Security Laboratory


Security Laboratory: Defense In Depth Series



The Uniform Method of Protection to Achieve Defense-in-Depth


By Stephen Northcutt


The uniform method of protection for defense-in-depth generally involves a firewall separating the internal trusted zone from the Internet; most implementations add anti-virus on the mail store-and-forward servers and on the desktops. It generally means that all internal hosts receive the same level of protection from attack by the network infrastructure. It is the most commonly and most easily implemented architecture, and the least effective in terms of achieving a high degree of information assurance, unless all of the information assets held in IT are of equal importance to the organization.

Uniform protection

There are five primary architectural approaches to achieving defense-in-depth: uniform protection, protected enclaves, threat vector analysis, information centric protection, and role based access control. They are not mutually exclusive. Organizations with high value information assets will generally start with uniform protection and layer one or more additional approaches onto the architecture to achieve greater levels of protection. The simplest is uniform protection. Stick a firewall in place and call it done. So what's not to like?

Let's take a web field trip to http://www.maginot-line.com/ang/c_sommaire.htm[1] and open the virtual visit of the Maginot line. The second scene is from the Dallas News. Whatever the Maginot line is, it surely seems complicated. Now, please stick with us and read the Wikipedia write-up at http://en.wikipedia.org/wiki/Maginot_Line.[2] At this point you may be asking, "What does this have to do with computer security?" The answer is: a lot.

What are the IT security leadership lessons?

  • The French had finite resources; building the line meant not investing in other things
  • The closest analogy of the line to computer security is a really big, tight firewall
  • The Germans said the heck with attacking them at their strongest point and went around it
  • Because the French had over-invested in the Maginot line, they had a soft chewy center
  • It is considered one of the greatest military failures

The phrase "hard crunchy outside, soft chewy center" is attributed to Bill Cheswick, a security researcher, and has become popular for discussing perimeter designs with technical people, especially the ones with firewall duties.[3] The perimeter, like the Maginot line, is a hard crunchy outside, but if you can somehow get past the perimeter you can do virtually anything you want in the soft chewy center.

How attackers can get past the firewall:

  • VPNs
  • RAS modems
  • Email attachments
  • Tunnel through HTTP/HTTPS
  • Wireless
  • USB thumb drives
  • Take the laptop home, get it infected, plug it back into the corporate network
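The following Python script is an added illustration of the argument above and is not code from the article or from SANS. It models a small network as hosts assigned to zones and a first-match firewall rule base, then computes the "blast radius": the set of internal hosts reachable once a single host has been compromised through one of the non-perimeter vectors listed above. The host names, zones and both rule sets are constructed assumptions; the point is to compare a uniform-protection rule base (perimeter only, everything inside trusts everything else) with a protected-enclave rule base layered on top of it.

```python
"""Blast-radius model: uniform protection versus protected enclaves.

Added example for this article, not the author's or SANS' code. All hosts,
zones and rules below are constructed for illustration.
"""
from collections import deque
from typing import Dict, List, Set, Tuple

# A flow rule: (source zone, destination zone, allowed?). "*" matches any zone.
Rule = Tuple[str, str, bool]

# Constructed inventory: host name -> zone. "internet" is a pseudo-host
# standing in for everything outside the perimeter.
HOSTS: Dict[str, str] = {
    "laptop-17": "users",
    "desktop-04": "users",
    "mail-01": "servers",
    "fileserver": "servers",
    "hr-db": "hr",
    "internet": "internet",
}

# Uniform protection: one firewall at the edge; inside, every zone may talk
# to every other zone (the "soft chewy center").
UNIFORM: List[Rule] = [
    ("internet", "*", False),   # perimeter blocks inbound from the Internet
    ("*", "*", True),           # no restrictions between internal zones
]

# Protected enclaves layered on top: the HR enclave accepts nothing from the
# general zones, and servers may not initiate to user hosts.
ENCLAVES: List[Rule] = [
    ("internet", "*", False),
    ("users", "servers", True),
    ("users", "hr", False),
    ("servers", "hr", False),
    ("servers", "users", False),
    ("*", "*", False),          # default deny between zones
]


def allowed(rules: List[Rule], src_zone: str, dst_zone: str) -> bool:
    """First-match evaluation, the way a typical firewall rule base works."""
    if src_zone == dst_zone:
        return True  # same zone: no firewall sits in the path
    for src, dst, verdict in rules:
        if src in ("*", src_zone) and dst in ("*", dst_zone):
            return verdict
    return False


def blast_radius(rules: List[Rule], start_host: str) -> Set[str]:
    """Internal hosts reachable, transitively, from a compromised start host."""
    seen = {start_host}
    queue = deque([start_host])
    while queue:
        current = queue.popleft()
        for host, zone in HOSTS.items():
            if host not in seen and allowed(rules, HOSTS[current], zone):
                seen.add(host)
                queue.append(host)
    # The Internet pseudo-host is not an asset, so leave it out of the count.
    return {h for h in seen if HOSTS[h] != "internet"}


def exposure_report(rules: List[Rule]) -> Dict[str, int]:
    """For each internal host: how many internal hosts fall if it is compromised."""
    return {
        host: len(blast_radius(rules, host))
        for host, zone in HOSTS.items()
        if zone != "internet"
    }


if __name__ == "__main__":
    for name, rules in (("uniform", UNIFORM), ("enclaves", ENCLAVES)):
        # The perimeter holds in both designs: nothing is reachable from outside.
        print(f"{name}: reachable from internet = {sorted(blast_radius(rules, 'internet'))}")
        # The designs differ once a laptop inside the perimeter is compromised.
        print(f"{name}: reachable from laptop-17 = {sorted(blast_radius(rules, 'laptop-17'))}")
        print(f"{name}: exposure per host = {exposure_report(rules)}")
```

Run stand-alone, the script shows that the perimeter blocks the Internet pseudo-host equally well in both designs; the difference appears only after the perimeter has been bypassed, where the uniform rule base lets a compromised laptop reach every internal host, while the enclave rule base keeps the HR database out of reach.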

Does this mean there is no future for the uniform method of achieving defense-in-depth? No; the uniform method has a checkered past and a brighter future. Devices like the TippingPoint IPS[4-7], smarter switches with security capabilities from a number of security vendors, and Cisco Network Admissions[8], as well as its security agent, are starting to give security directors the ability both to harden the chewy center and to deploy a conceptually simpler architecture.

1. http://www.maginot-line.com/ang/c_sommaire.htm
2. http://en.wikipedia.org/wiki/Maginot_Line
3. http://infosecuritymag.techtarget.com/2002/jun/basics.shtml
4. http://www.tippingpoint.com/
5. http://www.sans.org/whatworks/casestudy.php?id=101
6. http://www.sans.org/whatworks/casestudy.php?id=109
7. http://www.sans.org/whatworks/casestudy.php?id=105
8. http://www.sans.edu/resources/leadershiplab/ciscobook.php