Security Laboratory: Defense In Depth Series
Protected Enclaves Defense-in-Depth
February 26th, 2007
By Stephen Northcutt
Protected enclaves simply means subdividing the internal network so that it is not one large zone with no internal protections. This architectural approach to information security defense-in-depth can be accomplished in a number of ways, including:
- Network Admission Control - A client (supplicant) must pass muster with the network's policy server before it is allowed to connect to resources on the network.[1]
- Internal firewalls - Firewalls can be used to enforce a security policy between departments and business units in very large organizations, or between the "core" organization and its acquisitions, divestitures and joint ventures. The primary reason to use firewalls in this manner is to isolate or compartmentalize groups and the sensitive data they handle from ... well, everyone else![2]
- Internal firewalls at the host level - These can be software based (personal firewalls) or hardware based, such as the 3Com embedded firewalls and policy server: host-based, hardware-embedded firewalls for desktops, servers and notebooks. These firewalls help to protect individual systems inside or outside the perimeter, wherever an additional layer of security is needed.[3]
- VLANs - Though many argue VLANs should not be used to enforce security[4], the simple truth is that traffic has to pass through an Access Control List to travel from one VLAN to another.[5][6] Since you have already paid for the switch, seriously consider taking advantage of the tool to help lock down your network.
- VPNs - Not only do they give you confidentiality, they also enforce the policy that only hosts authorized to connect to other hosts can do so. This could be very helpful in a worm outbreak.[7]
The application for a computer security manager is pretty simple. Though there is some operational configuration overhead, these architectural approaches do not need to add a substantial amount of cost, and they buy you a lot of security. The biggest potential gotcha is that they can reduce throughput and/or add latency. Test thoroughly in a lab environment before procurement and deployment. All of this information is covered in detail in SANS Perimeter Protection In-Depth.[8]
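To make the inter-VLAN ACL point concrete, here is an added Python example (not code from the original article or from SANS): it models three enclaves and a first-match ACL with the implicit deny every ACL ends in, then audits a set of observed flows to find cross-enclave traffic the ACL would not permit. The enclave ranges, rules and flow records are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample: three enclaves (one VLAN each) on the internal network.
ENCLAVES = {
    "finance": ipaddress.ip_network("10.10.0.0/24"),
    "engineering": ipaddress.ip_network("10.20.0.0/24"),
    "servers": ipaddress.ip_network("10.100.0.0/24"),
}

# Constructed inter-VLAN ACL in router extended-ACL style, evaluated first match.
# Each rule: (action, protocol, source network, destination network, dst port or None)
INTER_VLAN_ACL = [
    ("permit", "tcp", "10.10.0.0/24", "10.100.0.0/24", 443),  # finance -> web app
    ("permit", "tcp", "10.20.0.0/24", "10.100.0.0/24", 22),   # engineering -> ssh
    ("deny", "ip", "0.0.0.0/0", "0.0.0.0/0", None),           # the implicit deny, made explicit
]

@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    dport: int

def enclave_of(ip):
    """Name of the enclave an address belongs to, or None if it is outside all of them."""
    addr = ipaddress.ip_address(ip)
    for name, net in ENCLAVES.items():
        if addr in net:
            return name
    return None

def acl_permits(flow, acl=INTER_VLAN_ACL):
    """First matching rule decides; no match means the implicit deny applies."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    for action, proto, s, d, port in acl:
        if proto != "ip" and proto != flow.proto:
            continue
        if src not in ipaddress.ip_network(s) or dst not in ipaddress.ip_network(d):
            continue
        if port is not None and port != flow.dport:
            continue
        return action == "permit"
    return False

def audit(flows):
    """Cross-enclave flows the ACL would block; same-enclave traffic never crosses the ACL."""
    return [f for f in flows if enclave_of(f.src) != enclave_of(f.dst) and not acl_permits(f)]

SAMPLE_FLOWS = [  # constructed flow records, as exported from a switch or flow collector
    Flow("tcp", "10.10.0.5", "10.100.0.10", 443),  # permitted by rule 1
    Flow("tcp", "10.20.0.7", "10.100.0.10", 22),   # permitted by rule 2
    Flow("tcp", "10.20.0.7", "10.10.0.5", 445),    # engineering -> finance SMB: no rule, denied
    Flow("tcp", "10.10.0.5", "10.10.0.9", 445),    # same enclave, ACL not consulted
]
```

Running the audit over flows observed on a network that is still flat shows exactly which existing traffic the planned ACL would cut off, which is the throughput and breakage testing the paragraph above calls for before deployment.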
1. http://www.sans.edu/resources/musings/ciscobook.php
2. http://www.corecom.com/external/livesecurity/firewallplace.html
3. http://www.3com.com/en_US/jump_page/embedded_firewall.html
4. https://honor.icsalabs.com/pipermail/firewall-wizards/2004-December/017670.html
5. http://www.cisco.com/en/US/products/hw/switches/ps663/products_configuration_guide_chapter09186a00800ddcfb.html#wp1050355
6. http://www.sans.org/resources/perlscript.php
7. http://www1.tools.ietf.org/wg/tsvwg/draft-ietf-tsvwg-vpn-signaled-preemption/draft-ietf-tsvwg-vpn-signaled-preemption-02-from-01.diff.html
8. http://www.sans.org/training/description.php?tid=422