get past it can do virtually anything in the soft chewy center, because under uniform protection every internal host is trusted equally and nothing inside checks traffic from a neighbor.

How attackers can get past the firewall:

Does this mean there is no future for the uniform method to achieve defense-in-depth? No, the uniform method has a checkered past and a brighter future. Devices like the TippingPoint IPS[4-7], smarter switches with security capabilities from a number of vendors, Cisco Network Admission Control[8], as well as Cisco Security Agent on the hosts, are starting to give security directors the ability to both harden the chewy center and deploy a conceptually simpler architecture: the perimeter stays uniform, but the internal network stops treating every host as equally trustworthy.
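To make the "soft chewy center" concrete, here is an added example (not from the original article, and not a SANS or vendor tool) that models a network as zones plus a firewall policy and computes the blast radius: the set of hosts an attacker can reach, by any number of pivots, once a given host is compromised. The host names, zone names and rules are constructed sample data. The uniform policy has a perimeter firewall and one flat internal zone; the layered policy keeps the same perimeter but splits servers from workstations and adds the kind of intra-zone isolation that security-capable switches or host agents provide.

```python
"""Blast-radius model: perimeter-only (uniform) vs. layered policy.

Added illustration, not code from the original article. All hosts,
zones and rules below are constructed sample data.
"""
from collections import deque

# Constructed inventory (not a real network).
HOSTS = ["internet", "mailrelay", "mailstore", "payroll-db",
         "desktop-01", "desktop-02"]

# Uniform protection: one perimeter firewall, one flat trusted zone.
UNIFORM = {
    "zones": {"internet": "untrusted", "mailrelay": "dmz",
              "mailstore": "internal", "payroll-db": "internal",
              "desktop-01": "internal", "desktop-02": "internal"},
    # Cross-zone rules; pairs not listed are denied at the firewall.
    "rules": {("untrusted", "dmz"): True,      # inbound mail to the relay
              ("dmz", "internal"): True,       # relay delivers to mail store
              ("internal", "dmz"): True,
              ("internal", "untrusted"): True, # unrestricted egress
              ("dmz", "untrusted"): True},
    # No controls between hosts of the same zone: the soft chewy center.
    "isolated": set(),
}

# Same perimeter, but the inside is segmented and workstations/servers
# cannot talk to peers in their own zone (private VLAN / port ACL / agent).
LAYERED = {
    "zones": {"internet": "untrusted", "mailrelay": "dmz",
              "mailstore": "servers", "payroll-db": "servers",
              "desktop-01": "workstations", "desktop-02": "workstations"},
    "rules": {("untrusted", "dmz"): True,
              ("dmz", "servers"): True,
              ("servers", "dmz"): True,
              ("dmz", "untrusted"): True,
              ("workstations", "servers"): True,   # clients use the servers
              ("workstations", "dmz"): True,
              ("workstations", "untrusted"): True},
    "isolated": {"workstations", "servers"},
}


def allowed(policy, src_zone, dst_zone):
    """True if the policy permits traffic from src_zone to dst_zone.

    Same-zone traffic is permitted unless the zone is marked isolated;
    cross-zone traffic is default-deny unless a rule allows it.
    """
    if src_zone == dst_zone:
        return src_zone not in policy["isolated"]
    return policy["rules"].get((src_zone, dst_zone), False)


def blast_radius(policy, start):
    """Hosts an attacker controlling `start` can reach, pivoting freely.

    Breadth-first search over hosts: each newly reached host is assumed
    compromised and used as the next source, which is exactly what a
    flat trusted zone lets an attacker do.
    """
    zones = policy["zones"]
    seen = {start}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for other in HOSTS:
            if other not in seen and allowed(policy, zones[cur], zones[other]):
                seen.add(other)
                queue.append(other)
    return seen - {start}


def exposure(policy):
    """Map each host to the number of other hosts reachable from it."""
    return {h: len(blast_radius(policy, h)) for h in HOSTS}


if __name__ == "__main__":
    for name, policy in (("uniform", UNIFORM), ("layered", LAYERED)):
        print(f"{name} policy:")
        for host, n in exposure(policy).items():
            print(f"  {host:<11} reaches {n} of {len(HOSTS) - 1} other hosts")
```

Under the uniform policy every host, including the Internet itself via the mail relay, reaches all five other hosts: once one machine falls, the perimeter is irrelevant. Under the layered policy the relay and servers reach three and a workstation reaches four; a compromised desktop still reaches the payroll database, because zone-level segmentation alone does not distinguish one server from another. Reducing that last number is what the enclave, information centric and role based approaches in this series add on top of the uniform perimeter.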

1. http://www.maginot-line.com/ang/c_sommaire.htm
2. http://en.wikipedia.org/wiki/Maginot_Line
3. http://infosecuritymag.techtarget.com/2002/jun/basics.shtml
4. http://www.tippingpoint.com/
5. http://www.sans.org/whatworks/casestudy.php?id=101
6. http://www.sans.org/whatworks/casestudy.php?id=109
7. http://www.sans.org/whatworks/casestudy.php?id=105
8. http://www.sans.edu/resources/leadershiplab/ciscobook.php